[Oisf-devel] FN on suricata 103/11beta2 - ftp format string
rmkml
rmkml at free.fr
Sun Apr 17 07:04:24 UTC 2011
Hi Anoop,
Thx your for help and debug.
For first sig, warn if you copy&paste text to your sigs file, because, maybe include not space but no ascii char...
suricata alert:
[32349] 17/4/2011 -- 08:57:40 - (detect.c:499) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp any any -> any 21 (msg:"FTP...
Regards
Rmkml
On Sun, 17 Apr 2011, Anoop Saldanha wrote:
>From what I see, yeah a FN. The first sigs not firing as well for me. This is more down to the - alproto detection + stream mpm + no stateful mpm thing. A stateful mpm should fix this issue. A bug in redmine should
be better to keep us reminded on implementing it, although we have it in our feature list.
--
Regards,
Anoop Saldanha
> On Sun, Apr 17, 2011 at 5:08 AM, rmkml <rmkml at free.fr> wrote:
> Hi,
> First, Great Congratulations for new Suricata 1.0.3/1.1beta2 release!
>
> Second, I have a small pb with joigned pcap file.
>
> ok first sig working:
> alert tcp any any -> any 21 (msg:"FTP format string in ftp cmd attempt"; flow:to_server,established;
> content:"%"; depth:4; offset:0; classtype:misc-activity; sid:945011; rev:1;)
>
> ok second sig NOT working (but work with snort):
> alert tcp any any -> any 21 (msg:"FTP format string in ftp cmd attempt"; flow:to_server,established;
> content:"%"; depth:4; offset:0; content:"%"; within:2; distance:1; classtype:misc-activity; sid:945012; rev:1;)
>
> stream:
> checksum_validation: no # or yes have same pb for me
>
> Thx you again for your time for checking my test.
> If you confirm, Im open a new ticket on suricata redmine.
>
> Regards
> Rmkml
More information about the Oisf-devel
mailing list