[Oisf-devel] FN with suricata 121 and POP3 reply question

rmkml rmkml at yahoo.fr
Sun Jan 22 23:36:08 UTC 2012


Hi,
Suricata does not fire with this signature and the attached pcap file:
  alert tcp any 110 -> any any (msg:"pop3 suricata reply"; flow:to_client,established; content:"-ERR"; nocase; depth:4; offset:0; classtype:misc-attack; sid:9116511; rev:1;)

but fires with this signature (only the depth changed):
  alert tcp any 110 -> any any (msg:"pop3 suricata reply"; flow:to_client,established; content:"-ERR"; nocase; depth:53; offset:0; classtype:misc-attack; sid:9116511; rev:1;)

I'm curious why the first signature does not fire?
If anyone confirms the FN, I'll open a new ticket on Redmine.
Of course, Snort fires with both signatures.
Regards
Rmkml

http://twitter.com/rmkml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: exemple_pop3_reply_suricata.pcap
Type: application/octet-stream
Size: 1101 bytes
Desc: 
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20120123/407c4a0c/attachment.obj>

