FN with http_header and pcreH followed by same http_header+distance0...

[Rm Kml <rmkml () yahoo fr>]

Hi,

Someone check this on snort v2.9.3(.0) please?

ok first test, snort not fire = FN
 alert tcp any any -> any 80 (msg:"test 1 FN"; flow:to_server,established; content:"linux-gnu"; nocase; http_header; 
pcre:"/Wget/Hsmi"; content:"linux-gnu"; nocase; http_header; distance:0; classtype:web-application-activity; sid:1; 
rev:1;)
-> but why ?

ok second test, snort fire = good
 alert tcp any any -> any 80 (msg:"test 2 ok"; flow:to_server,established; content:"linux-gnu"; nocase; 
pcre:"/Wget/smi"; content:"linux-gnu"; nocase; distance:0; classtype:web-application-activity; sid:2; rev:1;)

ok third test, snort fire = good
 alert tcp any any -> any 80 (msg:"test 3 ok"; flow:to_server,established; pcre:"/Wget/Hsmi"; content:"linux-gnu"; 
nocase; http_header; distance:0; classtype:web-application-activity; sid:3; rev:1;)

test with simple wget command:
 wget http://www.kernel.org/abc.html
http request:
 GET /abc.html HTTP/1.0
 User-Agent: Wget/1.12 (linux-gnu)
 ...

Joigned wget example pcap file.

Please Credits to rmkml.
Suricata engine [OISF] fire every times, thx you.
Regards
Rmkml

Attachment: testsnortfn.pcap
Description:

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!