Project

General

Profile

Actions
Copy link

Bug #139

closed
RR GS

new FN suricata with alert udp+content hexa+depth+offset

Bug #139: new FN suricata with alert udp+content hexa+depth+offset

Added by rmkml rmkml almost 16 years ago. Updated almost 16 years ago.

Status:
Closed
Priority:
High
Assignee:
Gurvinder Singh
Target version:
0.9.0
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,
First, thx all for your work and open source support!
Im found a new FN with suricata v0.8.2 or today git.
ok look my simply signature/rule/filter:
alert udp any any -> any 53 (msg:"dns testing"; content:"|00 00|"; depth:5; offset:13; classtype:bad-unknown; sid:9436601; rev:1;)
Joigned a pcap not firing (warn: it's a udp packet modified on pcap for testing!).
If you remove "offset:13": suricata firing.
Regards
Rmkml

Files

Download all files
suricataudpdnsmodified2.pcap (118 Bytes) suricataudpdnsmodified2.pcap rmkml rmkml, 05/02/2010 02:18 PM
0001-fixed-the-depth-updation-when-content_len-is-small.patch (2.46 KB) 0001-fixed-the-depth-updation-when-content_len-is-small.patch Gurvinder Singh, 05/02/2010 11:23 PM
Actions
Copy link

Also available in: PDF Atom