[Oisf-devel] negative depth and offset:0 fire ?

Anoop Saldanha anoopsaldanha at gmail.com
Sun Mar 10 06:31:53 UTC 2013


On Sun, Mar 10, 2013 at 3:40 AM, rmkml <rmkml at yahoo.fr> wrote:
> Hi,
>
> I'm checking Suricata and I'm curious about this "special" sig:
>
> alert tcp any any -> any any (msg:"test sid"; flow:to_server,established;
> content:"LIST"; depth:-4; offset:0; classtype:suspicious-login; sid:1;
> rev:1;)
>
> and Suricata fires two times:
>
> 03/03/2013-11:55:26.337310  [**] [1:1:1] test sid [**] [Classification: An
> attempted login using a suspicious username was detected] [Priority: 2]
> {TCP} 192.168.1.2:58129 -> a.b.c.d:21
> 03/03/2013-11:55:34.881652  [**] [1:1:1] test sid [**] [Classification: An
> attempted login using a suspicious username was detected] [Priority: 2]
> {TCP} 192.168.1.2:58129 -> a.b.c.d:21
>
> OK, my pcap starts with "LIST", but negative depth is not possible?
>

Can you open a ticket?

-- 
Anoop Saldanha
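The point rmkml raises is that a rule loader should reject a negative depth (and an offset/depth combination that can never match) at parse time rather than silently loading the rule. The following is an added example written for this archive page, not Suricata's own rule parser or any code from the thread: a small Python rule-option parser that reassembles the rule quoted above, applies the checks a loader should make on content/offset/depth, and then matches a validated rule against constructed payloads using the usual Snort/Suricata window semantics (depth counted from offset). The helper names, the FIXED_RULE variant and the sample payloads are my own; what any particular Suricata version actually does with depth:-4 is not something this example claims to reproduce.

```python
import re

# The rule from the thread, reassembled on one line.
THREAD_RULE = ('alert tcp any any -> any any (msg:"test sid"; flow:to_server,established; '
               'content:"LIST"; depth:-4; offset:0; classtype:suspicious-login; sid:1; rev:1;)')

# Hypothetical corrected variant: depth equal to the content length.
FIXED_RULE = THREAD_RULE.replace('depth:-4;', 'depth:4;')


def split_options(rule):
    """Return the option section of a rule as a list of 'key:value' / 'key' strings,
    splitting on ';' only outside double quotes (backslash escapes are honoured)."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == '\\':
            cur.append(ch)
            escaped = True
        elif ch == ';' and not in_quote:
            tok = ''.join(cur).strip()
            if tok:
                opts.append(tok)
            cur = []
        else:
            if ch == '"':
                in_quote = not in_quote
            cur.append(ch)
    tok = ''.join(cur).strip()
    if tok:
        opts.append(tok)
    return opts


def decode_content(value):
    """Decode a content value such as LIST, |4c 49 53 54| or a mix of both into bytes.
    Negated content (!"...") and nocase are deliberately out of scope here."""
    out = bytearray()
    for i, part in enumerate(value.split('|')):
        if i % 2:                                   # inside |...|: hex bytes
            out += bytes.fromhex(part.replace(' ', ''))
        else:
            out += part.encode('latin-1')
    return bytes(out)


def parse_contents(rule):
    """Return [{content, offset, depth}, ...] in rule order.
    depth/offset attach to the most recent content keyword, as in Snort/Suricata.
    Relative modifiers (distance/within) are not handled in this example."""
    contents = []
    for opt in split_options(rule):
        key, _, value = opt.partition(':')
        key, value = key.strip(), value.strip()
        if key == 'content':
            if not (value.startswith('"') and value.endswith('"')):
                raise ValueError(f'content value must be quoted: {opt}')
            contents.append({'content': decode_content(value[1:-1]), 'offset': 0, 'depth': None})
        elif key in ('depth', 'offset'):
            if not contents:
                raise ValueError(f'{key} used before any content keyword')
            if not re.fullmatch(r'-?\d+', value):
                raise ValueError(f'{key} must be an integer, got {value!r}')
            contents[-1][key] = int(value)
    return contents


def validate_rule(rule):
    """Return a list of error strings; an empty list means the content modifiers are sane."""
    try:
        contents = parse_contents(rule)
    except ValueError as exc:
        return [str(exc)]
    errors = []
    for c in contents:
        n = len(c['content'])
        if c['offset'] < 0:
            errors.append(f'offset {c["offset"]} is negative')
        if c['depth'] is not None:
            if c['depth'] < 0:
                errors.append(f'depth {c["depth"]} is negative')
            elif c['depth'] < n:
                errors.append(f'depth {c["depth"]} is shorter than content ({n} bytes) and can never match')
    return errors


def content_matches(payload, content, offset=0, depth=None):
    """Search `content` inside payload[offset:offset+depth]; depth is counted from
    offset, and no depth means 'to the end of the payload'."""
    if offset < 0 or (depth is not None and depth < 0):
        raise ValueError('offset and depth must be non-negative')
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return content in window


def rule_matches(rule, payload):
    """Refuse to evaluate an invalid rule; otherwise every content must match in its window."""
    errors = validate_rule(rule)
    if errors:
        raise ValueError('; '.join(errors))
    return all(content_matches(payload, c['content'], c['offset'], c['depth'])
               for c in parse_contents(rule))


if __name__ == '__main__':
    # Constructed payloads: an FTP LIST command at the start, and the same command indented.
    print(validate_rule(THREAD_RULE))               # ['depth -4 is negative']
    print(validate_rule(FIXED_RULE))                # []
    print(rule_matches(FIXED_RULE, b'LIST /\r\n'))  # True
    print(rule_matches(FIXED_RULE, b'  LIST\r\n'))  # False: "LIST" is not within the first 4 bytes
```

The loader-side check is the part that matters for the thread: a rule with depth:-4 never reaches the matcher, so it cannot fire, and a depth shorter than the content is flagged as dead for the same reason. If Python's slice semantics were applied to the raw value instead (payload[0:-4] is "everything but the last four bytes"), a negative depth would silently change the meaning of the rule, which is exactly why it should be rejected up front.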
