Bug #139
closed
new FN suricata with alert udp+content hexa+depth+offset
Added by rmkml rmkml about 14 years ago.
Updated about 14 years ago.
Description
Hi,
First, thx all for your work and open source support!
Im found a new FN with suricata v0.8.2 or today git.
ok look my simply signature/rule/filter:
alert udp any any -> any 53 (msg:"dns testing"; content:"|00 00|"; depth:5; offset:13; classtype:bad-unknown; sid:9436601; rev:1;)
Joigned a pcap not firing (warn: it's a udp packet modified on pcap for testing!).
If you remove "offset:13": suricata firing.
Regards
Rmkml
Files
- Due date set to 05/03/2010
- Assignee set to OISF Dev
- Priority changed from Normal to High
- Target version set to 0.9.0
- Estimated time set to 2.00 h
The issue has been caused by incorrect calculation of depth value, when content length is smaller than original depth value and while updating it to reflect the offset.
- Status changed from Resolved to Closed
- % Done changed from 90 to 100
Patch applied, sig fires now: 01/09/07-12:50:04.220003 [**] [1:9436601:1] dns testing [**] [Classification: Potentially Bad Traffic] [Priority: 3] {17} 193.96.3.74:64213 -> 192.52.178.30:53
Thanks for the report Rmkml!
Also available in: Atom
PDF