[Oisf-devel] negative depth and offset:0 fire ?

rmkml rmkml at yahoo.fr
Sat Mar 9 22:10:00 UTC 2013


Hi,

I'm checking Suricata and I'm curious about this "special" sig:

alert tcp any any -> any any (msg:"test sid"; flow:to_server,established; content:"LIST"; depth:-4; offset:0; classtype:suspicious-login; sid:1; rev:1;)

and Suricata fires two times:

03/03/2013-11:55:26.337310  [**] [1:1:1] test sid [**] [Classification: An attempted login using a suspicious username was detected] [Priority: 2] {TCP} 192.168.1.2:58129 -> a.b.c.d:21
03/03/2013-11:55:34.881652  [**] [1:1:1] test sid [**] [Classification: An attempted login using a suspicious username was detected] [Priority: 2] {TCP} 192.168.1.2:58129 -> a.b.c.d:21

Ok, my pcap starts with "LIST", but a negative depth is not possible?

Regards
Rmkml
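An added example (not from the original post and not Suricata's own code): a minimal parser/validator for the content, offset and depth keywords of the rule quoted above, assuming the usual semantics that offset is the first payload byte searched and depth is the number of bytes searched from that offset. A strict validator rejects depth:-4 outright, while the corrected depth:4 matches only when "LIST" sits inside the first four bytes.

```python
import re

# Rule taken from the post above, and the same rule with the depth corrected.
PAGE_RULE = ('alert tcp any any -> any any (msg:"test sid"; flow:to_server,established; '
             'content:"LIST"; depth:-4; offset:0; classtype:suspicious-login; sid:1; rev:1;)')
FIXED_RULE = PAGE_RULE.replace("depth:-4", "depth:4")

# keyword, optional quoted or bare value, terminating ';' (escapes inside
# content are not handled; this is an assumption of the toy parser).
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("?)([^;"]*)\2)?\s*;')


def parse_options(rule):
    """Return (keyword, value) pairs from the rule body between the parentheses."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    return [(key, value) for key, _quote, value in OPTION_RE.findall(body)]


def content_spec(rule):
    """Extract content, offset and depth; raise ValueError if the combination is invalid."""
    opts = dict(parse_options(rule))
    content = opts["content"].encode()
    offset = int(opts.get("offset", 0))
    depth = int(opts["depth"]) if "depth" in opts else None
    if offset < 0:
        raise ValueError("offset must be >= 0")
    if depth is not None and depth < 0:
        raise ValueError("depth must be >= 0")
    if depth is not None and depth < len(content):
        raise ValueError("depth is smaller than the content length; the rule can never match")
    return content, offset, depth


def check_rule(rule):
    """None if the content/offset/depth options are sane, else the validation error."""
    try:
        content_spec(rule)
    except ValueError as err:
        return str(err)
    return None


def content_matches(rule, payload):
    """True if the content occurs inside the offset/depth window of the payload bytes."""
    content, offset, depth = content_spec(rule)
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return content in window
```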

