[Oisf-devel] strange FP on suricata v101/100

Will Metcalf william.metcalf at gmail.com
Fri Aug 6 13:08:01 UTC 2010


Ok again sorry for the delay.  Having a look now.

Regards,

Will

On Fri, Aug 6, 2010 at 7:43 AM, rmkml <rmkml at free.fr> wrote:
> Hi,
> Nothing confirmed this case, but I have opened new ticket: 227.
> Please check and maybe fix.
> Regards
> Rmkml
>
>
> On Wed, 4 Aug 2010, rmkml wrote:
>
>> Hi,
>> Anyone interested in testing, please?
>> Regards
>> Rmkml
>>
>>
>> On Sun, 1 Aug 2010, rmkml wrote:
>>
>>> Hi,
>>> I have a strange FP with these two sigs:
>>> alert tcp any 80 -> any any (msg:"http reply 1"; flow:to_client,established; content:"HTTP/1."; nocase; depth:7; content:!" 200 OK"; nocase; distance:1; content:!" 206 Partial Content"; nocase; distance:1; classtype:attempted-admin; sid:9014691; rev:1;)
>>> alert tcp any 80 -> any any (msg:"http reply 2"; flow:to_client,established; content:"HTTP/1."; content:" Expect"; nocase; within:20; distance:0; classtype:misc-attack; sid:9014252; rev:1;)
>>> suricata v101/100 generates two alerts:
>>> 07/30/10-16:06:26.005780  [**] [1:9014691:1] http reply 1 [**]
>>> [Classification: Attempted Administrator Privilege Gain] [Priority: 3] {6}
>>> 66.249.92.104:80 -> 192.168.70.5:56913
>>> 07/30/10-16:10:26.004807  [**] [1:9014691:1] http reply 1 [**]
>>> [Classification: Attempted Administrator Privilege Gain] [Priority: 3] {6}
>>> 66.249.92.104:80 -> 192.168.70.5:56913
>>> but if you disable the second sig/sid (9014252), only one alert fires.
>>> Why does the second alert not fire if I disable the second sig/sid, please?
>>> Contact me if you need the pcap file, because it is private traffic.
>>> If you want/confirm, I will open a new ticket on redmine.
>>> Regards
>>> Rmkml
>>>
>>
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
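As an added illustration of what the two sigs quoted above are meant to match (my own Python model written for this page, not Suricata's code and not posted by anyone in the thread): a simplified content matcher implementing content, nocase, depth, distance, within and negated content, run over constructed HTTP response lines. It assumes that distance and within are measured from the end of the last positive (non-negated) match and that an absent negated content leaves that anchor unchanged; the sample payloads are constructed and are not from the private pcap.

```python
"""Simplified model of Suricata/Snort content keywords, used to work out
the intended behaviour of sid 9014691 and sid 9014252 on a response line.
Added example; not Suricata's matcher.  Assumptions (simplification):
distance/within are relative to the end of the last positive match, and a
negated content that is absent does not move that anchor."""

# Constructed sample HTTP responses (not taken from the thread's private pcap).
SAMPLES = {
    "ok": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "partial": b"HTTP/1.1 206 Partial Content\r\nContent-Range: bytes 0-99/200\r\n\r\n",
    "not_found": b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n",
    "expect": b"HTTP/1.1 417 Expectation Failed\r\n\r\n",
    "lowercase": b"http/1.0 500 Internal Server Error\r\n\r\n",
}

# The two sigs from the thread, expressed as lists of content keywords.
SIGS = {
    9014691: [  # "http reply 1"
        {"pattern": b"HTTP/1.", "nocase": True, "depth": 7},
        {"pattern": b" 200 OK", "nocase": True, "negated": True, "distance": 1},
        {"pattern": b" 206 Partial Content", "nocase": True, "negated": True, "distance": 1},
    ],
    9014252: [  # "http reply 2"
        {"pattern": b"HTTP/1."},
        {"pattern": b" Expect", "nocase": True, "within": 20, "distance": 0},
    ],
}


def _window(kw, payload_len, last_end):
    """Byte range [start, end) the pattern must lie entirely inside."""
    start, end = 0, payload_len
    if "offset" in kw:            # absolute modifiers
        start = kw["offset"]
    if "depth" in kw:
        end = min(end, kw["depth"])
    if "distance" in kw or "within" in kw:   # relative modifiers
        start = last_end + kw.get("distance", 0)
        if "within" in kw:
            end = min(end, start + kw["within"])
    return start, end


def match_contents(payload, contents):
    """Return True when every content keyword of one sig is satisfied."""
    last_end = 0
    for kw in contents:
        hay, pat = payload, kw["pattern"]
        if kw.get("nocase"):
            hay, pat = hay.lower(), pat.lower()
        start, end = _window(kw, len(hay), last_end)
        # bytes.find(sub, start, end) only reports matches fully inside the window
        pos = hay.find(pat, start, end) if start <= end else -1
        if kw.get("negated"):
            if pos != -1:
                return False      # forbidden pattern present in the window
            continue              # anchor unchanged for a negated keyword
        if pos == -1:
            return False
        last_end = pos + len(pat)
    return True


def alerts_for(payload):
    """Sorted list of sids whose content checks all pass on this payload."""
    return sorted(sid for sid, kws in SIGS.items() if match_contents(payload, kws))


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:10s} -> {alerts_for(payload)}")
```

Under this model a 200 or 206 status line fires nothing, any other status line fires 9014691 once, and a "417 Expectation Failed" line fires both sids; the lowercase status line shows that 9014252 misses without nocase on its first content. A model like this gives a baseline per rule, so that an observed alert count for one sid changing when an unrelated sid is disabled can be recognised as engine behaviour rather than rule semantics when testing.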