Suricata - testmyids

Hi!

Using curl against testmyids.com does not return the GPL attack signature. Instead, the following signature fires.

That rule looks like it will match any curl user agent going out.
If both could match that traffic, is it possible this is either a higher priority or listed before the rule you expect to trigger?

Understood.

But now it's not generating any alert. Yesterday it was working well.

Testmyids.com has a force redirect to https making it not that useful for this type of testing. We’ve updated our docs to use curl http://testmynids.org/uid/index.html which does not redirect to https and works for this purpose.

2 Likes

Can't thank you enough!

Hi

I have created this rule:

alert ip any any -> any any (msg:"Browser GPL ATTACK_RESPONSE id check returned root"; flow:established,to_client; http.response_body; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:1658581; rev:1; metadata:created_at 2024_06_16, updated_at 2024_06_16;)

But it still doesn't work when accessing testmyids.com or http://testmynids.org/uid/index.html from a browser.

It works when using curl from the same computer, but not when using a browser. I have checked that it's not forcing https.

I'd be grateful for any help.

I'd really like to make it work, as a personal challenge :)

Thanks

Do you see the related event_type for flow and http if you try it from the browser?
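One way to answer that question from eve.json, as an added example that is not code from the thread or from Suricata: group the EVE records of each flow to the test server and report whether the flow was parsed as HTTP (or only as TLS, the https-redirect case mentioned earlier) and whether sid 1658581 alerted on it. The EVE lines, the server address 203.0.113.10 and the function names are constructed for this example.

```python
import json

# Constructed EVE records (not real captures): flow 1 is a curl request, flow 2 a browser
# request that produced no alert, flow 3 an https session after a redirect. 203.0.113.10 is
# a placeholder server address.
SAMPLE_EVE = """
{"flow_id":1,"event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","http":{"hostname":"testmynids.org","url":"/uid/index.html","http_user_agent":"curl/8.0.1","status":200}}
{"flow_id":1,"event_type":"alert","src_ip":"203.0.113.10","dest_ip":"10.0.0.5","alert":{"signature_id":1658581,"signature":"Browser GPL ATTACK_RESPONSE id check returned root"}}
{"flow_id":1,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","app_proto":"http"}
{"flow_id":2,"event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","http":{"hostname":"testmynids.org","url":"/uid/index.html","http_user_agent":"Mozilla/5.0","status":200}}
{"flow_id":2,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","app_proto":"http"}
{"flow_id":3,"event_type":"tls","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","tls":{"sni":"testmyids.com"}}
{"flow_id":3,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","app_proto":"tls"}
"""


def flows_with_server(eve_text, server_ip):
    """Group EVE records by flow_id for flows that touch server_ip in either direction."""
    flows = {}
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if server_ip not in (rec.get("src_ip"), rec.get("dest_ip")):
            continue
        f = flows.setdefault(rec["flow_id"], {"event_types": set(), "user_agent": None, "sids": set()})
        f["event_types"].add(rec["event_type"])
        if rec["event_type"] == "http":
            f["user_agent"] = rec["http"].get("http_user_agent")
        elif rec["event_type"] == "alert":
            f["sids"].add(rec["alert"]["signature_id"])
    return flows


def diagnose(eve_text, server_ip, sid):
    """Return [(flow_id, user_agent, verdict)], one verdict per flow, saying how far the
    request got: parsed as HTTP or not, and whether the rule with `sid` alerted on it."""
    report = []
    for fid, f in sorted(flows_with_server(eve_text, server_ip).items()):
        if "http" not in f["event_types"]:
            if "tls" in f["event_types"]:
                verdict = "tls only: body encrypted, rule cannot inspect it"
            else:
                verdict = "no http event: traffic not parsed as HTTP"
        elif sid in f["sids"]:
            verdict = "alert fired"
        else:
            verdict = "http parsed but no alert: rule did not match the response"
        report.append((fid, f["user_agent"], verdict))
    return report
```

Run `diagnose(open("/var/log/suricata/eve.json").read(), "<server ip>", 1658581)` against a real log to see which stage each browser and curl flow reached.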