Bug #134: suricata content+depth+offset pb (FalseNegative) - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #134

closed

suricata content+depth+offset pb (FalseNegative)

Added by rmkml rmkml about 14 years ago. Updated about 14 years ago.

Status:

Closed

Priority:

High

Assignee:

Gurvinder Singh

Target version:

0.9.0

Affected Versions:

Effort:

Difficulty:

Label:

Description

Hi,
I have downloaded latest suricata git version (v0.8.2 release have same pb), look my simply signature/rule:
alert tcp any any -> any 515 (msg:"detect IFS"; flow:to_server,established; content:"${IFS}"; depth:50; offset:0; classtype:attempted-dos; sid:900091; rev:1; )
Joigned pcap file (old lpd exploit) demonstrate the pb.
I have removed offset keyword on my signature/rule and alert firing!:
If anyone have a idea please?
Regards
Rmkml

Files

Download all files

exploit_hpux_lpd_exec.pcap (17.1 KB) exploit_hpux_lpd_exec.pcap		rmkml rmkml, 04/29/2010 08:02 AM
0001-fixed-the-incorrect-depth-update-incase-of-offset-is.patch (1.66 KB) 0001-fixed-the-incorrect-depth-update-incase-of-offset-is.patch		Gurvinder Singh, 05/02/2010 12:13 AM

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #134

suricata content+depth+offset pb (FalseNegative)

Updated by Victor Julien about 14 years ago

Updated by Gurvinder Singh about 14 years ago

Updated by Victor Julien about 14 years ago