[Oisf-devel] FN on suricata 103/11beta2 - ftp format string

Victor Julien victor at inliniac.net
Sun Apr 17 14:28:32 UTC 2011


Can you try it with the "stream.inline" option set to "yes"? I think it
might be related to the stream in the pcap not being shut down at all in
combination with doing reassembled inspection.

On 04/17/2011 02:16 PM, Anoop Saldanha wrote:
> On Sun, Apr 17, 2011 at 12:34 PM, rmkml <rmkml at free.fr> wrote:
> 
>> Hi Anoop,
>> Thx for your help and debugging.
>> For the first sig, a warning if you copy&paste text into your sigs file, because
>> it may include not a space but a non-ASCII char...
>> suricata alert:
>>  [32349] 17/4/2011 -- 08:57:40 - (detect.c:499) <Error> (DetectLoadSigFile)
>> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert
>> tcp any any -> any 21 (msg:"FTP...
>> Regards
>> Rmkml
>>
>>
>>
> I ran it with the sig loading.
> 
> 
>>
>> On Sun, 17 Apr 2011, Anoop Saldanha wrote:
>>
>> From what I see, yeah a FN.  The first sig is not firing for me as well.
>> This is more down to the - alproto detection + stream mpm + no stateful mpm
>> thing.  A stateful mpm should fix this issue.  A bug in redmine would be
>> better to keep us reminded to implement it, although we have it in our
>> feature list.
>> --
>> Regards,
>> Anoop Saldanha
>>
>>
>>  On Sun, Apr 17, 2011 at 5:08 AM, rmkml <rmkml at free.fr> wrote:
>>>      Hi,
>>>      First, Great Congratulations for new Suricata 1.0.3/1.1beta2 release!
>>>
>>>      Second, I have a small pb with the attached pcap file.
>>>
>>>      ok first sig working:
>>>       alert tcp any any -> any 21 (msg:"FTP format string in ftp cmd attempt"; flow:to_server,established; content:"%"; depth:4; offset:0; classtype:misc-activity; sid:945011; rev:1;)
>>>
>>>      ok second sig NOT working (but works with snort):
>>>       alert tcp any any -> any 21 (msg:"FTP format string in ftp cmd attempt"; flow:to_server,established; content:"%"; depth:4; offset:0; content:"%"; within:2; distance:1; classtype:misc-activity; sid:945012; rev:1;)
>>>
>>>      stream:
>>>       checksum_validation: no # no or yes, same pb for me
>>>
>>>      Thx again for your time checking my test.
>>>      If you confirm, I'll open a new ticket on suricata redmine.
>>>
>>>      Regards
>>>      Rmkml
>>
>>


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
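The two rules quoted in rmkml's message rely on content modifiers whose interplay decides what sid 945012 can match: offset/depth bound the first content's search window, while distance/within are relative to the end of the previous match. What follows is an added example written for this page, not Suricata's or Snort's code. It models my reading of the manuals' semantics for those four keywords in a small Python checker, with a deliberately simplified rule parser (no |hex| escapes, no ';' inside quoted strings) and constructed FTP command payloads that do not come from the pcap in the thread. It says nothing about the stream/alproto inspection problem the thread is about; it only shows which client payloads each rule should fire on once the payload is actually inspected.

```python
"""Minimal model of content/offset/depth/distance/within matching, applied to
the two FTP format-string rules from the thread.  Added example, not Suricata
or Snort code.  Semantics assumed here (my reading of the Snort/Suricata
manuals): offset/depth bound an absolute search window; distance moves the
search start relative to the END of the previous match; within bounds where
the current match must END relative to the end of the previous match."""

from typing import Dict, List, Optional

# The two rules as posted in the thread.
SIG_945011 = ('alert tcp any any -> any 21 (msg:"FTP format string in ftp cmd attempt"; '
              'flow:to_server,established; content:"%"; depth:4; offset:0; '
              'classtype:misc-activity; sid:945011; rev:1;)')
SIG_945012 = ('alert tcp any any -> any 21 (msg:"FTP format string in ftp cmd attempt"; '
              'flow:to_server,established; content:"%"; depth:4; offset:0; '
              'content:"%"; within:2; distance:1; classtype:misc-activity; sid:945012; rev:1;)')

MODIFIERS = ("offset", "depth", "distance", "within")


def parse_rule(rule: str) -> Dict:
    """Return {'sid': int, 'contents': [{content, offset?, depth?, distance?, within?}, ...]}.
    Simplified: plain text content only, no '|hex|' and no ';' inside quotes."""
    body = rule[rule.index("(") + 1: rule.rindex(")")]
    sid: Optional[int] = None
    contents: List[Dict] = []
    for opt in body.split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        key, value = key.strip(), value.strip()
        if key == "content":
            contents.append({"content": value.strip('"').encode()})
        elif key in MODIFIERS:
            if not contents:
                raise ValueError(f"{key} appears before any content keyword")
            contents[-1][key] = int(value)
        elif key == "sid":
            sid = int(value)
    if sid is None or not contents:
        raise ValueError("rule needs a sid and at least one content")
    return {"sid": sid, "contents": contents}


def match_contents(payload: bytes, contents: List[Dict], prev_end: Optional[int] = None) -> bool:
    """Apply the content checks in order.  If an earlier occurrence of a content
    fails the later relative checks, retry with its next occurrence (both
    engines backtrack this way, so '%%x%' still matches 945012)."""
    if not contents:
        return True
    c, rest = contents[0], contents[1:]
    pat = c["content"]
    relative = prev_end is not None and ("distance" in c or "within" in c)
    if relative:
        start = prev_end + c.get("distance", 0)
        end = len(payload) if "within" not in c else min(len(payload), prev_end + c["within"])
    else:
        start = c.get("offset", 0)
        end = len(payload) if "depth" not in c else min(len(payload), start + c["depth"])
    idx = payload.find(pat, start, end)  # whole pattern must lie inside [start, end)
    while idx >= 0:
        if match_contents(payload, rest, idx + len(pat)):
            return True
        idx = payload.find(pat, idx + 1, end)
    return False


def evaluate(payload: bytes, rules=(SIG_945011, SIG_945012)) -> Dict[int, bool]:
    """Map sid -> whether the rule's content checks match this client payload."""
    return {p["sid"]: match_contents(payload, p["contents"])
            for p in (parse_rule(r) for r in rules)}


# Constructed FTP command lines (client -> server); not taken from the thread's pcap.
SAMPLES = {
    b"%s%s%s%s\r\n": "both: '%' at byte 0, second '%' exactly one byte after it",
    b"x%n%n\r\n": "both: first '%' at byte 1 is still inside depth:4",
    b"%%x%\r\n": "both, but only after retrying the first '%' at byte 1",
    b"%s\r\n": "945011 only: nothing at the byte distance:1 points to",
    b"%%s\r\n": "945011 only: adjacent '%%' fails distance:1",
    b"USER %n%n\r\n": "neither: first '%' is at byte 5, outside depth:4",
}

if __name__ == "__main__":
    for payload, why in SAMPLES.items():
        print(payload, evaluate(payload), "-", why)
```

The point of the samples is the narrow window 945012 leaves: with a one-byte content, distance:1 plus within:2 means the second "%" must sit exactly one byte after the first, so "%%" alone does not fire while "%s%s" does. The `stream.inline` setting Victor asks about is a suricata.yaml option and is not modelled here; this block only answers what the rules should match, not whether the reassembled stream ever reaches the detection engine.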