[Oisf-devel] FN with suricata git version today ?
rmkml
rmkml at yahoo.fr
Tue Apr 24 22:55:10 UTC 2012
Hi,
OK, I restarted my Suricata testing and found FN results:
1) OK, use only these two sigs:
alert tcp any 80 -> any any (msg:"404"; flow:to_client,established; content:"404"; http_stat_code; file_data; content:!"<script"; nocase; distance:0; classtype:attempted-admin; sid:44333221; rev:1;)
alert tcp any $HTTP_PORTS -> any any (msg:"file_data"; flow:to_server,established; file_data; content:"abc"; nocase; distance:0; classtype:web-application-attack; sid:44333222; rev:1;)
2) and tested with wget / the attached pcap file:
wget http://www.openinfosecfoundation.org/xyz.php
2012-04-24 23:54:48 ERROR 404: Not Found.
3a) results: Suricata v1.3git24apr: no alerts
3b) results: Suricata v1.2.1 : fire/alert
4) OK, change on sig 44333222: $HTTP_PORTS -> 80
-> results: all Suricata versions fire/alert
5) OK, another change on sig 44333221: remove 'file_data; content:!"<script"; nocase; distance:0;'
-> results: all Suricata versions fire/alert
6) OK, another change on sig 44333222: comment out/disable this sig
-> results: all Suricata versions fire/alert
Checksum verification is disabled.
Snort always fires.
Suricata reports no errors for sig 44333221 or 44333222!
I'm curious whether someone can reproduce my FN (3a), please? If yes, I'll open a new redmine ticket.
Regards
Rmkml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 404.pcap
Type: application/octet-stream
Size: 1415 bytes
Desc:
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20120425/79647aa4/attachment.obj>
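The comparison the report describes (the same two rules and the same pcap run through two Suricata builds, then a check for sids that fired in one run but not the other) can be scripted. The following is an added example, not code from the original post or from the Suricata project. It assumes a rules file name (test.rules), that a `suricata` binary with the `-r`, `-S` and `-l` options is on PATH, and that fast.log lines carry the usual `[gid:sid:rev]` tag; the sample fast.log contents and IP addresses are constructed, and the 1.2.1 baseline is taken to be "sid 44333221 fires" as stated in 3b.

```python
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# The two signatures from the report, written to a hypothetical test.rules.
RULES = (
    'alert tcp any 80 -> any any (msg:"404"; flow:to_client,established; '
    'content:"404"; http_stat_code; file_data; content:!"<script"; nocase; '
    'distance:0; classtype:attempted-admin; sid:44333221; rev:1;)\n'
    'alert tcp any $HTTP_PORTS -> any any (msg:"file_data"; '
    'flow:to_server,established; file_data; content:"abc"; nocase; '
    'distance:0; classtype:web-application-attack; sid:44333222; rev:1;)\n'
)

# Constructed fast.log contents standing in for the two runs in the report:
# the 1.2.1 run (3b) raised sid 44333221, the git build (3a) raised nothing.
FASTLOG_V121 = (
    "04/24/2012-23:54:48.000000  [**] [1:44333221:1] 404 [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
    "{TCP} 10.0.0.1:80 -> 10.0.0.2:49152\n"
)
FASTLOG_V13GIT = ""

# Matches the "[gid:sid:rev]" tag that Suricata's fast.log puts on each alert.
SID_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")


def fired_sids(fast_log_text):
    """Return the set of sids that appear at least once in a fast.log text."""
    return {int(m.group(2)) for m in SID_RE.finditer(fast_log_text)}


def false_negatives(baseline_log, candidate_log):
    """Sids that fired in the baseline run but not in the candidate run.

    This is the 3a-vs-3b comparison from the report: anything returned here
    is a candidate false negative in the build that produced candidate_log.
    """
    return fired_sids(baseline_log) - fired_sids(candidate_log)


def run_suricata(pcap, rules_text=RULES, binary="suricata"):
    """Replay a pcap through one Suricata binary with only these rules.

    Returns the fast.log text, or None when the binary is not installed.
    Checksum verification is left to the caller's suricata.yaml (the report
    says it is disabled there); no -k flag is assumed, since it is not
    available in every 1.x build.
    """
    if shutil.which(binary) is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        rules = Path(tmp) / "test.rules"
        rules.write_text(rules_text)
        logdir = Path(tmp) / "log"
        logdir.mkdir()
        # -S loads this rules file exclusively, -r replays the pcap,
        # -l sends fast.log (and the other outputs) to logdir.
        subprocess.run(
            [binary, "-r", str(pcap), "-S", str(rules), "-l", str(logdir)],
            check=True, capture_output=True,
        )
        fast_log = logdir / "fast.log"
        return fast_log.read_text() if fast_log.exists() else ""


if __name__ == "__main__":
    # Offline demonstration on the constructed logs; to compare two real
    # builds, call run_suricata("404.pcap", binary="/path/to/suricata-1.2.1")
    # and run_suricata("404.pcap", binary="/path/to/suricata-git") instead.
    fn = false_negatives(FASTLOG_V121, FASTLOG_V13GIT)
    print("sids fired by 1.2.1 but not by git build:", sorted(fn))
```

To reproduce the report, point `run_suricata` at each binary in turn with the attached 404.pcap; an empty result from `false_negatives` means the git build fires the same sids as 1.2.1, while `{44333221}` reproduces the FN in 3a.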