[Oisf-devel] Suricata 4.1rc1 and rule compatibility question

jason taylor jtfas90 at gmail.com
Wed Aug 1 14:29:00 UTC 2018


On Wed, 2018-08-01 at 15:58 +0200, Victor Julien wrote:
> On 31-07-18 02:23, jason taylor wrote:
> > Hi All,
> > 
> > We are doing some testing with 4.1rc1 and are seeing what appear to be
> > false positives on the following rule:
> > 
> > alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:]
> > (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP srvsvc NetrpPathCanonicalize path canonicalization stack overflow attempt";
> > flow:to_server,established;
> > dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:31,32;
> > dce_stub_data;
> > pcre:"/^(\x00\x00\x00\x00|.{4}(\x00\x00\x00\x00|.{12}))/s";
> > byte_jump:4,-4,multiplier 2,relative,align,dce;
> > pcre:"/\x00\.\x00\.\x00[\x2f\x5c]/R";
> > metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn;
> > reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-067;
> > classtype:trojan-activity; sid:14782; rev:21;)
> > 
> > The traffic we are seeing the false positive against is http traffic
> > but is firing this rule (pcap in tarball).
> > 
> > Is this rule just incompatible with suri or is there something else
> > amiss here?
> > 
> > We ran the sample pcap against 4.0.5 and do not see the false positive
> > alert.
> > 
> > We see the false positive alert against 4.1rc1 and the latest master
> > branch.
> > 
> > Let me know if additional details are needed.
> 
> I can reproduce it, thanks. Can you open a ticket in our redmine as well?
> 
Thanks!

https://redmine.openinfosecfoundation.org/issues/2559

JT
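As an added example, not part of this thread or of Suricata's own code: a Python model of the stub-data matching steps in sid:14782 (the anchored pcre, the byte_jump over the ServerName string, and the relative pcre), run over constructed NDR stub bytes. The byte order that the dce modifier would take from the DCERPC header is an assumed parameter here, and the stubs are constructed test vectors for the signature only.

```python
import re
import struct

# Regexes copied from the rule (sid:14782); Python's re accepts them unchanged.
PCRE1 = re.compile(rb"^(\x00\x00\x00\x00|.{4}(\x00\x00\x00\x00|.{12}))", re.S)
PCRE2 = re.compile(rb"\x00\.\x00\.\x00[\x2f\x5c]", re.S)


def byte_jump(buf, pos, little_endian=True):
    """Model of byte_jump:4,-4,multiplier 2,relative,align,dce.

    pos is the end of the previous match. The 4-byte value is read at pos-4,
    doubled (multiplier 2), rounded up to a 4-byte boundary (align), and the
    jump starts at the end of the extracted bytes. The 'dce' modifier takes
    byte order from the DCERPC header; here it is an assumed parameter.
    Returns the new cursor position, or None if the jump leaves the buffer.
    """
    start = pos - 4
    if start < 0 or start + 4 > len(buf):
        return None
    fmt = "<I" if little_endian else ">I"
    value = struct.unpack(fmt, buf[start:start + 4])[0] * 2
    if value % 4:
        value += 4 - value % 4
    new_pos = start + 4 + value
    return new_pos if new_pos <= len(buf) else None


def stub_matches(stub, little_endian=True):
    """True if the stub satisfies pcre -> byte_jump -> pcre (/R) in that order."""
    m = PCRE1.match(stub)
    if m is None:
        return False
    pos = byte_jump(stub, m.end(), little_endian)
    if pos is None:
        return False
    return PCRE2.search(stub, pos) is not None


def ndr_wstr(s):
    """Constructed NDR UTF-16LE string: max count, offset, actual count, data, pad."""
    data = (s + "\0").encode("utf-16-le")
    n = len(data) // 2
    return struct.pack("<III", n, 0, n) + data + b"\x00" * ((-len(data)) % 4)


# Constructed stubs: a non-null ServerName pointer, the ServerName string, then Path.
REFERENT = b"\x00\x00\x02\x00"
BENIGN_STUB = REFERENT + ndr_wstr("server") + ndr_wstr("\\share\\dir\\file")
TRAVERSAL_STUB = REFERENT + ndr_wstr("server") + ndr_wstr("\\a\\..\\b")

if __name__ == "__main__":
    print(stub_matches(BENIGN_STUB), stub_matches(TRAVERSAL_STUB))  # False True
```

The model only shows what the rule intends to match on well-formed srvsvc stub data; it says nothing about why the HTTP pcap in the thread triggered the alert.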
