[Oisf-devel] FN with suricata git version today ?

rmkml rmkml at yahoo.fr
Wed Apr 25 16:42:44 UTC 2012


Hi Victor,
OK, opened redmine ticket #457.
Best Regards
Rmkml


On Wed, 25 Apr 2012, Victor Julien wrote:

> On 04/25/2012 12:55 AM, rmkml wrote:
>> Hi,
>>
>> OK, I restarted my Suricata testing and found FN results:
>>
>> 1) ok use only these two sigs:
>> alert tcp any 80 -> any any (msg:"404"; flow:to_client,established;
>> content:"404"; http_stat_code; file_data; content:!"<script"; nocase;
>> distance:0; classtype:attempted-admin; sid:44333221; rev:1; )
>> alert tcp any $HTTP_PORTS -> any any (msg:"file_data";
>> flow:to_server,established; file_data; content:"abc"; nocase;
>> distance:0; classtype:web-application-attack; sid:44333222; rev:1;)
>>
>> 2) and tested with wget / attached pcap file:
>>  wget http://www.openinfosecfoundation.org/xyz.php
>>  2012-04-24 23:54:48 ERREUR 404: Not Found.
>>
>> 3a) results: Suricata v1.3git24apr: no alerts
>> 3b) results: Suricata v1.2.1 : fire/alert
>>
>> 4) OK, changed sig 44333222: $HTTP_PORTS  ->  80
>> -> results: all Suricata versions fire/alert
>>
>> 5) OK, another change on sig 44333221: removed 'file_data;
>> content:!"<script"; nocase; distance:0;'
>> -> results: all Suricata versions fire/alert
>>
>> 6) OK, another change on sig 44333222: commented out/disabled this sig
>> -> results: all Suricata versions fire/alert
>>
>> Checksum verification is disabled.
>> Snort always fires.
>> Suricata doesn't report any errors for sig 44333221 or 44333222!
>>
>> I'm curious whether someone can reproduce (3a) my FN, please? If yes, I'll open a new
>> redmine ticket.
>
> Can you open a new ticket?
>
> Thanks,
> Victor
>
> -- 
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
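A small regression check for the kind of false negative described in the quoted report, added here as an illustration and not part of the thread or of the Suricata project: it encodes what the two signatures above are expected to match on a given HTTP exchange (sid 44333221: status code 404 and a response body without "<script", case-insensitive; sid 44333222: a request body containing "abc"), parses the sids that actually fired out of a fast.log, and reports the difference. The fast.log line used for the self-check is constructed, and the `run_suricata` helper assumes the `-r`, `-S` and `-l` command-line options of a current Suricata build.

```python
import re
import subprocess
from pathlib import Path

# Alert lines in fast.log look like (constructed sample, classic format):
# 04/24/2012-23:54:48.123456  [**] [1:44333221:1] 404 [**] [Classification: ...] [Priority: 1] {TCP} 1.2.3.4:80 -> 5.6.7.8:54321
# The group of interest is the middle number of [gid:sid:rev].
FAST_LOG_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")

SID_404_NO_SCRIPT = 44333221   # alert on a 404 whose body has no "<script"
SID_REQ_BODY_ABC = 44333222    # alert on a request body containing "abc"


def fired_sids(fast_log_text):
    """Return the set of signature ids that produced at least one alert."""
    return {int(m.group(2)) for m in FAST_LOG_RE.finditer(fast_log_text)}


def expected_sids(status_code, response_body, request_body=""):
    """What the two rules from the report should match for one HTTP exchange.

    This mirrors the rule options by hand (http_stat_code, file_data with a
    negated nocase content match, file_data on the request side) so the
    expectation is independent of the engine under test.
    """
    sids = set()
    if status_code == 404 and "<script" not in response_body.lower():
        sids.add(SID_404_NO_SCRIPT)
    if "abc" in request_body.lower():
        sids.add(SID_REQ_BODY_ABC)
    return sids


def false_negatives(expected, fired):
    """Sids that should have alerted but did not (the FN from the report)."""
    return set(expected) - set(fired)


def run_suricata(pcap, rules, logdir, binary="suricata"):
    """Replay a pcap against an exclusive rule file and return the fired sids.

    Assumption: the binary accepts -r (pcap), -S (rules file, exclusive) and
    -l (log directory), as current Suricata releases do.
    """
    subprocess.run([binary, "-r", str(pcap), "-S", str(rules), "-l", str(logdir)],
                   check=True)
    return fired_sids(Path(logdir, "fast.log").read_text())


if __name__ == "__main__":
    # Constructed stand-in for the wget fetch of /xyz.php in the report:
    # a 404 with a plain HTML body and an empty GET request body.
    expected = expected_sids(404, "<html><body>Not Found</body></html>")
    sample_log = ("04/24/2012-23:54:48.123456  [**] [1:44333221:1] 404 [**] "
                  "[Classification: Attempted Administrator Privilege Gain] "
                  "[Priority: 1] {TCP} 1.2.3.4:80 -> 5.6.7.8:54321\n")
    print("expected:", sorted(expected))
    print("fired   :", sorted(fired_sids(sample_log)))
    print("missing :", sorted(false_negatives(expected, fired_sids(sample_log))))
    print("missing with empty log:", sorted(false_negatives(expected, set())))
```

To use it against a real capture, call `run_suricata(pcap, rules, logdir)` with the two signatures saved in a rules file and compare the result with `expected_sids(...)` for the exchange in the pcap; a non-empty `false_negatives` set is the condition the report describes for the 1.3 git build, while 1.2.1 yields an empty set.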


