Bug #1516

closed

ShellCode Rule does not get fired in Suricata but it does in Snort

Added by Guru Medidation over 8 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

Rule: 2101390
Which looks for Shellcode signature "CCCCCCC"
Does not get fired with Suricata but it does with Snort. Even if I think it is a false positive, I would have expected the rule to be fired with Suricata.

This is Suricata version 2.1dev (rev 834c366)

Attached is the PCAP that triggers the alert with Snort.

I also suspect the following rules have the same problem: 2102314 and 2012252. Also related to ShellCode.
I have checked and those rules are not suppressed in my threshold.config or disabled.

Thanks,
Bugs.


Files

empty.test-file (10 Bytes) empty.test-file Peter Manev, 07/27/2015 03:49 AM
ShellCode.pcap (1.5 KB) ShellCode.pcap Pcap with Shellcode alert - 1 packet, enough to trigger in Snort but doesn't with Suricata. Guru Medidation, 07/27/2015 04:08 AM
Actions #1

Updated by Peter Manev over 8 years ago

I don't see the pcap :)

Actions #2

Updated by Guru Medidation over 8 years ago

Ok, I clicked on CHOOSE FILES, selected my pcap. I can see it here and it has a tag of "internal server".
I write this note... click submit.
Can you see it now?

Actions #3

Updated by Guru Medidation over 8 years ago

Another attempt at uploading the pcap, this time using a different browser.
If this does not work... is the upload option broken?

Actions #4

Updated by Peter Manev over 8 years ago

off note - testing the upload file - it was reported to be some sort of a problem with that by the user.

Actions #5

Updated by Peter Manev over 8 years ago

off note - testing the upload file - please excuse me for the multiple updates.

Actions #6

Updated by Peter Manev over 8 years ago

off note - testing the upload file - please excuse me for the multiple updates.

Actions #8

Updated by Guru Medidation over 8 years ago

Thanks to ebf0 on IRC, this is not an issue and can be closed.
Shellcode is not detected on port 80; that's the reason why it doesn't fire on Suricata. It is by design and not an issue.
My bad!

This issue can be closed.

PS:
  grep SHELLCODE_PORTS /etc/suricata/suricata.yaml
  SHELLCODE_PORTS: "!80"
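Added illustration of the point made in the comment above (this is not code from the ticket, from the reporter, or from Suricata itself): the shellcode rules take their port from the $SHELLCODE_PORTS variable, and a value of "!80" means "every port except 80", so a packet on port 80 never reaches the content match. The snippet below re-implements the Suricata port-expression semantics in simplified form (single port, ranges, "any", negation, $VAR references, and lists where negated entries are subtracted) and runs it against a constructed port-groups block whose only value taken from the ticket is SHELLCODE_PORTS: "!80"; the rest of the sample values are assumed. It also shows what changes if an analyst overrides the variable to "any" in their own suricata.yaml.

```python
import re

# Constructed excerpt of a suricata.yaml vars/port-groups block (illustrative values;
# only SHELLCODE_PORTS: "!80" reflects what the reporter's grep showed).
SAMPLE_VARS = """
vars:
  port-groups:
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
"""


def load_port_groups(text):
    """Pull NAME: value pairs out of the port-groups block (minimal line parser, no PyYAML)."""
    groups = {}
    for m in re.finditer(r'^\s+([A-Z0-9_]+_PORTS):\s*"?([^"\n]+?)"?\s*$', text, re.M):
        groups[m.group(1)] = m.group(2).strip()
    return groups


def _split_top_level(s):
    """Split a bracketed list on commas that are not nested inside inner brackets."""
    parts, cur, depth = [], [], 0
    for ch in s:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def port_matches(expr, port, groups=None):
    """True if `port` is covered by a Suricata-style port expression.

    Supported: single port, range (lo:hi, lo:, :hi), "any", negation (!x),
    variable reference ($NAME), and bracketed lists in which negated entries
    are subtracted from the positive ones (e.g. [80:100,!99]). Simplified
    re-implementation for illustration, not Suricata's own parser.
    """
    groups = groups or {}
    expr = expr.strip()
    if expr.lower() == "any":
        return True
    if expr.startswith("!"):
        return not port_matches(expr[1:], port, groups)
    if expr.startswith("$"):
        return port_matches(groups[expr[1:]], port, groups)
    if expr.startswith("[") and expr.endswith("]"):
        items = _split_top_level(expr[1:-1])
        positives = [i for i in items if not i.startswith("!")]
        negatives = [i[1:] for i in items if i.startswith("!")]
        # A list containing only negated entries means "everything except those".
        in_positive = not positives or any(port_matches(p, port, groups) for p in positives)
        in_negative = any(port_matches(n, port, groups) for n in negatives)
        return in_positive and not in_negative
    if ":" in expr:
        lo, _, hi = expr.partition(":")
        return (int(lo) if lo.strip() else 0) <= port <= (int(hi) if hi.strip() else 65535)
    return int(expr) == port


def explain_shellcode_rule(groups, port):
    """Say whether a rule whose header uses $SHELLCODE_PORTS would even look at this port."""
    covered = port_matches("$SHELLCODE_PORTS", port, groups)
    verdict = "can fire" if covered else "is skipped by the port check"
    return covered, f"SHELLCODE_PORTS={groups['SHELLCODE_PORTS']!r}: a shellcode rule on port {port} {verdict}"


if __name__ == "__main__":
    groups = load_port_groups(SAMPLE_VARS)
    for p in (80, 8080, 445):
        print(explain_shellcode_rule(groups, p)[1])
    # Overriding the variable to "any" in a local suricata.yaml is the configuration change
    # that makes these rules inspect HTTP traffic as well, at the cost of more noise.
    widened = dict(groups, SHELLCODE_PORTS="any")
    print(explain_shellcode_rule(widened, 80)[1])
```

Running it prints that port 80 is skipped while 8080 and 445 can fire, which is exactly the behaviour described in the comment; the same matcher can be pointed at the variable names your own rules use to check which ports a signature actually covers before filing a false-negative report.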
Actions #9

Updated by Peter Manev over 8 years ago

  • Status changed from New to Closed