[Oisf-devel] FN on sig contains ip proto negate please

Peter Manev petermanev at gmail.com
Wed Oct 5 15:46:06 UTC 2011


I can confirm the issue as described for Sur 1.0.5 and Git.
The rule loads in both cases.

Thank you

On Tue, Oct 4, 2011 at 10:57 PM, rmkml <rmkml at yahoo.fr> wrote:

> Hi,
> Can anyone check this FN please?
>  alert ip any any -> any any (msg:"test ip proto 1"; ip_proto:219; classtype:non-standard-protocol; sid:999991; rev:1;)
> Attached pcap file: OK, Suricata v105 fires.
>
> OK, the next sig contains an ip proto negate:
>  alert ip any any -> any any (msg:"test ip proto 2"; ip_proto:!1; classtype:non-standard-protocol; sid:999992; rev:1;)
> On this: Suricata v105 does not fire (of course, Snort fires).
>
> If you confirm, I'll open a new ticket on redmine.
> Regards
> Rmkml
> http://twitter.com/rmkml


-- 
Peter Manev