[Oisf-users] Issue with negated isdataat?

Harley H bobb.harley at gmail.com
Thu Apr 20 15:25:18 UTC 2017


Hello,
 I'm noticing a potential issue with a negated isdataat check. I'm testing
the following four rules against the pcap linked below:
alert tcp any any -> any any (msg: "It's Alive!!!"; content: "Here"; isdataat: !114; sid: 1102010; rev: 1;)
alert tcp any any -> any any (msg: "It's Alive!!!"; content: "Here"; isdataat: 114; sid: 1102011; rev: 1;)
alert tcp any any -> any any (msg: "It's Alive!!!"; content: "Here"; isdataat: !113; sid: 1102012; rev: 1;)
alert tcp any any -> any any (msg: "It's Alive!!!"; content: "Here"; isdataat: 113; sid: 1102013; rev: 1;)

The packet simply contains the following 114 byte string:
"Here is a 114 byte packet to test how a negated isdataat checks works in Suricata. Seems something may be amiss..."

I'd expect rules 1102010 and 1102013 to alert, and that is what happens in
Snort. In Suricata, only 1102012 and 1102013 cause an alert. I'm using
Suricata 3.2.1.

PCAP:
https://packettotal.com/cgi-bin/view-analysis.cgi?id=438c8f1a3041b5908a20bf3e7e8e3063

Has anyone else noticed this or am I misunderstanding something?

-Harley
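The following is an added example, not code from the post and not Suricata's or Snort's implementation. It is a small Python model of the rule semantics the post relies on, evaluated against the 114 byte payload quoted above. It assumes the documented reading of the keyword: isdataat:N is true when a byte exists at 0-based offset N (the payload is longer than N bytes), a leading "!" inverts the result, and "relative" counts N from the end of the previous content match. Only plain content (no modifiers) and isdataat are evaluated; other keywords such as msg and rev are ignored. Under those assumptions the model fires 1102010 and 1102013, the result the post expects. The model goes slightly beyond the four rules in that it also handles the relative form.

```python
import re

# Payload quoted in the post, rejoined onto one line: exactly 114 bytes.
PAYLOAD = (
    b"Here is a 114 byte packet to test how a negated isdataat checks works in "
    b"Suricata. Seems something may be amiss..."
)

# The four rules from the post, one per line.
RULES = """\
alert tcp any any -> any any (msg: "It's Alive!!!"; content: "Here"; isdataat: !114; sid: 1102010; rev: 1;)
alert tcp any any -> any any (msg: "It's Alive!!!"; content: "Here"; isdataat: 114; sid: 1102011; rev: 1;)
alert tcp any any -> any any (msg: "It's Alive!!!"; content: "Here"; isdataat: !113; sid: 1102012; rev: 1;)
alert tcp any any -> any any (msg: "It's Alive!!!"; content: "Here"; isdataat: 113; sid: 1102013; rev: 1;)
"""

# keyword: value;  (option values in these rules never contain ';')
OPTION_RE = re.compile(r"(\w+)\s*:\s*([^;]*);")
# optional '!', a number, optional ',relative'
ISDATAAT_RE = re.compile(r"^(!?)\s*(\d+)\s*(?:,\s*relative)?$")


def parse_options(rule):
    """Return the (keyword, value) pairs found inside the rule's parentheses."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    return [(k, v.strip()) for k, v in OPTION_RE.findall(body)]


def isdataat(payload, n, negated=False, relative=False, cursor=0):
    """Assumed isdataat semantics: True when a byte exists at 0-based offset n
    counted from the payload start (absolute) or from the end of the previous
    content match (relative). A leading '!' inverts the result."""
    base = cursor if relative else 0
    present = base + n < len(payload)
    return (not present) if negated else present


def rule_matches(rule, payload):
    """Evaluate content and isdataat options in order; other keywords are ignored."""
    cursor = 0  # end of the previous content match
    for key, value in parse_options(rule):
        if key == "content":
            needle = value.strip('"').encode()
            pos = payload.find(needle)
            if pos < 0:
                return False
            cursor = pos + len(needle)
        elif key == "isdataat":
            m = ISDATAAT_RE.match(value)
            if not m:
                raise ValueError(f"unsupported isdataat value: {value!r}")
            if not isdataat(payload, int(m.group(2)), negated=m.group(1) == "!",
                            relative="relative" in value, cursor=cursor):
                return False
    return True


def sid_of(rule):
    """The rule's sid as an integer."""
    return int(dict(parse_options(rule))["sid"])


def matching_sids(rules_text, payload):
    """SIDs of the rules that fire on the payload, in sorted order."""
    rules = [r for r in rules_text.splitlines() if r.strip()]
    return sorted(sid_of(r) for r in rules if rule_matches(r, payload))


if __name__ == "__main__":
    print(len(PAYLOAD), "bytes ->", matching_sids(RULES, PAYLOAD))
```

Running the script prints the SIDs the model expects to alert; comparing that list with the alerts an engine actually produces for the pcap is a quick way to see whether the negated and non-negated forms are being evaluated consistently for a given release.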