[Oisf-devel] FP with byte_jump and content within on suricata v121

rmkml rmkml at yahoo.fr
Wed Jan 25 21:16:32 UTC 2012


Hi,
Maybe I need a drink, but before that, I'm submitting this FP, with the SNMP pcap file attached and this very simple signature:
  alert udp any any -> any 161 (msg:"test snmp suricata"; byte_jump:1,6; content:"|01|"; within:1; distance:3; classtype:attempted-recon; sid:9110892; rev:1;)
Suricata v1.2.1 fires (it's wrong), but why?

udp payload (on extracted pcap file):
  30 4D 02 01 00 04 06 p u b l i c A0 40 02 03 0A 01 9F
  ...

Of course, Snort does not fire. Another sig, this time for Snort, on the same pcap:
  alert udp any any -> any 161 (msg:"test snmp suricata"; byte_jump:1,6; content:"|03|"; within:1; distance:3; classtype:attempted-recon; sid:9110893; rev:1;)
Snort fires! (it's true)

Can anyone test/confirm please? If yes, I'll open a new Redmine ticket; if not, I'm going for a drink!
Happy detect.
Rmkml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: exemple_snmp_fp_suricata.pcap
Type: application/octet-stream
Size: 161 bytes
Desc: 
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20120125/c51a2366/attachment.obj>
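The byte_jump / distance / within arithmetic behind the two rules above, worked through as an added example (not code from the post, Suricata or Snort). It assumes the Snort semantics of byte_jump (the jump is counted from the end of the bytes read, big-endian, absolute offset because the rule has no `relative` modifier) and uses only the 20 payload bytes quoted in the post, since the rest is elided.

```python
from typing import Optional

# The UDP payload bytes shown in the post (the trailing "..." is not included).
# Offsets: 0-6 header, 7-12 the community string "public", 13 = 0xA0, 16 = 0x03.
PAYLOAD = bytes.fromhex("304D0201000406") + b"public" + bytes.fromhex("A04002030A019F")


def byte_jump(payload: bytes, num_bytes: int, offset: int) -> Optional[int]:
    """Return the detection pointer after 'byte_jump:num_bytes,offset'.

    Reads num_bytes at the absolute offset, converts them big-endian (the
    default), and moves the pointer to just past the read bytes plus the value.
    Returns None when the read or the jump would leave the payload.
    """
    end = offset + num_bytes
    if end > len(payload):
        return None
    value = int.from_bytes(payload[offset:end], "big")
    new_ptr = end + value
    return new_ptr if new_ptr <= len(payload) else None


def content_relative(payload: bytes, pointer: int, needle: bytes,
                     distance: int, within: int) -> Optional[int]:
    """Return the offset where 'content:needle; distance:D; within:W' matches.

    The match must start at least D bytes past the pointer and end no later
    than D + W bytes past it, so the search window is payload[ptr+D : ptr+D+W].
    """
    lo = pointer + distance
    window = payload[lo:lo + within]
    idx = window.find(needle)
    return lo + idx if idx >= 0 else None


def rule_matches(payload: bytes, needle: bytes) -> bool:
    """Evaluate 'byte_jump:1,6; content:needle; within:1; distance:3'."""
    ptr = byte_jump(payload, 1, 6)          # byte at offset 6 is 0x06 -> pointer 13
    if ptr is None:
        return False
    return content_relative(payload, ptr, needle, 3, 1) is not None


if __name__ == "__main__":
    print("pointer after byte_jump:", byte_jump(PAYLOAD, 1, 6))      # 13
    print("sid 9110892 (|01|) matches:", rule_matches(PAYLOAD, b"\x01"))  # False
    print("sid 9110893 (|03|) matches:", rule_matches(PAYLOAD, b"\x03"))  # True
```

Under these semantics only the `|03|` rule should fire, which is what the post reports for Snort; a Suricata alert on `|01|` against this payload is the false positive being described.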

