[Oisf-devel] {5} Suricata v0.8.0 and distance with only one previous content...

rmkml rmkml at free.fr
Sat Jan 2 17:10:05 UTC 2010


Hi,
After some small testing, I have a new small question about this signature:
  alert tcp any any -> any 80 (msg:"test"; content:"test"; nocase; distance:200; sid:1; rev:1;)

If I start Suricata:
  ./suricata080beta -c suricata.yaml -r test.pcap --init-errors-fatal
...
[15389] 2/1/2010 -- 21:48:31 - (detect.c:327) <Info> (SigLoadSignatures) -- Loading rule file: test.rules
[15389] 2/1/2010 -- 21:48:31 - (detect-distance.c:48) <Error> (DetectDistanceSetup) -- [ERRCODE: SC_ERR_DISTANCE_MISSING_CONTENT(69)] - distance needs two preceeding content options

On Snort, this signature works: I'm searching for the 'test' string after a beginning distance of 200...
Regards
Rmkml
Crusoe-Researches.com


