[Oisf-devel] FN on suricata 103/11beta2 - ftp format string

Anoop Saldanha poonaatsoc at gmail.com
Sun Apr 17 06:36:11 UTC 2011


On Sun, Apr 17, 2011 at 5:08 AM, rmkml <rmkml at free.fr> wrote:

> Hi,
> First, Great Congratulations for new Suricata 1.0.3/1.1beta2 release!
>
> Second, I have a small problem with the attached pcap file.
>
> ok first sig working:
>  alert tcp any any -> any 21 (msg:"FTP format string in ftp cmd attempt";
> flow:to_server,established;
>  content:"%"; depth:4; offset:0; classtype:misc-activity; sid:945011;
> rev:1;)
>
> ok second sig NOT working (but works with snort):
>  alert tcp any any -> any 21 (msg:"FTP format string in ftp cmd attempt";
> flow:to_server,established;
>  content:"%"; depth:4; offset:0; content:"%"; within:2; distance:1;
> classtype:misc-activity; sid:945012; rev:1;)
>
> stream:
>  checksum_validation: no # or yes have same pb for me
>
> Thx you again for your time for checking my test.
> If you confirm, I'll open a new ticket on suricata redmine.
>
> Regards
> Rmkml
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
>
From what I see, yeah a FN.  The first sig is not firing as well for me.  This
is more down to the alproto detection + stream mpm + no stateful mpm
thing.  A stateful mpm should fix this issue.  A bug in redmine would be
good to keep us reminded about implementing it, although we have it in our
feature list.

-- 
Regards,
Anoop Saldanha
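As an added example, not code from the thread, from Snort or from the Suricata project: a small Python model of the content window semantics the two quoted rules rely on. offset/depth are absolute from the start of the payload, distance/within are relative to the end of the previous content match, and the matcher backtracks to the next occurrence of an earlier content when a later one fails, which is how chained relative matches behave in the real engines. Run against constructed FTP command lines it shows which payloads sid:945011 and sid:945012 should fire on, so a payload this model accepts but the engine misses points at the stream/mpm path Anoop describes rather than at the rule text. Everything besides the two rules is an assumption: the parser is a toy (plain-text content only, no |hex| bytes, no nocase, modifiers bind to the preceding content keyword, no ';' inside quoted values) and the payload is taken to be the already-reassembled to_server data, so protocol detection and stream reassembly are out of scope.

```python
"""Model of Snort/Suricata content-match window semantics (added example).

Not Suricata's or Snort's code. Assumptions not in the original post:
plain-text content only, each offset/depth/distance/within modifier applies
to the content keyword just before it, and the payload is already-reassembled
to_server FTP data (stream reassembly and alproto detection are out of scope).
"""
from dataclasses import dataclass
from typing import Iterator, List, Optional

# The two rules quoted in the thread, joined onto one line each.
SIG1 = ('alert tcp any any -> any 21 (msg:"FTP format string in ftp cmd attempt"; '
        'flow:to_server,established; content:"%"; depth:4; offset:0; '
        'classtype:misc-activity; sid:945011; rev:1;)')
SIG2 = ('alert tcp any any -> any 21 (msg:"FTP format string in ftp cmd attempt"; '
        'flow:to_server,established; content:"%"; depth:4; offset:0; '
        'content:"%"; within:2; distance:1; '
        'classtype:misc-activity; sid:945012; rev:1;)')


@dataclass
class Content:
    pattern: bytes
    offset: int = 0                  # absolute: start searching at this byte
    depth: Optional[int] = None      # absolute: search this many bytes from offset
    distance: Optional[int] = None   # relative: skip this many bytes after the previous match
    within: Optional[int] = None     # relative: the match must fit in this many bytes from there

    @property
    def relative(self) -> bool:
        # distance or within turns the content into one relative to the previous match end
        return self.distance is not None or self.within is not None


def parse_contents(rule: str) -> List[Content]:
    """Pull the content keywords and their modifiers out of a rule string.
    Toy parser (assumption): splits on ';', so no ';' inside quoted values."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    contents: List[Content] = []
    for opt in body.split(";"):
        key, _, val = opt.strip().partition(":")
        key, val = key.strip(), val.strip()
        if key == "content":
            contents.append(Content(pattern=val.strip('"').encode()))
        elif key in ("offset", "depth", "distance", "within"):
            if not contents:
                raise ValueError(f"{key} before any content keyword")
            setattr(contents[-1], key, int(val))
    return contents


def _match_ends(payload: bytes, c: Content, prev_end: int) -> Iterator[int]:
    """Yield the end offset of every occurrence of c.pattern that lies
    entirely inside the search window the modifiers define."""
    if c.relative:
        start = max(0, prev_end + (c.distance or 0))
        end = len(payload) if c.within is None else start + c.within
    else:
        start = c.offset
        end = len(payload) if c.depth is None else start + c.depth
    end = min(end, len(payload))
    pos = payload.find(c.pattern, start)
    while pos != -1 and pos + len(c.pattern) <= end:
        yield pos + len(c.pattern)
        pos = payload.find(c.pattern, pos + 1)


def match_rule(payload: bytes, contents: List[Content],
               idx: int = 0, prev_end: int = 0) -> bool:
    """True if every content matches in order. Backtracks: when a later
    content fails, the earlier one is retried at its next occurrence."""
    if idx == len(contents):
        return True
    return any(match_rule(payload, contents, idx + 1, end)
               for end in _match_ends(payload, contents[idx], prev_end))


if __name__ == "__main__":
    # Constructed sample FTP command lines, not taken from the pcap in the thread.
    for line in (b"%s%s%s%s\r\n", b"%n%n\r\n", b"%%\r\n", b"USER %s%s\r\n"):
        print(line,
              "sid:945011" if match_rule(line, parse_contents(SIG1)) else "-",
              "sid:945012" if match_rule(line, parse_contents(SIG2)) else "-")
```

Two points the model makes visible: depth:4 with offset:0 means the first "%" has to end within the first four bytes, so "USER %s%s" triggers neither rule, and distance:1 with within:2 requires exactly one byte between the two "%" characters, so "%%" satisfies sid:945011 but not sid:945012 while "%s%s" and "%n%n" satisfy both.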