Project

General

Profile

Actions
Copy link

Bug #1136

closed

negated app-layer-protocol FP on multi-TX flows

Added by Victor Julien about 10 years ago. Updated about 10 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Victor Julien
Target version:
2.0.1rc1
Affected Versions:
Effort:
Difficulty:
Label:

Description

When a negated app-layer-protocol is inspected against a multi tx protocol, it FP's on new TX's.

A rule like:

alert udp .... (app-layer-protocol:!dns; ...)

will alert on DNS traffic, even though we properly detected the protocol.

Actions
Copy link
 #1

Updated by Victor Julien about 10 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100
Actions
Copy link

Also available in: Atom PDF