[Oisf-devel] FN with suricata 121 and POP3 reply question

Peter Manev petermanev at gmail.com
Mon Jan 23 19:49:23 UTC 2012


On Mon, Jan 23, 2012 at 12:36 AM, rmkml <rmkml at yahoo.fr> wrote:

> Hi,
> Suricata does not fire with this signature and the attached pcap file:
>  alert tcp any 110 -> any any (msg:"pop3 suricata reply";
> flow:to_client,established; content:"-ERR"; nocase; depth:4; offset:0;
> classtype:misc-attack; sid:9116511; rev:1;)
>
> but fire with this signature: (only changed depth)
>  alert tcp any 110 -> any any (msg:"pop3 suricata reply";
> flow:to_client,established; content:"-ERR"; nocase; depth:53; offset:0;
> classtype:misc-attack; sid:9116511; rev:1;)
>
> I'm curious why the first signature does not fire?
> If anyone confirms the FN, I'll open a new ticket on redmine.
> Of course, Snort fires with both signatures.
> Regards
> Rmkml
>
> http://twitter.com/rmkml
Hi,

I can confirm that.
Could you please open a ticket for that too.
Some additional info:

The packet in question is packet number 8 (if you open it with Wireshark).
If you read just that packet, with this rule:

alert tcp any 110 -> any any (msg:"pop3 suricata reply"; content:"-ERR";
depth:4; offset:0; classtype:misc-attack; sid:9116511; rev:1;)

(flow:to_client,established; is missing, naturally, because we read only
one packet) it does fire.
So it seems that somehow when it reads the whole stream it does not catch
it.

With the following rule and the whole pcap:
alert tcp any 110 -> any any (msg:"pop3 suricata reply";
flow:to_client,established; content:"-ERR"; nocase; depth:54; offset:0;
classtype:misc-attack; sid:9116511; rev:1;)

it starts to fire an alert only when "depth" equals 53 and up.


Thanks

-- 
Peter Manev
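To see how a per-packet check and a stream-wide check can disagree on depth:4, here is an added Python illustration (not Suricata or Snort code, and not the thread's pcap): it applies Suricata's documented offset/depth window to a constructed POP3 server stream in which a 49-byte greeting precedes the -ERR reply, so the reply only falls inside the window once depth reaches 53. The greeting, the reply text and the assumption that the inspected buffer starts at the first byte of the server stream are constructed for illustration.

```python
from typing import Optional

# Suricata-style window semantics (assumed for this illustration): the
# inspected region starts at `offset` and is `depth` bytes long; depth:0
# means "to the end of the buffer". With offset:0, as in the rule above,
# this is the same window Snort inspects.
def content_match(buf: bytes, pattern: bytes, offset: int = 0,
                  depth: int = 0, nocase: bool = False) -> bool:
    window = buf[offset:offset + depth] if depth else buf[offset:]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window


def min_depth(buf: bytes, pattern: bytes, offset: int = 0,
              nocase: bool = False) -> Optional[int]:
    """Smallest depth value (for this offset) at which the content matches."""
    hay = buf[offset:]
    if nocase:
        hay, pattern = hay.lower(), pattern.lower()
    idx = hay.find(pattern)
    return None if idx < 0 else idx + len(pattern)


# Constructed POP3 server-to-client data; not taken from the reported pcap.
GREETING = b"+OK POP3 server ready <1327.0@mail.example.org>\r\n"  # 49 bytes
ERR_REPLY = b"-ERR [AUTH] Authentication failed.\r\n"

# Two candidate inspection buffers for the same -ERR packet:
PACKET_PAYLOAD = ERR_REPLY             # only the payload of the -ERR packet
STREAM_BUFFER = GREETING + ERR_REPLY   # server stream reassembled from byte 0


def rule_fires(buf: bytes, depth: int) -> bool:
    """content:"-ERR"; nocase; offset:0; depth:<depth>; applied to buf."""
    return content_match(buf, b"-ERR", offset=0, depth=depth, nocase=True)


if __name__ == "__main__":
    for name, buf in (("packet", PACKET_PAYLOAD), ("stream", STREAM_BUFFER)):
        print(f"{name:7s} depth:4  -> {rule_fires(buf, 4)}")
        print(f"{name:7s} depth:53 -> {rule_fires(buf, 53)}")
        print(f"{name:7s} minimum matching depth: "
              f"{min_depth(buf, b'-ERR', nocase=True)}")
```

With the constructed data the packet-only buffer matches at depth:4 while the reassembled buffer needs depth:53, which is the pattern reported above.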