[Oisf-devel] FP with byte_jump and content within on suricata v121
rmkml
rmkml at yahoo.fr
Tue Jan 31 22:47:12 UTC 2012
Thank you Anoop and Peter,
Opened redmine ticket #411.
Regards
Rmkml
On Thu, 26 Jan 2012, Anoop Saldanha wrote:
> On Thu, Jan 26, 2012 at 2:46 AM, rmkml <rmkml at yahoo.fr> wrote:
>> Hi,
>> Maybe I need to drink, but first, I'm submitting this FP with the attached SNMP pcap file
>> and this very simple signature:
>> alert udp any any -> any 161 (msg:"test snmp suricata"; byte_jump:1,6;
>> content:"|01|"; within:1; distance:3; classtype:attempted-recon;
>> sid:9110892; rev:1;)
>> Suricata v1.2.1 fires (it's wrong), but why??
>>
>> udp payload (on extracted pcap file):
>> 30 4D 02 01 00 04 06 p u b l i c A0 40 02 03 0A 01 9F
>> ...
>>
>> Of course, Snort does not fire. Another sig for Snort, this time on the same pcap:
>> alert udp any any -> any 161 (msg:"test snmp suricata"; byte_jump:1,6;
>> content:"|03|"; within:1; distance:3; classtype:attempted-recon;
>> sid:9110893; rev:1;)
>> Snort fires! (it's true)
>>
>> Can anyone test/confirm please? If yes, I'll open a new redmine ticket; if not, I'm going
>> to drink!
>> Happy detect.
>> Rmkml
>> _______________________________________________
>> Oisf-devel mailing list
>> Oisf-devel at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
> Hey rmkml,
>
> Yes, it's a bug in our within/distance handling. You can open a ticket.
>
> --
> Anoop Saldanha
>
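As an added reference (example code written for this page, not Suricata or Snort code), the following evaluator applies the documented Snort semantics of byte_jump, distance and within to the 20 payload bytes quoted in the thread: byte_jump:1,6 reads the community-string length byte and lands the cursor on the 0xA0 GetRequest tag, so distance:3 / within:1 restricts the content check to a single byte, which is 0x03 and not 0x01. It assumes the standard semantics (distance moves the search start past the cursor, within caps the bytes from that start to the end of the match); the expected results are the Snort results the reporter describes.

```python
# Added example: minimal evaluator for byte_jump + relative content
# (distance/within) following the documented Snort semantics, applied to
# the SNMP payload quoted in the thread.  Not Suricata or Snort code.

# Constructed from the 20 payload bytes shown in the post (the rest was elided):
# 30 4D 02 01 00 04 06 "public" A0 40 02 03 0A 01 9F
PAYLOAD = (bytes.fromhex("304d02010004") + bytes([0x06]) + b"public"
           + bytes.fromhex("a04002030a019f"))


def byte_jump(payload, num_bytes, offset, cursor=0, relative=False):
    """byte_jump:<num_bytes>,<offset>: read a big-endian integer of num_bytes
    at offset (from the cursor if relative) and move the cursor to just past
    the read bytes plus that value.  Returns the new cursor, or None when the
    read or the jump runs off the end of the payload."""
    start = cursor + offset if relative else offset
    end = start + num_bytes
    if start < 0 or end > len(payload):
        return None
    value = int.from_bytes(payload[start:end], "big")
    new_cursor = end + value
    return new_cursor if new_cursor <= len(payload) else None


def content_relative(payload, pattern, cursor, distance=0, within=None):
    """Relative content match: the pattern must start at least `distance`
    bytes after the cursor and, when `within` is given, end no more than
    `within` bytes after that start point.  Returns the end offset of the
    match, or None if the pattern does not occur inside the window."""
    window_start = cursor + distance
    window_end = len(payload) if within is None else window_start + within
    idx = payload.find(pattern, window_start, window_end)
    return None if idx < 0 else idx + len(pattern)


def rule_fires(payload, pattern):
    """Emulates: byte_jump:1,6; content:<pattern>; within:1; distance:3;"""
    cursor = byte_jump(payload, num_bytes=1, offset=6)
    if cursor is None:
        return False
    return content_relative(payload, pattern, cursor, distance=3, within=1) is not None


if __name__ == "__main__":
    # Expected: cursor 13 (the 0xA0 tag), "|03|" fires, "|01|" does not.
    print("cursor after byte_jump:1,6 ->", byte_jump(PAYLOAD, 1, 6))
    print("content |03| fires:", rule_fires(PAYLOAD, b"\x03"))
    print("content |01| fires:", rule_fires(PAYLOAD, b"\x01"))
```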