[Oisf-devel] Suricata 4.1rc1 and rule compatibility question

Victor Julien lists at inliniac.net
Wed Aug 1 13:58:09 UTC 2018


On 31-07-18 02:23, jason taylor wrote:
> Hi All,
> 
> We are doing some testing with 4.1rc1 and are seeing what appear to be
> false positives on the following rule:
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:]
> (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP srvsvc NetrpPathCanonicalize path
> canonicalization stack overflow attempt"; flow:to_server,established;
> dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:31,32;
> dce_stub_data;
> pcre:"/^(\x00\x00\x00\x00|.{4}(\x00\x00\x00\x00|.{12}))/s";
> byte_jump:4,-4,multiplier 2,relative,align,dce;
> pcre:"/\x00\.\x00\.\x00[\x2f\x5c]/R"; metadata:policy balanced-ips
> drop, policy connectivity-ips drop, policy max-detect-ips drop, policy
> security-ips drop, service netbios-ssn;
> reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-067;
> classtype:trojan-activity; sid:14782; rev:21;)
> 
> The traffic we are seeing the false positive against is http traffic
> but is firing this rule (pcap in tarball).
> 
> Is this rule just incompatible with suri or is there something else
> amiss here?
> 
> We ran the sample pcap against 4.0.5 and do not see the false positive
> alert.
> 
> We see the false positive alert against 4.1rc1 and the latest master
> branch.
> 
> Let me know if additional details are needed.

I can reproduce it, thanks. Can you open a ticket in our redmine as well?

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
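Added example, not from this thread or from Suricata's source: a Python emulation of the rule's content chain (pcre, then byte_jump:4,-4,multiplier 2,relative,align,dce, then pcre/R) applied to constructed stub bytes, to make explicit what the signature requires once the dce_iface/dce_opnum gate has passed. The byte_jump semantics modelled here (read 4 bytes ending at the previous match, jump from just after the bytes read, align up to 4) and the little-endian parameter standing in for the dce modifier are assumptions taken from documented Snort/Suricata behaviour.

```python
import re
import struct

# Hypothetical emulation (added example, not Suricata's code) of the content
# checks in sid:14782: pcre -> byte_jump(4,-4,multiplier 2,relative,align,dce) -> pcre/R.
PCRE1 = re.compile(rb"^(\x00\x00\x00\x00|.{4}(\x00\x00\x00\x00|.{12}))", re.S)
PCRE2 = re.compile(rb"\x00\.\x00\.\x00[\x2f\x5c]")

def ndr_string(s):
    """Constructed NDR-style conformant string: referent, max count, offset, actual count, UTF-16LE chars."""
    chars = (s + "\0").encode("utf-16-le")
    n = len(s) + 1
    return b"\x00\x00\x02\x00" + struct.pack("<III", n, 0, n) + chars

def build_stub(server, path):
    """Constructed stub data: two NDR strings, the first padded to a 4-byte boundary."""
    first = ndr_string(server)
    first += b"\x00" * (-len(first) % 4)
    return first + ndr_string(path)

def rule_14782_stub_matches(stub, little_endian=True):
    """Return (matched, offset of the pcre/R match or None). little_endian stands in for
    the 'dce' modifier, which in Suricata takes byte order from the DCE-RPC header."""
    m = PCRE1.match(stub)
    if not m:
        return False, None
    cursor = m.end()                      # detection pointer after the first pcre
    read_at = cursor - 4                  # byte_jump offset -4, relative to that pointer
    if read_at < 0 or read_at + 4 > len(stub):
        return False, None
    fmt = "<I" if little_endian else ">I"
    val = struct.unpack(fmt, stub[read_at:read_at + 4])[0] * 2   # multiplier 2 (UTF-16 chars)
    val += -val % 4                                              # align to a 4-byte boundary
    cursor = read_at + 4 + val            # jump starts after the bytes that were read
    if cursor > len(stub):
        return False, None                # a jump that leaves the buffer fails the keyword
    m2 = PCRE2.search(stub, cursor)       # /R: search relative to the detection pointer
    return (True, m2.start()) if m2 else (False, None)

# Constructed inputs: a path carrying the "..\" token after the server name, and a benign one.
TRAVERSAL_STUB = build_stub("serv", "a..\\")
BENIGN_STUB = build_stub("serv", "C:\\share\\file")

if __name__ == "__main__":
    print(rule_14782_stub_matches(TRAVERSAL_STUB))  # (True, 45)
    print(rule_14782_stub_matches(BENIGN_STUB))     # (False, None)
```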