[Oisf-users] upgrade to suricata 4.1.0 seeing false positives
Andreas Herz
andi at geekosphere.org
Tue Jan 8 20:41:47 UTC 2019
Hi Charles,
On 07/01/19 at 15:57, Charles Dillard wrote:
>
> In Suricata 4.1.0 we noticed that under certain conditions false
> positive alerts are firing that should not be. In short rules looking
> for HTTP packets are firing on ICMP data. It appears that the issue
> occurs on rules with http content modifiers where another rule in the
> ruleset uses an alert ip prefix and any content match. The packets
> must include an HTTP session followed by ICMP type packets (note that
> the rule should not match on the http session as the pcre does not
> match). I’ve also tested on suricata 4.1.2 and found that this issue
> is there as well. I’m not sure when the issue was introduced.
>
Could you reproduce it with an example pcap, or one that you can share
with us?
It might also be good to add this on our redmine tracker. With a pcap it's
easier for us to test and see if we can find the issue in detail.
Greetings
--
Andreas Herz
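A triage check for the symptom described in the report, added here as an example and not code from the thread or from the Suricata project: it collects the sids of rules that use HTTP content modifiers or sticky buffers, then scans EVE alert records for those sids firing on a non-TCP transport. The rules and eve.json lines are constructed sample data; the EVE field names (event_type, proto, alert.signature_id, src_ip, dest_ip) are the standard ones.

```python
import json
import re

# Constructed sample rules (not from the list post): sid 1 uses an HTTP content
# modifier plus a pcre, sid 2 is an "alert ip ... content" rule of the kind the
# report says coexists with it in the ruleset.
SAMPLE_RULES = r'''
alert http any any -> any any (msg:"HTTP UA check"; content:"curl"; http_user_agent; pcre:"/^curl\/7\.[0-9]+/V"; sid:1; rev:1;)
alert ip any any -> any any (msg:"any-proto content"; content:"abc"; sid:2; rev:1;)
'''

# Constructed eve.json records: sid 1 on a TCP flow (plausible) and on an ICMP
# packet (the mismatch the report describes), plus sid 2 on ICMP (legitimate for
# an "alert ip" rule) and a non-alert event that must be ignored.
SAMPLE_EVE = '''
{"event_type":"alert","proto":"TCP","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":1,"signature":"HTTP UA check"}}
{"event_type":"alert","proto":"ICMP","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":1,"signature":"HTTP UA check"}}
{"event_type":"alert","proto":"ICMP","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":2,"signature":"any-proto content"}}
{"event_type":"flow","proto":"TCP"}
'''

# http_* legacy modifiers (http_uri, http_user_agent, ...) and http.* sticky buffers.
HTTP_KEYWORD = re.compile(r'\b(http_[a-z_]+|http\.[a-z_.]+)\s*[;:]')
SID = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def http_rule_sids(rules_text):
    """Return the set of sids whose options use an HTTP modifier or sticky buffer."""
    sids = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SID.search(line)
        if m and HTTP_KEYWORD.search(line):
            sids.add(int(m.group(1)))
    return sids


def suspicious_alerts(eve_text, http_sids):
    """Alerts from HTTP-keyword rules whose transport is not TCP (HTTP runs over TCP only)."""
    hits = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        sid = ev["alert"]["signature_id"]
        if sid in http_sids and ev.get("proto") != "TCP":
            hits.append((sid, ev["proto"], ev["src_ip"], ev["dest_ip"]))
    return hits


if __name__ == "__main__":
    for hit in suspicious_alerts(SAMPLE_EVE, http_rule_sids(SAMPLE_RULES)):
        print("HTTP rule fired on non-TCP packet: sid=%d proto=%s %s -> %s" % hit)
```

Run it against your own rules file and eve.json to see whether any HTTP-keyword rule alerts on ICMP traffic; hits of that shape are what the report describes and are worth attaching to a tracker issue together with the pcap.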