[Oisf-devel] Suricata v0.8.0 and isdataat and relative option: unknown keyword

Will Metcalf william.metcalf at gmail.com
Mon Jan 4 21:54:01 UTC 2010


It looks like you are correct in that this is a valid use case.  I will file
a bug and look into how this should be handled.

Regards,

Will

On Sat, Jan 2, 2010 at 10:42 AM, rmkml <rmkml at free.fr> wrote:

> Hi,
> After a little testing, I have a new small question about this signature:
>  alert tcp any any -> any any (msg:"test"; flow:to_server,established;
> uricontent:"test"; nocase; isdataat:96,relative; sid:987654321; rev:1; )
> If I start suricata:
>  ./suricata080beta -c suricata.yaml -r test.pcap --init-errors-fatal
> ...
> [15316] 2/1/2010 -- 21:30:39 - (detect.c:327) <Info> (SigLoadSignatures) --
> Loading rule file: test.rules
> DetectIsdataatSetup: Unknown previous keyword!
>
> OK, this signature is not good for production use (the signature is
> simplified to demonstrate the isdataat error), but the error does not
> appear on Snort; maybe it's a Suricata bug?
> Regards
> Rmkml
> Crusoe-Researches.com
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>