[Oisf-devel] request negate ip_proto cause FP on suricata 121

rmkml rmkml at yahoo.fr
Sun Jan 22 12:27:26 UTC 2012


Hi,
I'm testing the new Suricata v1.2.1 and I have a FP, please.

OK, look at this very simple signature:
  alert ip any any -> any any (msg:"test suricata negate ip_proto"; ip_proto:!103; classtype:non-standard-protocol; sid:9215831; rev:1;)

With the attached pcap file, Suricata fires (no error on Suricata output):
  11/18/2011-10:07:10.366672  [**] [1:9215831:1] test suricata negate ip_proto [**] [Classification: Detection of a non-standard protocol or event] [Priority: 2] {PIM} 172.28.127.254:0 -> 224.0.0.13:0

Can anyone confirm, please? If yes, I'll open a new Redmine ticket.
Of course, Snort does not fire.
Regards
Rmkml

http://twitter.com/rmkml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: exemple_pim_multicast_suricata.pcap
Type: application/octet-stream
Size: 108 bytes
Desc: 
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20120122/6b92a580/attachment.obj>
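As an added example that is not part of this post or of Suricata's code, the following Python models the intended semantics of the ip_proto keyword ([!<>] followed by a number or name) and evaluates the reported rule against a constructed IPv4 header mirroring the PIM packet in the alert (172.28.127.254 -> 224.0.0.13, protocol 103). The protocol-name table is a constructed subset, and the rule parsing only looks at the ip_proto option.

```python
import re
import struct

# Constructed subset of protocol names; Suricata resolves names through
# the system protocol table, this dict only keeps the example offline.
PROTO_NAMES = {"icmp": 1, "tcp": 6, "udp": 17, "pim": 103}

def parse_ip_proto(spec):
    """Parse a Suricata ip_proto value: [!<>]<number or name>."""
    spec = spec.strip()
    op = "="
    if spec[:1] in ("!", "<", ">"):
        op, spec = spec[0], spec[1:].strip()
    proto = int(spec) if spec.isdigit() else PROTO_NAMES[spec.lower()]
    if not 0 <= proto <= 255:
        raise ValueError("IP protocol number out of range: %d" % proto)
    return op, proto

def ip_proto_matches(spec, pkt_proto):
    """Evaluate one ip_proto keyword against a packet's protocol number."""
    op, proto = parse_ip_proto(spec)
    if op == "=":
        return pkt_proto == proto
    if op == "!":
        return pkt_proto != proto
    return pkt_proto < proto if op == "<" else pkt_proto > proto

def ip_proto_from_rule(rule):
    """Pull the ip_proto option out of a rule body; None if absent."""
    m = re.search(r"ip_proto\s*:\s*([^;]+);", rule)
    return m.group(1) if m else None

def ipv4_protocol(packet):
    """Return the Protocol field (byte offset 9) of an IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return packet[9]

def build_ipv4_header(src, dst, proto):
    """Constructed minimal IPv4 header: no options, no payload, zero checksum."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 1, proto, 0,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split(".")))

RULE = ('alert ip any any -> any any (msg:"test suricata negate ip_proto"; '
        'ip_proto:!103; classtype:non-standard-protocol; sid:9215831; rev:1;)')
# Constructed stand-in for the PIM packet from the pcap in the report.
PIM_PACKET = build_ipv4_header("172.28.127.254", "224.0.0.13", 103)

def rule_fires_on(rule, packet):
    """True if the rule's ip_proto test matches (other options are ignored)."""
    spec = ip_proto_from_rule(rule)
    return spec is None or ip_proto_matches(spec, ipv4_protocol(packet))

if __name__ == "__main__":
    print("fires on PIM:", rule_fires_on(RULE, PIM_PACKET))  # expected: False
```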

