[Oisf-devel] FN on suricata 103/11beta2 - ftp format string

Anoop Saldanha poonaatsoc at gmail.com
Sun Apr 17 12:16:13 UTC 2011


On Sun, Apr 17, 2011 at 12:34 PM, rmkml <rmkml at free.fr> wrote:

> Hi Anoop,
> Thanks for your help and debugging.
> For the first sig, be careful if you copy & paste the text into your sigs file, because
> it may include not a space but a non-ASCII char...
> suricata alert:
>  [32349] 17/4/2011 -- 08:57:40 - (detect.c:499) <Error> (DetectLoadSigFile)
> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert
> tcp any any -> any 21 (msg:"FTP...
> Regards
> Rmkml
>
>
>
I ran it with the sig loading.


>
> On Sun, 17 Apr 2011, Anoop Saldanha wrote:
>
> From what I see, yeah a FN.  The first sig is not firing as well for me.
> This is more down to the - alproto detection + stream mpm + no stateful mpm
> thing.  A stateful mpm should fix this issue.  A bug in redmine should be
> better to keep us reminded on implementing it, although we have it in our
> feature list.
> --
> Regards,
> Anoop Saldanha
>
>
>  On Sun, Apr 17, 2011 at 5:08 AM, rmkml <rmkml at free.fr> wrote:
>>      Hi,
>>      First, Great Congratulations for new Suricata 1.0.3/1.1beta2 release!
>>
>>      Second, I have a small problem with the attached pcap file.
>>
>>      ok first sig working:
>>       alert tcp any any -> any 21 (msg:"FTP format string in ftp cmd attempt"; flow:to_server,established; content:"%"; depth:4; offset:0; classtype:misc-activity; sid:945011; rev:1;)
>>
>>      ok second sig NOT working (but works with snort):
>>       alert tcp any any -> any 21 (msg:"FTP format string in ftp cmd attempt"; flow:to_server,established; content:"%"; depth:4; offset:0; content:"%"; within:2; distance:1; classtype:misc-activity; sid:945012; rev:1;)
>>
>>      stream:
>>       checksum_validation: no # or yes have same pb for me
>>
>>      Thanks again for your time checking my test.
>>      If you confirm, I'll open a new ticket on suricata redmine.
>>
>>      Regards
>>      Rmkml
>
>


-- 
Regards,
Anoop Saldanha
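As an added illustration (not code from this thread, and not Suricata's or Snort's own matching engine), the following Python models the single-packet content-modifier semantics of the two signatures quoted above: absolute offset/depth for the first content and relative distance/within for the second. It assumes the usual Snort/Suricata convention that distance shifts the search window start past the end of the previous match and within bounds the window length; the sample FTP command lines are constructed, not taken from the attached pcap. It deliberately ignores stream reassembly and app-layer protocol detection, which the thread identifies as the actual cause of the false negative, so it only shows which payloads sid 945012 is meant to catch, not why Suricata missed them.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Content:
    """One content keyword plus the modifiers used in the thread's signatures."""
    pattern: bytes
    offset: int = 0                 # absolute: search starts at this byte
    depth: Optional[int] = None     # absolute: search only this many bytes from offset
    distance: Optional[int] = None  # relative: skip this many bytes past the previous match end
    within: Optional[int] = None    # relative: match must end within this many bytes of window start


def rule_matches(payload: bytes, contents: List[Content]) -> bool:
    """Return True when every content matches, in order, inside its own window.

    Assumed (simplified) semantics: a content carrying distance or within is
    relative to the end of the previous match; otherwise offset/depth are
    absolute from the start of the payload. bytes.find(sub, start, end)
    only reports matches that lie entirely inside payload[start:end].
    """
    prev_end = 0
    for c in contents:
        if c.distance is None and c.within is None:
            start = c.offset
            end = len(payload) if c.depth is None else c.offset + c.depth
        else:
            start = prev_end + (c.distance or 0)
            end = len(payload) if c.within is None else start + c.within
        idx = payload.find(c.pattern, start, min(end, len(payload)))
        if idx == -1:
            return False
        prev_end = idx + len(c.pattern)
    return True


# The two signatures from the thread, reduced to their content chains.
SIG_945011 = [Content(b"%", offset=0, depth=4)]
SIG_945012 = [Content(b"%", offset=0, depth=4), Content(b"%", distance=1, within=2)]


def evaluate(payload: bytes) -> dict:
    """Map each sid to whether its content chain matches this single payload."""
    return {945011: rule_matches(payload, SIG_945011),
            945012: rule_matches(payload, SIG_945012)}


# Constructed sample FTP command lines (not from the thread's pcap).
SAMPLES = {
    b"%n%n\r\n":   "two specifiers one byte apart: both sids",
    b"%%\r\n":     "adjacent percents: distance:1 rejects the second",
    b"%s\r\n":     "single specifier: sid 945011 only",
    b"%nnn%\r\n":  "second % outside the within:2 window: sid 945011 only",
    b"PWD\r\n":    "ordinary command: neither",
}

if __name__ == "__main__":
    for payload, note in SAMPLES.items():
        print(f"{payload!r:14} -> {evaluate(payload)}  # {note}")
```

Run as a script it prints one line per sample; the interesting cases are the ones where 945011 fires and 945012 does not, which is exactly the gap distance:1 and within:2 create. In the thread's scenario the command line is delivered via the stream and app-layer path, so the real question is not the window arithmetic but whether the reassembled payload ever reaches the content inspection, which is the stateful-MPM point Anoop makes.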