[Oisf-devel] FN with suricata git version today ?

rmkml rmkml at yahoo.fr
Tue Apr 24 22:55:10 UTC 2012


ok Im restart my Suricata testing, Im found FN results:

1) ok use only these two sigs:
alert tcp any 80 -> any any (msg:"404"; flow:to_client,established; content:"404"; http_stat_code; file_data; 
content:!"<script"; nocase; distance:0; classtype:attempted-admin; sid:44333221; rev:1; )
alert tcp any $HTTP_PORTS -> any any (msg:"file_data"; flow:to_server,established; file_data; content:"abc"; nocase; distance:0; 
classtype:web-application-attack; sid:44333222; rev:1;)

2) and tested with wget / joigned pcap file:
  wget http://www.openinfosecfoundation.org/xyz.php
  2012-04-24 23:54:48 ERREUR 404: Not Found.

3a) results: Suricata v1.3git24apr: no alerts
3b) results: Suricata v1.2.1 : fire/alert

4) ok change on sig 44333222 : $HTTP_PORTS  ->  80
-> results: all Suricata fire/alert

5) ok another change on sig 44333221 : remove 'file_data; content:!"<script"; nocase; distance:0;'
-> results: all Suricata fire/alert

6) ok another change on sig 44333222 : comment/disable this sig
-> results: all Suricata fire/alert

Checksum verif are disabled.
Snort always fire.
Suricata don't have sig 44333221 or 44333222 errors!

Im curious if someone reproduce (3a) my FN please? if yes Im open a new redmine ticket.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 404.pcap
Type: application/octet-stream
Size: 1415 bytes
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20120425/79647aa4/attachment.obj>

More information about the Oisf-devel mailing list