[Oisf-devel] FN with suricata git version today ?
Victor Julien
victor at inliniac.net
Wed Apr 25 10:29:43 UTC 2012
On 04/25/2012 12:55 AM, rmkml wrote:
> Hi,
>
> ok, I'm restarting my Suricata testing, and I found FN results:
>
> 1) ok use only these two sigs:
> alert tcp any 80 -> any any (msg:"404"; flow:to_client,established;
> content:"404"; http_stat_code; file_data; content:!"<script"; nocase;
> distance:0; classtype:attempted-admin; sid:44333221; rev:1; )
> alert tcp any $HTTP_PORTS -> any any (msg:"file_data";
> flow:to_server,established; file_data; content:"abc"; nocase;
> distance:0; classtype:web-application-attack; sid:44333222; rev:1;)
>
> 2) and tested with wget / attached pcap file:
> wget http://www.openinfosecfoundation.org/xyz.php
> 2012-04-24 23:54:48 ERREUR 404: Not Found.
>
> 3a) results: Suricata v1.3git24apr: no alerts
> 3b) results: Suricata v1.2.1 : fire/alert
>
> 4) ok change on sig 44333222 : $HTTP_PORTS -> 80
> -> results: all Suricata fire/alert
>
> 5) ok another change on sig 44333221 : remove 'file_data;
> content:!"<script"; nocase; distance:0;'
> -> results: all Suricata fire/alert
>
> 6) ok another change on sig 44333222 : comment/disable this sig
> -> results: all Suricata fire/alert
>
> Checksum verification is disabled.
> Snort always fires.
> Suricata doesn't report any errors for sig 44333221 or 44333222!
>
> I'm curious whether someone can reproduce (3a), my FN, please? If yes, I'll open a new
> redmine ticket.
Can you open a new ticket?
Thanks,
Victor
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
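As an added example (not part of this thread and not Suricata's own code), the following Python harness automates the kind of version-to-version regression check rmkml walks through above: it collects the sids from a rules file, collects the sids that actually fired from Suricata's fast.log for each version under test, and reports which expected sids are missing (the false negatives). The fast.log lines and the expected-sid set below are constructed for illustration; the assumption, taken from the thread, is that sid 44333221 should fire on the 404 response for the attached pcap and that sid 44333222 should not.

```python
"""Rule regression check: which expected sids failed to alert in a Suricata run?

Added example, not from the thread or the Suricata project. The rules text is
the pair of sigs quoted in the thread; the fast.log contents are constructed.
"""
import re
from typing import Dict, Set

# The two rules from the thread (sid 44333222 is in its original $HTTP_PORTS form).
RULES = r'''
alert tcp any 80 -> any any (msg:"404"; flow:to_client,established; content:"404"; http_stat_code; file_data; content:!"<script"; nocase; distance:0; classtype:attempted-admin; sid:44333221; rev:1; )
alert tcp any $HTTP_PORTS -> any any (msg:"file_data"; flow:to_server,established; file_data; content:"abc"; nocase; distance:0; classtype:web-application-attack; sid:44333222; rev:1;)
'''

# Constructed fast.log output for each version, imitating results 3a and 3b.
# Format: "date-time  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src -> dst"
FASTLOG_BY_VERSION: Dict[str, str] = {
    "1.2.1": (
        "04/24/2012-23:54:48.123456  [**] [1:44333221:1] 404 [**] "
        "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
        "{TCP} 192.0.2.10:80 -> 192.0.2.20:45678\n"
    ),
    "1.3git24apr": "",  # no alerts at all, as in result 3a
}

# Assumption from the thread: only the 404 rule is expected to fire on this pcap.
EXPECTED_SIDS: Set[int] = {44333221}

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
FASTLOG_RE = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]")


def rule_sids(rules_text: str) -> Set[int]:
    """Return the sids of all active (non-commented) rules in a rules file."""
    sids: Set[int] = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # blank line or disabled rule (step 6)
            continue
        m = SID_RE.search(line)
        if m:
            sids.add(int(m.group(1)))
    return sids


def fired_sids(fastlog_text: str) -> Set[int]:
    """Extract the sid of every alert line in fast.log output."""
    return {int(m.group(2)) for m in FASTLOG_RE.finditer(fastlog_text)}


def false_negatives(expected: Set[int], fastlog_text: str) -> Set[int]:
    """Expected sids that did not produce an alert in this run."""
    return expected - fired_sids(fastlog_text)


def unexpected_alerts(expected: Set[int], fastlog_text: str) -> Set[int]:
    """Sids that fired although the test plan did not expect them (possible FP)."""
    return fired_sids(fastlog_text) - expected


def compare_versions(expected: Set[int], logs: Dict[str, str]) -> Dict[str, Set[int]]:
    """Map each Suricata version under test to its set of false-negative sids."""
    return {version: false_negatives(expected, log) for version, log in logs.items()}


def report(rules_text: str, expected: Set[int], logs: Dict[str, str]) -> str:
    """Human-readable summary; also flags expected sids absent from the rules file."""
    lines = []
    missing_rules = expected - rule_sids(rules_text)
    if missing_rules:
        lines.append(f"expected sids not present in rules: {sorted(missing_rules)}")
    for version, fns in compare_versions(expected, logs).items():
        status = "OK" if not fns else f"FN on sids {sorted(fns)}"
        lines.append(f"Suricata {version}: {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(RULES, EXPECTED_SIDS, FASTLOG_BY_VERSION))
```

In practice the fast.log strings come from running each build with `-r` over the same pcap into a separate log directory; keeping the expected-sid set beside the pcap turns a one-off mailing-list comparison into a check that can be re-run on every git update.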