[Oisf-devel] strange FP on suricata v101/100

rmkml rmkml at free.fr
Wed Aug 4 17:46:46 UTC 2010


Hi,
Anyone interested in testing, please?
Regards
Rmkml


On Sun, 1 Aug 2010, rmkml wrote:

> Hi,
> I have a strange FP with these two sigs:
> alert tcp any 80 -> any any (msg:"http reply 1"; flow:to_client,established; 
> content:"HTTP/1."; nocase; depth:7; content:!" 200 OK"; nocase; distance:1; 
> content:!" 206 Partial Content"; nocase; distance:1; 
> classtype:attempted-admin; sid:9014691; rev:1; )
> alert tcp any 80 -> any any (msg:"http reply 2"; flow:to_client,established; 
> content:"HTTP/1."; content:" Expect"; nocase; within:20; distance:0; 
> classtype:misc-attack; sid:9014252; rev:1;)
> suricata v101/100 generates two alerts:
> 07/30/10-16:06:26.005780  [**] [1:9014691:1] http reply 1 [**] 
> [Classification: Attempted Administrator Privilege Gain] [Priority: 3] {6} 
> 66.249.92.104:80 -> 192.168.70.5:56913
> 07/30/10-16:10:26.004807  [**] [1:9014691:1] http reply 1 [**] 
> [Classification: Attempted Administrator Privilege Gain] [Priority: 3] {6} 
> 66.249.92.104:80 -> 192.168.70.5:56913
> but if you disable the second sig/sid (9014252), only one alert fires.
> Why does the second alert not fire if I disable the second sig/sid, please?
> Contact me if you need the pcap file, because it is private traffic.
> If you want/confirm, I'm open to filing a new ticket on redmine.
> Regards
> Rmkml
>
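To make the intended behaviour of the two signatures above concrete, here is an added illustration (not code from the thread and not Suricata's own matcher): a minimal Python model of the content modifiers the rules use (depth, distance, within, nocase, negation), run over a few constructed server-to-client payloads. It ignores flow state, stream reassembly and fast-pattern selection, and it assumes that a negated content which succeeds (pattern absent) does not move the relative cursor used by the following distance/within; both simplifications are labelled in the code. The sample payloads are constructed, not taken from the reporter's private traffic.

```python
# Added illustration: a minimal model of the content modifiers used by the
# two rules in the thread (depth, distance, within, nocase, negation).
# It is NOT Suricata's matcher: flow tracking, stream reassembly and
# fast-pattern selection are ignored, and only the server->client payload
# is examined. Assumption: a negated content that succeeds (pattern absent)
# does not move the relative cursor used by the next distance/within.

def _find(payload: bytes, pat: bytes, start: int, end: int, nocase: bool) -> int:
    """Offset of the first occurrence of pat lying entirely inside
    payload[start:end], or -1 when absent."""
    if start >= end:
        return -1
    hay = payload[start:end]
    if nocase:
        hay, pat = hay.lower(), pat.lower()
    idx = hay.find(pat)
    return -1 if idx < 0 else start + idx


def match_rule(payload: bytes, contents: list) -> bool:
    """Return True when every content keyword of the rule is satisfied.

    Each entry: {"pattern": bytes, "nocase": bool, "negated": bool,
                 "depth": int, "distance": int, "within": int}; everything
    but pattern is optional. depth is absolute from the payload start;
    distance/within are relative to the end of the previous positive match.
    """
    cursor = 0  # end offset of the last positive (non-negated) match
    for c in contents:
        pat = c["pattern"]
        relative = "distance" in c or "within" in c
        if relative:
            start = cursor + c.get("distance", 0)
            end = start + c["within"] if "within" in c else len(payload)
        else:
            start = 0
            end = c["depth"] if "depth" in c else len(payload)
        pos = _find(payload, pat, start, end, c.get("nocase", False))
        if c.get("negated", False):
            if pos >= 0:          # pattern present -> negated content fails
                return False
        elif pos < 0:             # positive pattern absent -> rule fails
            return False
        else:
            cursor = pos + len(pat)
    return True


# The two signatures from the thread, transcribed into the model's form.
RULES = {
    9014691: [  # "http reply 1": a reply that is neither 200 OK nor 206
        {"pattern": b"HTTP/1.", "nocase": True, "depth": 7},
        {"pattern": b" 200 OK", "nocase": True, "negated": True, "distance": 1},
        {"pattern": b" 206 Partial Content", "nocase": True, "negated": True, "distance": 1},
    ],
    9014252: [  # "http reply 2": " Expect" within 20 bytes of the version
        {"pattern": b"HTTP/1."},
        {"pattern": b" Expect", "nocase": True, "within": 20, "distance": 0},
    ],
}


def evaluate(payload: bytes) -> list:
    """Return the sids (ascending) whose rule matches the given reply payload."""
    return sorted(sid for sid, contents in RULES.items() if match_rule(payload, contents))


# Constructed reply payloads (not the reporter's private traffic).
SAMPLES = {
    "ok":        b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "partial":   b"HTTP/1.1 206 Partial Content\r\nContent-Range: bytes 0-9/100\r\n\r\n",
    "notfound":  b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n",
    "expect":    b"HTTP/1.1 417 Expectation Failed\r\nContent-Length: 0\r\n\r\n",
    "lowercase": b"http/1.0 200 ok\r\n\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:10s} -> sids {evaluate(payload)}")
```

Under this model a 200 or 206 reply triggers neither sid, a 404 triggers only 9014691, and a 417 "Expectation Failed" triggers both. The model yields at most one hit per sid per payload, so it cannot reproduce the doubled sid 9014691 alert reported above; that behaviour, and why it depends on whether sid 9014252 is loaded, is the engine-side question the thread raises.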


