[Oisf-devel] suricata content+depth+offset pb (FalseNegative)

rmkml rmkml at free.fr
Thu Apr 29 10:54:01 UTC 2010


Hi,
I have downloaded latest suricata git version (v0.8.2 release have same pb), look my simply signature/rule:
  alert tcp any any -> any 515 (msg:"detect IFS"; flow:to_server,established; content:"${IFS}"; depth:50; offset:0; classtype:attempted-dos; sid:900091; rev:1; )
Joigned pcap file (old lpd exploit) demonstrate the pb.
I have removed offset keyword on my signature/rule and alert firing!:
If anyone have a idea please?
If you confirm pb, I create a new ticket on redmine.
Regards
Rmkml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: exploit_hpux_lpd_exec.pcap
Type: application/cap
Size: 17508 bytes
Desc: 
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20100429/77a46a2b/attachment.bin>


More information about the Oisf-devel mailing list