[Oisf-devel] small pb (FN) on suricata with content and offset+depth

Will Metcalf william.metcalf at gmail.com
Fri May 21 16:40:41 UTC 2010


Thanks Rmkml!

On Fri, May 21, 2010 at 9:19 AM, rmkml <rmkml at free.fr> wrote:
> Thx again for reply Will,
> I have opened ticket #164.
> Regards
> Rmkml
>
>
> On Fri, 21 May 2010, Will Metcalf wrote:
>
>> Confirmed.  This is a bug. The first sig should fire given the attached
>> pcap.
>>
>> Regards,
>>
>> Will
>>
>> On Fri, May 21, 2010 at 5:27 AM, rmkml <rmkml at free.fr> wrote:
>>>
>>> and if anyone confirms, I'll open a ticket...
>>> Rmkml
>>>
>>>
>>> On Fri, 21 May 2010, rmkml wrote:
>>>
>>>> Hi,
>>>> I have a small pb with this sig and the attached (dns/udp) pcap file, without the alert
>>>> firing:
>>>> alert udp any 53 -> any any (msg:"suricata test dns reply"; content:"|00 00 00|"; offset:3; depth:4; classtype:bad-unknown; sid:9199437; rev:1;)
>>>> simplified tcpdump hex output (on the attached pcap file):
>>>> 0x0000:  4500 0028 0000 4000 3411 5152 c202 2809
>>>> 0x0010:  0a32 0136 0035 e6e6 0014 1a16 6098 a888
>>>> 0x0020:  0000 0000 0000 0000 0000 0000 0000
>>>> ok, the udp payload starts at 0x1c; in my sig, offset:3 starts at 0x1f, but depth:4
>>>> allows me 0x1f:88 + 0x20:00 + 0x21:00 + 0x22:00.
>>>> Can anyone confirm this small pb please?
>>>> Tested on suricata v0.9.0 and git on date 20 may 2010
>>>> (b629b7c5c1e2ad6c91b97b6708ad9ddc6a674502).
>>>>
>>>> and of course, this sig works:
>>>> alert udp any 53 -> any any (msg:"suricata test dns reply"; content:"|00 00 00|"; offset:4; depth:3; classtype:bad-unknown; sid:9199437; rev:1;)
>>>> Regards
>>>> Rmkml
>>>
>>> _______________________________________________
>>> Oisf-devel mailing list
>>> Oisf-devel at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>>
>


