Project

General

Profile

Bug #5541

Updated by Brandon Murphy over 2 years ago

Please consider the following rule and attached pcaps.  

 The intention of the rule is to alert when the http.host buffer does not _end with_ <code>.google.com</code> 

 <pre> 
 alert http $HOME_NET any -> any any (msg:"Test"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; http.host; content:!".google.com"; endswith; sid:1;) 
 </pre> 

 However, in practice the <code>endswith;</code> keyword (and the use of <code>isdataat:!1,relative</code>) seems to have no effect on and the leading negated content match and appears to be is applied to the entire buffer, thus resulting in a False Negative. 

 buffer.  

 If the http host of <code>www.google.com.example.com</code> is provided, observed, the negation appears to take effect and no alert is triggered, despite the buffer not ending with <code>.google.com</code> 

 In the attached pcaps, I would expect the above this signature to fire on host_negation_2.pcap but not host_negation_1.pcap. In practice, the alert does not fire on either of the attached pcaps and leads to a False Negative. pcaps.

Back