[Oisf-users] upgrade to suricata 4.1.0 seeing false positives

Andreas Herz andi at geekosphere.org
Tue Jan 8 20:41:47 UTC 2019

Hi Charles,

On 07/01/19 at 15:57, Charles Dillard wrote:
> In Suricata 4.1.0 we noticed that under certain conditions false
> positive alerts are firing that should not be.  In short rules looking
> for HTTP packets are firing on ICMP data.   It appears that the issue
> occurs on rules with http content modifiers where another rule in the
> ruleset uses an alert ip prefix and any content match.  The packets
> must include an HTTP session followed by ICMP type packets (note that
> the rule should not match on the http session as the pcre does not
> match).  I've also tested on suricata 4.1.2 and found that this issue
> is there as well.  I’m not sure when the issue was introduced.

could you reproduce it with an example pcap or one that you can share
with us?

It might also be good to add this to our Redmine tracker. With a pcap it's
easier for us to test and see if we can find the issue in detail.


Andreas Herz
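While the reproducer pcap is being prepared, the symptom Charles describes can be checked for in existing logs: an alert whose rule carries http content modifiers (or is declared `alert http`) but which Suricata recorded on an ICMP packet. The script below is an added example written for this thread, not code from Suricata or from either poster. It reads the standard EVE JSON alert fields `event_type`, `proto` and `alert.signature_id`; the two-rule set mirroring the report (one `alert ip` rule with a plain content match, one rule with `http_uri` and a pcre) and the EVE records are constructed for illustration, and the sids and addresses in them are hypothetical.

```python
"""Triage check for the symptom reported above: alerts from HTTP rules
recorded on non-TCP (e.g. ICMP) packets. Added example, not Suricata code.
The ruleset and EVE JSON records below are constructed for illustration."""
import json
import re

# Constructed ruleset mirroring the report: one "alert ip" rule with a plain
# content match, one rule that uses an http_* modifier plus a pcre.
RULES = r'''
alert ip any any -> any any (msg:"IP any content"; content:"AAAA"; sid:1000001; rev:1;)
alert http any any -> any any (msg:"HTTP admin probe"; content:"/admin"; http_uri; pcre:"/\/admin\/[a-z]+\.php$/U"; sid:1000002; rev:1;)
'''

# Constructed EVE JSON records (trimmed to the fields used here). The second
# line is the kind of hit the report describes: an HTTP rule on an ICMP packet.
EVE_LINES = [
    '{"event_type":"alert","proto":"TCP","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","app_proto":"http","alert":{"signature_id":1000002,"signature":"HTTP admin probe"}}',
    '{"event_type":"alert","proto":"ICMP","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":1000002,"signature":"HTTP admin probe"}}',
    '{"event_type":"alert","proto":"ICMP","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":1000001,"signature":"IP any content"}}',
    '{"event_type":"flow","proto":"TCP","src_ip":"10.0.0.5","dest_ip":"10.0.0.9"}',
]

# action, protocol, then everything inside the outermost option parentheses
RULE_RE = re.compile(r'^\s*(?:alert|drop|pass|reject)\s+(\S+)\s+.*?\(\s*(.*)\)\s*$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
# legacy http_* modifiers and newer http.* sticky buffers
HTTP_KW_RE = re.compile(r'\b(http_\w+|http\.\w+)\s*[;:]')


def parse_rules(text):
    """Map sid -> {"proto", "needs_http"}. A rule needs HTTP when its
    protocol is http or its options carry an http_* / http.* keyword."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        proto, opts = m.group(1).lower(), m.group(2)
        sid_m = SID_RE.search(opts)
        if not sid_m:
            continue
        rules[int(sid_m.group(1))] = {
            "proto": proto,
            "needs_http": proto == "http" or bool(HTTP_KW_RE.search(opts)),
        }
    return rules


def find_proto_mismatches(eve_lines, rules):
    """Return (sid, proto) for alerts whose rule needs HTTP but whose packet
    is not TCP. Such hits are the false positives described in the thread."""
    hits = []
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        sid = ev["alert"]["signature_id"]
        rule = rules.get(sid)
        if rule and rule["needs_http"] and ev.get("proto", "").upper() != "TCP":
            hits.append((sid, ev["proto"]))
    return hits


if __name__ == "__main__":
    for sid, proto in find_proto_mismatches(EVE_LINES, parse_rules(RULES)):
        print(f"suspect alert: sid {sid} fired on {proto} packet")
```

Run against a real `eve.json` by replacing `EVE_LINES` with the file's lines and `RULES` with the loaded ruleset; any `(sid, "ICMP")` pair it returns is a candidate for the pcap to attach to the Redmine ticket. The `alert ip` rule with a content match is kept in the sample set deliberately, since the report ties the misfire to its presence.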
