Project

General

Custom queries

Profile

Actions
Copy link

Bug #139

closed

new FN suricata with alert udp+content hexa+depth+offset

Added by rmkml rmkml almost 15 years ago. Updated almost 15 years ago.

Status:
Closed
Priority:
High
Assignee:
Gurvinder Singh
Target version:
0.9.0
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,
First, thx all for your work and open source support!
Im found a new FN with suricata v0.8.2 or today git.
ok look my simply signature/rule/filter:
alert udp any any -> any 53 (msg:"dns testing"; content:"|00 00|"; depth:5; offset:13; classtype:bad-unknown; sid:9436601; rev:1;)
Joigned a pcap not firing (warn: it's a udp packet modified on pcap for testing!).
If you remove "offset:13": suricata firing.
Regards
Rmkml

Files

Download all files
suricataudpdnsmodified2.pcap (118 Bytes) suricataudpdnsmodified2.pcap rmkml rmkml, 05/02/2010 02:18 PM
0001-fixed-the-depth-updation-when-content_len-is-small.patch (2.46 KB) 0001-fixed-the-depth-updation-when-content_len-is-small.patch Gurvinder Singh, 05/02/2010 11:23 PM
#1

Updated by Victor Julien almost 15 years ago

  • Due date set to 05/03/2010
  • Assignee set to OISF Dev
  • Priority changed from Normal to High
  • Target version set to 0.9.0
  • Estimated time set to 2.00 h
#2

Updated by Gurvinder Singh almost 15 years ago

#3

Updated by Victor Julien almost 15 years ago

  • Status changed from Resolved to Closed
  • % Done changed from 90 to 100
Actions
Copy link

Also available in: Atom PDF