[Oisf-devel] request negate ip_proto cause FP on suricata 121

Peter Manev petermanev at gmail.com
Mon Jan 23 19:27:32 UTC 2012


Hi,
Yes, I can confirm that.
Would you please open a ticket on Redmine for that?

thanks


On Sun, Jan 22, 2012 at 1:27 PM, rmkml <rmkml at yahoo.fr> wrote:

> Hi,
> I'm testing the new Suricata v1.2.1 and I have a FP, please.
>
> OK, look at this very simple signature:
>  alert ip any any -> any any (msg:"test suricata negate ip_proto";
> ip_proto:!103; classtype:non-standard-protocol; sid:9215831; rev:1;)
>
> With the attached pcap file, Suricata fires: (no error on Suricata output)
>  11/18/2011-10:07:10.366672  [**] [1:9215831:1] test suricata negate
> ip_proto [**] [Classification: Detection of a non-standard protocol or
> event] [Priority: 2] {PIM} 172.28.127.254:0 -> 224.0.0.13:0
>
> Can anyone confirm, please? If yes, I'll open a new Redmine ticket.
> Of course, Snort does not fire.
> Regards
> Rmkml
>
> http://twitter.com/rmkml



-- 
Peter Manev
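
Added example, not part of the original thread and not Suricata's own code: a Python check that reads a rule's `ip_proto` option and flags `fast.log` alerts whose protocol the rule should have excluded. The function names, the protocol-name table and the second log line are constructed for illustration; the rule and the first alert are the ones quoted above, joined onto one line.

```python
import re

# IANA protocol numbers for the names used here (small constructed subset).
PROTO_NUM = {"ICMP": 1, "TCP": 6, "UDP": 17, "PIM": 103}

# Rule from the report, joined onto one line.
RULE = ('alert ip any any -> any any (msg:"test suricata negate ip_proto"; '
        'ip_proto:!103; classtype:non-standard-protocol; sid:9215831; rev:1;)')

FAST_LOG = [
    # Alert from the report, joined onto one line.
    '11/18/2011-10:07:10.366672  [**] [1:9215831:1] test suricata negate '
    'ip_proto [**] [Classification: Detection of a non-standard protocol or '
    'event] [Priority: 2] {PIM} 172.28.127.254:0 -> 224.0.0.13:0',
    # Constructed line: UDP is not protocol 103, so this alert is expected.
    '11/18/2011-10:07:11.000000  [**] [1:9215831:1] test suricata negate '
    'ip_proto [**] [Classification: Detection of a non-standard protocol or '
    'event] [Priority: 2] {UDP} 192.0.2.1:53 -> 192.0.2.2:5353',
]

ALERT_RE = re.compile(r"\[\d+:(\d+):\d+\].*\{(\w+)\}")

def proto_number(token):
    """Map a protocol name or decimal string to its number (None if unknown)."""
    return int(token) if token.isdigit() else PROTO_NUM.get(token.upper())

def parse_ip_proto(rule):
    """Return (operator, number) from the rule's ip_proto option."""
    m = re.search(r"ip_proto:\s*([!<>]?)\s*(\w+)\s*;", rule)
    if not m:
        raise ValueError("rule has no ip_proto option")
    return m.group(1) or "=", proto_number(m.group(2))

def ip_proto_matches(op, num, pkt_proto):
    """Expected result of the ip_proto test for a packet's protocol number."""
    return {"=": pkt_proto == num, "!": pkt_proto != num,
            "<": pkt_proto < num, ">": pkt_proto > num}[op]

def false_positives(rule, lines):
    """Alerts for the rule's sid whose protocol the rule should have excluded."""
    op, num = parse_ip_proto(rule)
    sid = re.search(r"sid:\s*(\d+)\s*;", rule).group(1)
    hits = []
    for line in lines:
        m = ALERT_RE.search(line)
        proto = proto_number(m.group(2)) if m and m.group(1) == sid else None
        if proto is not None and not ip_proto_matches(op, num, proto):
            hits.append(line)
    return hits
```

Run over the two sample lines, `false_positives(RULE, FAST_LOG)` returns only the PIM alert, which is the behaviour reported in this thread.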