[Oisf-devel] FP with suricata yesterday git
rmkml
rmkml at free.fr
Sun Jun 6 09:20:47 UTC 2010
Hi,
Maybe Im find a regression between suricata v0.9.1 and yesterday git (79443b1991840930ded4b8f09ba6de7b000912d9)
If anyone confirm ? Im open a new ticket...
ok with this old sig, I have a FP with joigned my (anonymized) pcap file:
alert udp any any -> any 53 (msg:"DNS zone transfer UDP"; content:"|00 00 FC|"; offset:14; classtype:attempted-recon; sid:1948; rev:6;)
alert firing:
04/01/09-14:36:40.894688 [**] [1:1948:6] DNS zone transfer UDP [**] [Classification: ...] [Priority: 3] {1} 10.50.1.143:3 -> 142.27.128.1:3
Joigned pcap file contains 3 packets: first is dns A request, second is dns reply, third is icmp port (dns) unreach (FP hear).
It's not a fuzzing, it's "normal" dns trafic.
Snort not firing, maybe it's a new Suricata feature?
Regards
Rmkml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suricatafpicmpudpdns5jun2010.pcap
Type: application/cap
Size: 348 bytes
Desc:
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20100606/37f0409f/attachment.bin>
More information about the Oisf-devel
mailing list