[Oisf-devel] Suricata 4.1rc1 and rule compatibility question

jason taylor jtfas90 at gmail.com
Tue Jul 31 00:23:07 UTC 2018


Hi All,

We are doing some testing with 4.1rc1 and are seeing what appear to be
false positives on the following rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:]
(msg:"OS-WINDOWS DCERPC NCACN-IP-TCP srvsvc NetrpPathCanonicalize path
canonicalization stack overflow attempt"; flow:to_server,established;
dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:31,32;
dce_stub_data;
pcre:"/^(\x00\x00\x00\x00|.{4}(\x00\x00\x00\x00|.{12}))/s";
byte_jump:4,-4,multiplier 2,relative,align,dce;
pcre:"/\x00\.\x00\.\x00[\x2f\x5c]/R"; metadata:policy balanced-ips
drop, policy connectivity-ips drop, policy max-detect-ips drop, policy
security-ips drop, service netbios-ssn;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-067;
classtype:trojan-activity; sid:14782; rev:21;)

The traffic we are seeing the false positive against is HTTP traffic,
but it is firing this rule (pcap in tarball).

Is this rule just incompatible with suri or is there something else
amiss here?

We ran the sample pcap against 4.0.5 and do not see the false positive
alert.

We see the false positive alert against 4.1rc1 and the latest master
branch.

Let me know if additional details are needed.

TIA,

JT
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dcerpcmisfire.tar.gz
Type: application/x-compressed-tar
Size: 20525 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20180730/e51f9ca1/attachment-0001.bin>
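As an added example that is not part of JT's post and is not Suricata code, the following Python models only the stub-data part of sid 14782 (the anchored pcre, then byte_jump, then the relative pcre) over constructed NetrpPathCanonicalize-style stubs, so a reader can see what the rule body is supposed to require before suspecting the engine. It assumes the dce_iface and dce_opnum checks have already passed. The order in which byte_jump applies the multiplier and the 4-byte alignment, and the meaning of the dce byte-order flag, are my reading of the keyword documentation and are not verified against the engine source; the stubs are constructed here and are not taken from the pcap in the attachment.

```python
"""Offline emulation of the stub-data match chain of sid 14782.

Added example, not from the mailing-list post or the Suricata project.
Models: pcre (anchored) -> byte_jump:4,-4,multiplier 2,relative,align,dce
        -> pcre /R (relative).
Assumption: byte_jump multiplies first, then rounds the jump distance up to a
multiple of 4, which is also what NDR padding of a conformant varying string
needs. The "dce" flag is modelled as "use the PDU's byte order" (caller-supplied).
"""
import re
import struct

# First pcre of the rule, anchored at the start of the stub. It consumes either
# a null pointer (4 bytes), or a referent id followed by either a null dword
# (8 bytes total) or the 12-byte max_count/offset/actual_count header (16 total).
PCRE_PTR = re.compile(rb"^(\x00\x00\x00\x00|.{4}(\x00\x00\x00\x00|.{12}))", re.DOTALL)

# Second pcre, applied relative to where byte_jump lands: "..\" or "../" in
# UTF-16LE; the leading \x00 is the high byte of whatever character precedes.
PCRE_DOTDOT = re.compile(rb"\x00\.\x00\.\x00[\x2f\x5c]", re.DOTALL)


def byte_jump(buf, pos, *, nbytes=4, offset=-4, multiplier=2, align=4, little_endian=True):
    """Apply the rule's byte_jump at detection offset `pos`.

    Reads `nbytes` at pos+offset (the count the first pcre just consumed),
    multiplies by 2 (UTF-16 code units -> bytes), rounds the distance up to a
    4-byte boundary and jumps from the end of the bytes that were read.
    Returns the new detection offset, or None when the jump leaves the buffer.
    """
    start = pos + offset
    if start < 0 or start + nbytes > len(buf):
        return None
    (count,) = struct.unpack("<I" if little_endian else ">I", buf[start:start + nbytes])
    dist = count * multiplier
    if align and dist % align:
        dist += align - dist % align
    new_pos = start + nbytes + dist
    return new_pos if new_pos <= len(buf) else None


def sid14782_stub_matches(stub, little_endian=True):
    """True when the three-keyword chain of the rule matches this stub buffer."""
    m = PCRE_PTR.match(stub)
    if not m:
        return False
    pos = byte_jump(stub, m.end(), little_endian=little_endian)
    if pos is None:
        return False
    return PCRE_DOTDOT.search(stub, pos) is not None


def dotdot_anywhere(stub):
    """Contrast case: the second pcre alone, with no positional constraint."""
    return PCRE_DOTDOT.search(stub) is not None


# --- constructed NDR helpers (hypothetical encoder, not a full NDR marshaller) ---

def ndr_wstring(s, little_endian=True):
    """Conformant varying wchar_t string: max_count, offset, actual_count,
    UTF-16LE characters including the NUL, padded to a 4-byte boundary."""
    data = (s + "\x00").encode("utf-16-le")
    n = len(data) // 2
    e = "<" if little_endian else ">"
    body = struct.pack(e + "III", n, 0, n) + data
    return body + b"\x00" * (-len(body) % 4)


def canonicalize_stub(server, path, little_endian=True):
    """Constructed stub shaped like the first two NetrpPathCanonicalize
    parameters: [in, unique, string] server name, then [in, string] path.
    The remaining parameters are omitted; they are not needed for the chain."""
    e = "<" if little_endian else ">"
    if server is None:
        out = struct.pack(e + "I", 0)                      # null unique pointer
    else:
        out = struct.pack(e + "I", 0x00020000) + ndr_wstring(server, little_endian)
    return out + ndr_wstring(path, little_endian)


# Constructed samples (not from the attached pcap).
SAMPLES = {
    "traversal": canonicalize_stub("SRV", "\\\\SRV\\share\\..\\..\\x"),
    "null server": canonicalize_stub(None, "\\..\\..\\x"),
    "benign": canonicalize_stub("SRV", "\\\\SRV\\share\\dir\\file.txt"),
    "dots only in server": canonicalize_stub("..\\..\\", "\\\\SRV\\share\\dir"),
}

if __name__ == "__main__":
    for name, stub in SAMPLES.items():
        print(f"{name:22s} rule={sid14782_stub_matches(stub)!s:5s} "
              f"dotdot_anywhere={dotdot_anywhere(stub)}")
```

The "dots only in server" sample is the reason the rule jumps at all: the traversal bytes are present in the buffer, but byte_jump moves the detection pointer past the server-name string before the relative pcre runs, so the chain stays quiet. Feeding a big-endian stub to the chain with little-endian reading turns actual_count into a huge jump and the match fails, which is what the dce flag on byte_jump is there to prevent. Running this kind of emulation on the stub bytes of the HTTP flow separates "the rule logic matched these bytes" from "the engine handed the rule this buffer as stub data".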
