[Oisf-devel] FP with suricata yesterday git

rmkml rmkml at free.fr
Sun Jun 6 16:56:03 UTC 2010


And it's special, because if you extract only the 3rd packet, no alert!
Regards
Rmkml


On Sun, 6 Jun 2010, rmkml wrote:

> Hi,
> Maybe I'm finding a regression between suricata v0.9.1 and yesterday's git
> (79443b1991840930ded4b8f09ba6de7b000912d9).
> If anyone can confirm, I'm opening a new ticket...
> OK, with this old sig I have a FP with my attached (anonymized) pcap file:
> alert udp any any -> any 53 (msg:"DNS zone transfer UDP"; content:"|00 00 FC|"; offset:14; classtype:attempted-recon; sid:1948; rev:6;)
> alert firing:
> 04/01/09-14:36:40.894688  [**] [1:1948:6] DNS zone transfer UDP [**] [Classification: ...] [Priority: 3] {1} 10.50.1.143:3 -> 142.27.128.1:3
> The attached pcap file contains 3 packets: the first is a DNS A request, the second is the DNS
> reply, the third is an ICMP port (DNS) unreachable (FP here).
> It's not fuzzing, it's "normal" DNS traffic.
> Snort is not firing, maybe it's a new Suricata feature?
> Regards
> Rmkml
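Added worked example for triaging this kind of report (it is not code from the thread or from Suricata): a Python model of the three-packet session that builds the A query, the A reply and the ICMP port-unreachable quoting that reply, then checks sid 1948's header (udp, dport 53) and content/offset against each packet. It assumes a constructed client port, transaction id, qname and A record, a reply TTL of 252 (whose bytes 00 00 00 FC contain the rule's content), and a host that quotes the whole datagram in the ICMP error (RFC 792 requires only the inner IP header plus 8 bytes); the addresses are the ones from the alert line.

```python
import struct

# sid 1948 from the thread: alert udp any any -> any 53 (content:"|00 00 FC|"; offset:14; ...)
RULE = {"proto": 17, "dport": 53, "content": b"\x00\x00\xfc", "offset": 14}

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header: no options, checksum left at zero (offline parsing only)."""
    ip = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, ip(src), ip(dst)) + payload

def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def dns(txid, flags, qname, qtype=1, rdata=None):
    """One-question DNS message; with rdata, one A answer whose TTL 252 encodes as 00 00 00 FC."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", txid, flags, 1, 1 if rdata else 0, 0, 0) + name + struct.pack("!HH", qtype, 1)
    if rdata:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 252, len(rdata)) + rdata
    return msg

def icmp_port_unreach(quoted):
    """ICMP type 3 code 3. Assumption: the sender quotes the whole datagram (RFC 1812 allows up to 576 bytes)."""
    return struct.pack("!BBHI", 3, 3, 0, 0) + quoted[:576]

def parse(pkt):
    """(proto, dport, payload) of an IPv4 packet; for ICMP the payload is the quoted datagram, not a UDP payload."""
    proto, body = pkt[9], pkt[20:]
    if proto == 17:
        return proto, struct.unpack("!H", body[2:4])[0], body[8:]
    return proto, None, body[8:]

def evaluate(pkt):
    """(alert, content_hit): the rule header must match before a content hit may raise an alert."""
    proto, dport, payload = parse(pkt)
    content_hit = payload.find(RULE["content"], RULE["offset"]) != -1
    return (proto == RULE["proto"] and dport == RULE["dport"] and content_hit), content_hit

# Constructed three-packet session with the same shape as the thread's pcap (port, txid, name, RR are made up).
CLIENT, SERVER = "10.50.1.143", "142.27.128.1"
QUERY = ipv4(CLIENT, SERVER, 17, udp(1025, 53, dns(0x1234, 0x0100, "example.com")))
REPLY = ipv4(SERVER, CLIENT, 17, udp(53, 1025, dns(0x1234, 0x8180, "example.com", rdata=b"\x5d\xb8\xd8\x22")))
UNREACH = ipv4(CLIENT, SERVER, 1, icmp_port_unreach(REPLY))
PACKETS = {"dns A query": QUERY, "dns A reply": REPLY, "icmp port unreachable": UNREACH}

if __name__ == "__main__":
    for label, pkt in PACKETS.items():
        alert, hit = evaluate(pkt)
        print(f"{label:22s} proto={parse(pkt)[0]:<3d} content hit={hit!s:5s} alert={alert}")
```

The reply and the ICMP error both carry the `00 00 FC` bytes past offset 14, but only a packet that is UDP to port 53 satisfies the rule header, so a correct evaluation raises no alert on any of the three.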
