Hi,<br>Yes, I can confirm that.<br>Would you please open a ticket on redmine for that.<br><br>thanks<br><br><br><div class="gmail_quote">On Sun, Jan 22, 2012 at 1:27 PM, rmkml <span dir="ltr"><<a href="mailto:rmkml@yahoo.fr">rmkml@yahoo.fr</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
Im test new suricata v1.2.1 and I have a FP please.<br>
<br>
ok look very simply signature:<br>
 alert ip any any -> any any (msg:"test suricata negate ip_proto"; ip_proto:!103; classtype:non-standard-<u></u>protocol; sid:9215831; rev:1;)<br>
<br>
with joigned pcap file, suricata fire: (no error on suricata output)<br>
 11/18/2011-10:07:10.366672  [**] [1:9215831:1] test suricata negate ip_proto [**] [Classification: Detection of a non-standard protocol or event] [Priority: 2] {PIM} <a href="http://172.28.127.254:0" target="_blank">172.28.127.254:0</a> -> <a href="http://224.0.0.13:0" target="_blank">224.0.0.13:0</a><br>

<br>
Anyone confirm please? if yes Im open a new redmine ticket.<br>
Of course, snort not fire.<br>
Regards<br>
Rmkml<br>
<br>
<a href="http://twitter.com/rmkml" target="_blank">http://twitter.com/rmkml</a><br>_______________________________________________<br>
Oisf-devel mailing list<br>
<a href="mailto:Oisf-devel@openinfosecfoundation.org">Oisf-devel@openinfosecfoundation.org</a><br>
<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a><br></blockquote></div><br><br clear="all"><br>-- <br>Peter Manev<br>