[Oisf-devel] FN on sig contains ip proto negate please
rmkml
rmkml at yahoo.fr
Tue Oct 4 20:57:49 UTC 2011
Hi,
Can anyone check this FN, please?
alert ip any any -> any any (msg:"test ip proto 1"; ip_proto:219; classtype:non-standard-protocol; sid:999991; rev:1;)
Attached pcap file: OK, Suricata v105 fires.
OK, the next sig contains an ip proto negation:
alert ip any any -> any any (msg:"test ip proto 2"; ip_proto:!1; classtype:non-standard-protocol; sid:999992; rev:1;)
On this one, Suricata v105 does not fire (of course, Snort fires).
If you confirm, I'll open a new ticket on Redmine.
Regards
Rmkml
http://twitter.com/rmkml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: exemple_ipproto219_scan.pcap
Type: application/octet-stream
Size: 74 bytes
Desc:
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20111004/98e1f826/attachment.obj>
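
Added example, not part of the original message and not Suricata's or Snort's code: a small reference model of the expected `ip_proto` semantics (plain value plus the `!`, `<`, `>` operators), run against a constructed IPv4 header with protocol 219 rather than the attached pcap. Both signatures from the message should match that header, which is the behaviour the report expects; the helper names are hypothetical.

```python
import re
import socket
import struct

# The two signatures from the message, copied verbatim.
SIG_EQ = 'alert ip any any -> any any (msg:"test ip proto 1"; ip_proto:219; classtype:non-standard-protocol; sid:999991; rev:1;)'
SIG_NEG = 'alert ip any any -> any any (msg:"test ip proto 2"; ip_proto:!1; classtype:non-standard-protocol; sid:999992; rev:1;)'

# One ip_proto option: optional operator (!, <, >) followed by a protocol number.
IP_PROTO_OPT = re.compile(r"\bip_proto\s*:\s*([!<>]?)\s*(\d+)\s*;")


def build_ipv4_header(proto, src="192.0.2.1", dst="198.51.100.2"):
    """Constructed sample: bare 20-byte IPv4 header (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def ip_protocol(header):
    """Return the protocol field (byte 9) of an IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return header[9]


def parse_ip_proto(rule):
    """Extract (operator, value) from the first ip_proto option in a rule."""
    m = IP_PROTO_OPT.search(rule)
    if m is None:
        raise ValueError("rule has no numeric ip_proto option")
    value = int(m.group(2))
    if value > 255:
        raise ValueError("protocol number out of range")
    return m.group(1) or "=", value


def rule_matches(rule, header):
    """Expected verdict of the ip_proto option for this header."""
    op, value = parse_ip_proto(rule)
    proto = ip_protocol(header)
    return {"=": proto == value, "!": proto != value,
            "<": proto < value, ">": proto > value}[op]


if __name__ == "__main__":
    pkt = build_ipv4_header(219)  # constructed stand-in for the reported packet
    for sig in (SIG_EQ, SIG_NEG):
        print(parse_ip_proto(sig), rule_matches(sig, pkt))
```

A verdict table like this can serve as the expected-results column when replaying a pcap through an IDS build to check for a false negative on the negated form.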