[Oisf-devel] FP with byte_jump and content within on suricata v121

Anoop Saldanha poonaatsoc at gmail.com
Thu Jan 26 15:46:49 UTC 2012


On Thu, Jan 26, 2012 at 2:46 AM, rmkml <rmkml at yahoo.fr> wrote:
> Hi,
> Maybe I need to drink, but before that, I'm submitting this FP, with the attached snmp pcap file
> and this very simple signature:
>  alert udp any any -> any 161 (msg:"test snmp suricata"; byte_jump:1,6;
> content:"|01|"; within:1; distance:3; classtype:attempted-recon;
> sid:9110892; rev:1;)
> Suricata v1.2.1 fires (it's wrong), but why??
>
> udp payload (on extracted pcap file):
>  30 4D 02 01 00 04 06 p u b l i c A0 40 02 03 0A 01 9F
>  ...
>
> Of course, snort does not fire. Another sig for snort, this time on the same pcap:
>  alert udp any any -> any 161 (msg:"test snmp suricata"; byte_jump:1,6;
> content:"|03|"; within:1; distance:3; classtype:attempted-recon;
> sid:9110893; rev:1;)
> snort fires! (it's true)
>
> Could anyone test/confirm please? If yes, I'll open a new redmine ticket; if not, I'll go
> drink!
> Happy detect.
> Rmkml
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel

Hey rmkml,

Yes, it's a bug in our within/distance handling.  You can open a ticket.

-- 
Anoop Saldanha
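As an added illustration (not code from the thread or from Suricata/Snort), the following Python models the Snort-documented semantics of byte_jump followed by a relative content with distance and within, and applies them to the payload bytes quoted above. It shows that after byte_jump:1,6 the cursor sits at offset 13, so distance:3 and within:1 leave exactly one byte (offset 16, 0x03) to inspect; a correct engine therefore fires for "|03|" and not for "|01|". The helper names and the semantics model are my assumptions, and the payload is reconstructed from the 20 bytes shown in the report.

```python
# Payload reconstructed from the report's hex dump (first 20 bytes of the SNMP request; the
# trailing "..." is omitted, which does not affect the offsets inspected by the rule).
PAYLOAD = bytes.fromhex("304D0201000406") + b"public" + bytes.fromhex("A04002030A019F")


def byte_jump(payload, cursor, nbytes, offset, relative=False):
    """byte_jump:<nbytes>,<offset>: read nbytes at offset (absolute unless relative),
    interpret them as a big-endian unsigned integer, and move the cursor to just
    past the bytes read plus that value. Returns the new cursor, or None if the
    read or the jump would leave the payload."""
    start = (cursor if relative else 0) + offset
    if start < 0 or start + nbytes > len(payload):
        return None
    value = int.from_bytes(payload[start:start + nbytes], "big")
    new_cursor = start + nbytes + value
    return new_cursor if new_cursor <= len(payload) else None


def content_relative(payload, cursor, pattern, distance=0, within=None):
    """content:<pattern>; distance:D; within:W relative to cursor (Snort semantics):
    the match must start at or after cursor+D and end no later than cursor+D+W.
    Returns the match offset or None."""
    lo = cursor + distance
    hi = len(payload) if within is None else min(len(payload), lo + within)
    idx = payload.find(pattern, lo, hi)   # slice bound enforces the within window
    return None if idx == -1 else idx


def inspected_window(payload):
    """The bytes the report's rule is allowed to examine after byte_jump:1,6;
    distance:3; within:1. For the quoted payload this is the single byte 0x03."""
    cursor = byte_jump(payload, 0, 1, 6)
    if cursor is None:
        return b""
    return payload[cursor + 3:cursor + 3 + 1]


def rule_matches(payload, pattern):
    """Evaluate: byte_jump:1,6; content:<pattern>; within:1; distance:3."""
    cursor = byte_jump(payload, 0, 1, 6)
    if cursor is None:
        return False
    return content_relative(payload, cursor, pattern, distance=3, within=1) is not None


if __name__ == "__main__":
    print("cursor after byte_jump:", byte_jump(PAYLOAD, 0, 1, 6))        # 13
    print("window:", inspected_window(PAYLOAD).hex())                      # 03
    for pat in (b"\x01", b"\x03"):
        print(f'content:"|{pat.hex()}|" ->', rule_matches(PAYLOAD, pat))  # False, True
```

The byte 0x01 does occur in the payload (at offsets 3 and 18), which is why an engine that ignores the within window, as the reported Suricata 1.2.1 behaviour appears to, would still fire on the "|01|" variant.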


