[Oisf-devel] FN with suricata 121 and POP3 reply question
rmkml
rmkml at yahoo.fr
Mon Jan 23 21:08:13 UTC 2012
Thank you again Peter,
Opened redmine ticket #404.
Regards
Rmkml
On Mon, 23 Jan 2012, Peter Manev wrote:
> On Mon, Jan 23, 2012 at 12:36 AM, rmkml <rmkml at yahoo.fr> wrote:
> Hi,
> Suricata does not fire with this signature and the attached pcap file:
> alert tcp any 110 -> any any (msg:"pop3 suricata reply"; flow:to_client,established; content:"-ERR"; nocase; depth:4; offset:0; classtype:misc-attack; sid:9116511; rev:1;)
>
> but fires with this signature (only the depth changed):
> alert tcp any 110 -> any any (msg:"pop3 suricata reply"; flow:to_client,established; content:"-ERR"; nocase; depth:53; offset:0; classtype:misc-attack; sid:9116511; rev:1;)
>
> I'm curious why the first signature does not fire?
> If anyone confirms the FN, I'll open a new ticket on redmine.
> Of course, snort fires with both signatures.
> Regards
> Rmkml
>
> http://twitter.com/rmkml
>
>
> Hi,
>
> I can confirm that.
> Could you please open a ticket for that too.
> Some additional info:
>
> The packet in question is packet number 8 (if you open it with wireshark).
> If you read just that packet, with that rule -
>
> alert tcp any 110 -> any any (msg:"pop3 suricata reply"; content:"-ERR"; depth:4; offset:0; classtype:misc-attack; sid:9116511; rev:1;)
>
> flow:to_client,established; is missing, naturally, because we read only one pkt - it does fire.
> So it seems that somehow when it reads the whole stream it does not catch it.
>
> with the following rule and the whole pcap :
> alert tcp any 110 -> any any (msg:"pop3 suricata reply"; flow:to_client,established; content:"-ERR"; nocase; depth:54; offset:0; classtype:misc-attack; sid:9116511; rev:1;)
>
> it starts to fire an alert only when "depth" equals 53 and up.
>
>
> Thanks
>
> --
> Peter Manev
>
>
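An added illustration, not code from the thread: `content`/`offset`/`depth` are evaluated against whatever buffer the engine inspects, so a pattern at byte 0 of one packet payload can sit well past byte 4 of a reassembled to_client stream if earlier server output (the greeting) precedes it. The POP3 bytes below are constructed, sized so the error reply begins at offset 49 and the smallest working depth is 53, which is one explanation consistent with the numbers Peter reports.

```python
from typing import Optional

def content_match(buf: bytes, content: bytes, offset: int = 0,
                  depth: Optional[int] = None, nocase: bool = False) -> bool:
    """Emulate content/offset/depth: the pattern must lie entirely within
    the `depth` bytes that start `offset` bytes into the inspected buffer."""
    window = buf[offset:] if depth is None else buf[offset:offset + depth]
    if nocase:
        window, content = window.lower(), content.lower()
    return content in window

def min_depth(buf: bytes, content: bytes, offset: int = 0,
              nocase: bool = False) -> int:
    """Smallest depth that still lets the pattern match, or -1 if the
    pattern never occurs at or after `offset`."""
    hay, needle = (buf.lower(), content.lower()) if nocase else (buf, content)
    pos = hay.find(needle, offset)
    return -1 if pos < 0 else pos - offset + len(needle)

# Constructed POP3 server-to-client data: a 49-byte greeting followed by the
# error reply, so the reassembled stream has "-ERR" at byte offset 49.
GREETING = b"+OK POP3 server ready <constructed@example.org>\r\n"
ERR_REPLY = b"-ERR invalid user name or password\r\n"
STREAM = GREETING + ERR_REPLY

def single_packet_matches() -> bool:
    """Inspecting only the error-reply packet: depth:4 is enough."""
    return content_match(ERR_REPLY, b"-ERR", offset=0, depth=4, nocase=True)

def stream_matches(depth: int) -> bool:
    """Inspecting the reassembled to_client stream with the given depth."""
    return content_match(STREAM, b"-ERR", offset=0, depth=depth, nocase=True)

if __name__ == "__main__":
    print("lone packet, depth:4  ->", single_packet_matches())
    print("reassembled, depth:4  ->", stream_matches(4))
    print("reassembled, depth:53 ->", stream_matches(53))
    print("smallest depth that matches on the stream:",
          min_depth(STREAM, b"-ERR", nocase=True))
```

When a depth-bounded rule fires on a single extracted packet but not on the full pcap, compare the reassembled buffer against the packet payload before assuming an engine bug.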