[Oisf-devel] request negate ip_proto cause FP on suricata 121

rmkml rmkml at yahoo.fr
Mon Jan 23 20:58:31 UTC 2012


Thank you Peter,
Opened ticket #403 for this.
Regards
Rmkml


On Mon, 23 Jan 2012, Peter Manev wrote:

> Hi,
> Yes, I can confirm that.
> Would you please open a ticket on redmine for that?
> 
> thanks
> 
> 
> On Sun, Jan 22, 2012 at 1:27 PM, rmkml <rmkml at yahoo.fr> wrote:
>       Hi,
>       I'm testing the new suricata v1.2.1 and I have an FP, please.
>
>       OK, look at this very simple signature:
>        alert ip any any -> any any (msg:"test suricata negate ip_proto"; ip_proto:!103; classtype:non-standard-protocol; sid:9215831; rev:1;)
>
>       With the attached pcap file, suricata fires: (no error on suricata output)
>        11/18/2011-10:07:10.366672  [**] [1:9215831:1] test suricata negate ip_proto [**] [Classification: Detection of a non-standard protocol or event] [Priority: 2] {PIM} 172.28.127.254:0 -> 224.0.0.13:0
>
>       Can anyone confirm, please? If yes, I'll open a new redmine ticket.
>       Of course, snort does not fire.
>       Regards
>       Rmkml
>
>       http://twitter.com/rmkml
>       _______________________________________________
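
The behaviour the report expects from the negated keyword, as an added example that is not part of the original thread and not Suricata's own code: it evaluates ip_proto against the protocol shown in each alert line and flags alerts the rule should not have produced. The function names, the protocol table and the second log line are assumptions made for the example, and it also covers the keyword's `<` and `>` operators, which the report does not use.

```python
import operator
import re

# Subset of IANA protocol numbers, keyed by the name shown in the alert line.
PROTO_NUMBERS = {"ICMP": 1, "IGMP": 2, "TCP": 6, "UDP": 17, "GRE": 47, "PIM": 103}
# Expected semantics: '' equal, '!' not equal, '<' and '>' numeric comparison.
OPS = {"": operator.eq, "!": operator.ne, "<": operator.lt, ">": operator.gt}
IP_PROTO_OPT = re.compile(r"\bip_proto\s*:\s*([!<>]?)\s*([A-Za-z0-9_-]+)\s*;")
SID_OPT = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
ALERT_LINE = re.compile(r"\[\*\*\] \[\d+:(\d+):\d+\] .*\{([^}]+)\} ")

RULE = ('alert ip any any -> any any (msg:"test suricata negate ip_proto"; '
        'ip_proto:!103; classtype:non-standard-protocol; sid:9215831; rev:1;)')
SAMPLE_LOG = [
    # Alert line quoted in the report.
    '11/18/2011-10:07:10.366672  [**] [1:9215831:1] test suricata negate ip_proto [**] '
    '[Classification: Detection of a non-standard protocol or event] [Priority: 2] '
    '{PIM} 172.28.127.254:0 -> 224.0.0.13:0',
    # Constructed line: a TCP packet, which ip_proto:!103 is expected to match.
    '11/18/2011-10:07:11.000000  [**] [1:9215831:1] test suricata negate ip_proto [**] '
    '[Classification: Detection of a non-standard protocol or event] [Priority: 2] '
    '{TCP} 192.0.2.10:40000 -> 192.0.2.20:80',
]

def parse_rule(rule):
    """Return (sid, operator, protocol number) for a rule with one ip_proto option."""
    op, value = IP_PROTO_OPT.search(rule).groups()
    number = int(value) if value.isdigit() else PROTO_NUMBERS[value.upper()]
    return int(SID_OPT.search(rule).group(1)), op, number

def ip_proto_matches(op, wanted, packet_proto):
    """True when a packet with protocol number packet_proto satisfies the option."""
    return OPS[op](packet_proto, wanted)

def false_positives(rule, log_lines):
    """Return alert lines for the rule's sid whose protocol the rule should not match."""
    sid, op, wanted = parse_rule(rule)
    flagged = []
    for line in log_lines:
        m = ALERT_LINE.search(line)
        if not m or int(m.group(1)) != sid or m.group(2) not in PROTO_NUMBERS:
            continue  # other rule, unparsable line, or protocol name outside the table
        if not ip_proto_matches(op, wanted, PROTO_NUMBERS[m.group(2)]):
            flagged.append(line)
    return flagged

if __name__ == "__main__":
    for line in false_positives(RULE, SAMPLE_LOG):
        print("unexpected alert:", line)
```

Run against the two sample lines, only the {PIM} alert is flagged, which is the false positive described in the report.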

