[Oisf-devel] small pb (FN) on suricata with content and offset+depth
rmkml
rmkml at free.fr
Fri May 21 10:27:03 UTC 2010
and if anyone confirms, I'll open a ticket...
Rmkml
On Fri, 21 May 2010, rmkml wrote:
> Hi,
> I have a small pb with this sig and the attached (dns/udp) pcap file, without the alert
> firing:
> alert udp any 53 -> any any (msg:"suricata test dns reply"; content:"|00 00 00|"; offset:3; depth:4; classtype:bad-unknown; sid:9199437; rev:1;)
> simplified tcpdump hex output (on the attached pcap file):
> 0x0000: 4500 0028 0000 4000 3411 5152 c202 2809
> 0x0010: 0a32 0136 0035 e6e6 0014 1a16 6098 a888
> 0x0020: 0000 0000 0000 0000 0000 0000 0000
> ok, the udp payload starts at 0x1c; in my sig, offset:3 starts at 0x1f, but depth:4
> allows me 0x1f:88 + 0x20:00 + 0x21:00 + 0x22:00.
> Can anyone confirm this small pb please?
> Tested on suricata v0.9.0 and git on date 20 may 2010
> (b629b7c5c1e2ad6c91b97b6708ad9ddc6a674502).
>
> and of course, this sig works:
> alert udp any 53 -> any any (msg:"suricata test dns reply"; content:"|00 00 00|"; offset:4; depth:3; classtype:bad-unknown; sid:9199437; rev:1;)
> Regards
> Rmkml
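The offset/depth reading in the report, as an added example that is not part of the thread or of Suricata's code: a small Python model of content + offset + depth matching, applied to the UDP payload extracted from the quoted hex dump. It assumes the reporter's reading (depth counts from offset, as the Suricata rule docs also describe); the function names are mine.

```python
from typing import Optional

# Added example (not from the thread): model of content/offset/depth
# semantics, where the search window is payload[offset : offset + depth]
# and the whole pattern must lie inside that window.
def content_matches(payload: bytes, pattern: bytes,
                    offset: int = 0, depth: Optional[int] = None) -> Optional[int]:
    """Return the payload index where pattern matches, or None if it does not."""
    start = min(offset, len(payload))
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    idx = payload[start:end].find(pattern)
    return None if idx < 0 else start + idx


def udp_payload(frame: bytes) -> bytes:
    """Extract the UDP payload from a raw IPv4 packet.

    Uses the IPv4 IHL field to find the UDP header and the UDP length field
    to bound the payload, so trailing link-layer padding is dropped.
    """
    ihl = (frame[0] & 0x0F) * 4            # IPv4 header length in bytes
    udp_len = int.from_bytes(frame[ihl + 4:ihl + 6], "big")
    return frame[ihl + 8:ihl + udp_len]    # UDP header is 8 bytes


# Constructed from the tcpdump output quoted in the report (IPv4 + UDP/DNS).
FRAME = bytes.fromhex(
    "4500 0028 0000 4000 3411 5152 c202 2809"
    "0a32 0136 0035 e6e6 0014 1a16 6098 a888"
    "0000 0000 0000 0000 0000 0000 0000"
)
PATTERN = bytes.fromhex("000000")          # content:"|00 00 00|"


def reported_rule() -> Optional[int]:
    """offset:3; depth:4 -> window 88 00 00 00, expected to match at index 4."""
    return content_matches(udp_payload(FRAME), PATTERN, offset=3, depth=4)


def working_rule() -> Optional[int]:
    """offset:4; depth:3 -> window 00 00 00, the variant the report says fires."""
    return content_matches(udp_payload(FRAME), PATTERN, offset=4, depth=3)


if __name__ == "__main__":
    print("payload:", udp_payload(FRAME).hex(" "))
    print("offset:3; depth:4 ->", reported_rule())
    print("offset:4; depth:3 ->", working_rule())
```

Under these semantics both rules should match at payload index 4, so an engine that fires only on the second one is reading depth as something other than a window counted from offset.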