Over the last few months I've noticed some strange behavior in a few of the HTTP engine sigs: false positives with no indication in the alarm, or even in a trace, as to why it triggered. Which sucks of course because all I do anymore is chase down false positives... I don't need false positives that don't even match the signature.
For the HTTP engine, if there are multiple regex strings do all of them have to be matched [in a single HTTP request] for the alarm to fire? I was told at one time they did.
I created a custom sig with this engine with the following regex:
Specify URI Regex: [/\\][Ss][Ee][Aa][Rr][Cc][Hh]
Request Regex: helloregexthello
I watched the sensor for a few minutes and this alarm was not firing. Then I removed the signature and applied the config. DOH! Now I see 100+ alarms for this signature. Can someone from Cisco explain this? Here is an example of the alarm:
If there are multiple regexes in a signature, they all have to be matched for the signature to fire.
Even if a signature is deleted, its config is not deleted immediately in the sensor. Any traffic that started before the signature was deleted may still reference the old config. If you start a new traffic session, you should not see the signature fire. Are you seeing the signature trigger in this case?
I may not be able to give any explanation as to why the signature did not fire before, other than that the regexes in the signature might not have matched. If you could give us the pcap that you used, the dev team will test it and let you know.
This signature should have never fired at all. I purposely chose a URI regex that was very common (/search) and a request regex that would never exist on the network (helloregexthello).
It didn't fire until I applied a signature change... and then it fired many, MANY times. In those alerts, the only thing that matched in the saved packet data was the URL regex (and they were search requests to google, yahoo, etc.; almost all GET requests). To the untrained eye, this certainly suggests a problem with the way regex matching works when the process(es) stop and/or start.
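To check an alarm's saved packet data against the rule the Cisco reply states (every regex in the signature must match before it fires), here is a small triage script written for this thread; it is not Cisco code and it assumes the URI regex applies to the request-line URI and the request regex to the whole request (headers plus body). The sample requests are constructed to mirror the search GETs described above.

```python
import re

# Constructed from the custom signature in the thread. These two patterns use
# only syntax that Python's re handles identically to the sensor's regex engine.
SIGNATURE = {
    "uri": re.compile(r"[/\\][Ss][Ee][Aa][Rr][Cc][Hh]"),
    "request": re.compile(r"helloregexthello"),
}

def parse_request(raw: bytes):
    """Return (uri, full_request_text) from raw HTTP request bytes."""
    text = raw.decode("latin-1")          # keep every byte; no decode errors
    request_line = text.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    uri = parts[1] if len(parts) >= 2 else ""
    return uri, text

def evaluate(raw: bytes, sig=SIGNATURE) -> dict:
    """Report which regexes matched and whether the signature should fire.
    A signature with several regexes fires only when ALL of them match."""
    uri, text = parse_request(raw)
    result = {
        "uri": sig["uri"].search(uri) is not None,      # assumption: URI regex on the URI
        "request": sig["request"].search(text) is not None,  # assumption: on the whole request
    }
    result["fires"] = all(result[name] for name in sig)
    return result

def triage(alarms: dict) -> list:
    """Return the names of alarms whose saved packet does not satisfy every regex,
    i.e. the false positives the poster is chasing."""
    return [name for name, raw in alarms.items() if not evaluate(raw)["fires"]]

# Constructed sample packets, modelled on the saved packet data in the alarms.
GOOGLE_SEARCH = (b"GET /search?q=ips+regex HTTP/1.1\r\n"
                 b"Host: www.google.com\r\n\r\n")
YAHOO_SEARCH = (b"GET /Search;_ylt=abc?p=regex HTTP/1.1\r\n"
                b"Host: search.yahoo.com\r\n\r\n")
BOTH_MATCH = (b"POST /Search HTTP/1.1\r\nHost: example.test\r\n"
              b"Content-Length: 16\r\n\r\nhelloregexthello")

if __name__ == "__main__":
    alarms = {"alarm-1": GOOGLE_SEARCH, "alarm-2": YAHOO_SEARCH, "alarm-3": BOTH_MATCH}
    for name, raw in alarms.items():
        print(name, evaluate(raw))
    print("false positives:", triage(alarms))
```

Only `alarm-3` satisfies both regexes; the two search GETs match the URI regex alone, so the script flags them as alarms the signature should not have produced.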