[Oisf-devel] two alerts for one content, why?

Anoop Saldanha anoopsaldanha at gmail.com
Wed Jun 27 05:06:57 UTC 2012


On Wed, Jun 27, 2012 at 5:21 AM, rmkml <rmkml at yahoo.fr> wrote:
> Hi,
>
> ok, I've attached a pcap file that contains a Dropbear ssh server, but I'm curious why
> Suricata fires two times?
>
> # with this sig, suricata fire two times:
> alert tcp any 22 -> any any (msg:"dropbear detect 2";
> flow:to_client,established; content:"SSH-"; depth:4; offset:0;
> content:"dropbear_"; nocase; within:40; distance:0;
> classtype:attempted-admin; sid:990995; rev:1; )
>
> # with this sig, suricata fire one time:
> alert tcp any 22 -> any any (msg:"dropbear detect 1";
> flow:to_client,established; content:"dropbear_"; nocase;
> classtype:attempted-admin; sid:990994; rev:1; )
>
> Can anyone replay this test, please?
> If yes, I'll open a new redmine ticket.
> Of course, snort fires one time per sig.
> Tested suricata git as of 24 Jun.
>
> Regards
> Rmkml
>
> http://twitter.com/rmkml
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel

Haven't given it a run yet but I think it's because of depth/offset.
Suricata would first match on the packet and subsequently on the
stream as well.

This is because of a design decision we took, treating sigs with
offset/depth as both packet and stream sigs.

-- 
Anoop Saldanha
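A toy model of the behaviour described in the reply, added here for illustration; this is neither code from the thread nor Suricata's own engine. It implements a small content matcher with Snort-style offset/depth (absolute) and distance/within (relative) modifiers, then runs a rule once per packet payload when it carries offset/depth and once per reassembled stream for every rule, which is the "both packet and stream sig" treatment the reply describes. The banner bytes and the packet split are constructed sample input; treating depth as counted from offset, and rules without offset/depth as stream-only, are simplifying assumptions of this model.

```python
# Toy packet-vs-stream inspection model (added example, not Suricata code).
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Content:
    pattern: bytes
    nocase: bool = False
    offset: int = 0                 # absolute: start of search window
    depth: Optional[int] = None     # absolute: window length from offset (model assumption)
    distance: Optional[int] = None  # relative: gap after previous match end
    within: Optional[int] = None    # relative: window length after that gap

    def is_absolute(self) -> bool:
        # offset/depth make the rule "packet + stream" in this model
        return self.offset != 0 or self.depth is not None


@dataclass
class Rule:
    sid: int
    msg: str
    contents: List[Content]

    def has_absolute_modifiers(self) -> bool:
        return any(c.is_absolute() for c in self.contents)


def _find(buf: bytes, pat: bytes, nocase: bool, start: int, end: int) -> int:
    """Return absolute index of pat fully inside buf[start:end], or -1."""
    hay = buf[start:end]
    idx = hay.lower().find(pat.lower()) if nocase else hay.find(pat)
    return -1 if idx < 0 else start + idx


def match_rule(rule: Rule, buf: bytes) -> bool:
    """Apply every content match in order against one buffer."""
    cursor = 0  # end of the previous content match
    for i, c in enumerate(rule.contents):
        relative = i > 0 and (c.distance is not None or c.within is not None)
        if relative:
            start = cursor + (c.distance or 0)
            end = len(buf) if c.within is None else start + c.within
        else:
            start = c.offset
            end = len(buf) if c.depth is None else c.offset + c.depth
        if start > len(buf):
            return False
        pos = _find(buf, c.pattern, c.nocase, start, min(end, len(buf)))
        if pos < 0:
            return False
        cursor = pos + len(c.pattern)
    return True


def inspect(rule: Rule, packets: List[bytes]) -> List[str]:
    """Run a rule the way the reply describes: absolute-modifier rules are
    inspected per packet payload AND on the reassembled stream; rules
    without offset/depth only on the stream. Returns one entry per alert."""
    alerts = []
    if rule.has_absolute_modifiers():
        for n, payload in enumerate(packets):
            if match_rule(rule, payload):
                alerts.append(f"sid:{rule.sid} packet#{n}")
    stream = b"".join(packets)  # naive in-order reassembly
    if match_rule(rule, stream):
        alerts.append(f"sid:{rule.sid} stream")
    return alerts


# The two rules from the thread, translated into this model.
RULE_990995 = Rule(990995, "dropbear detect 2", [
    Content(b"SSH-", offset=0, depth=4),
    Content(b"dropbear_", nocase=True, distance=0, within=40),
])
RULE_990994 = Rule(990994, "dropbear detect 1", [
    Content(b"dropbear_", nocase=True),
])

# Constructed sample banner (not taken from the pcap in the thread).
BANNER = b"SSH-2.0-dropbear_0.52\r\n"
SPLIT = [b"SSH-2.0-drop", b"bear_0.52\r\n"]  # same banner across two segments


if __name__ == "__main__":
    print(inspect(RULE_990995, [BANNER]))  # two alerts: packet and stream
    print(inspect(RULE_990994, [BANNER]))  # one alert: stream only
    print(inspect(RULE_990995, SPLIT))     # one alert: only the stream sees it
```

With the banner in a single segment the offset/depth rule fires twice, once on the packet and once on the stream, while the plain content rule fires once; with the banner split across two segments neither packet payload satisfies the rule on its own and only the stream match remains, which is why the stream pass exists at all.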


