Bug #134
Closed
suricata content+depth+offset pb (FalseNegative)
Description
Hi,
I have downloaded the latest Suricata git version (the v0.8.2 release has the same problem). Look at my simple signature/rule:
alert tcp any any -> any 515 (msg:"detect IFS"; flow:to_server,established; content:"${IFS}"; depth:50; offset:0; classtype:attempted-dos; sid:900091; rev:1; )
The attached pcap file (old lpd exploit) demonstrates the problem.
I have removed the offset keyword from my signature/rule and the alert fires!:
Does anyone have an idea, please?
Regards
Rmkml
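
An added reference model (not Suricata's code and not part of the original report) of the search window that `offset` and `depth` define, showing that `offset:0` should give the same verdict as omitting `offset` for the rule above. It assumes the documented keyword semantics (the search starts at `offset` and covers `depth` bytes from there); the payload and all function names are constructed for illustration.

```python
import re

# Rule text copied from the report above.
RULE = ('alert tcp any any -> any 515 (msg:"detect IFS"; flow:to_server,established; '
        'content:"${IFS}"; depth:50; offset:0; classtype:attempted-dos; sid:900091; rev:1; )')

# Constructed payload for illustration; not taken from the attached pcap.
SAMPLE = b"\x02queue${IFS}constructed-sample\n"


def parse_content_opts(rule):
    """Return (content, offset, depth) from a rule with one plain-text content.

    Hypothetical helper: it does not handle |hex| notation or several contents.
    """
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = {}
    for m in re.finditer(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);', body):
        opts[m.group(1)] = m.group(2).strip().strip('"')
    return (opts["content"].encode(),
            int(opts["offset"]) if "offset" in opts else None,
            int(opts["depth"]) if "depth" in opts else None)


def window(payload_len, offset, depth):
    """Byte range [start, end) in which the whole content must lie."""
    start = offset or 0                      # a missing offset means start at byte 0
    end = payload_len if depth is None else min(payload_len, start + depth)
    return start, end


def content_matches(payload, content, offset=None, depth=None):
    start, end = window(len(payload), offset, depth)
    # bytes.find only reports a hit that fits entirely inside [start, end).
    return payload.find(content, start, end) != -1


def offset_zero_is_noop(rule, payload):
    """Verdicts for the rule as written and with the offset keyword dropped."""
    content, offset, depth = parse_content_opts(rule)
    return (content_matches(payload, content, offset, depth),
            content_matches(payload, content, None, depth))


if __name__ == "__main__":
    print(offset_zero_is_noop(RULE, SAMPLE))
```

The two verdicts differing for any payload is the false negative described in this report, so the pair makes a compact regression check when comparing engine versions.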