Bug #1516
closed
ShellCode Rule does not get fired in Suricata but it does in Snort
Added by Guru Medidation almost 9 years ago.
Updated over 8 years ago.
Description
Rule: 2101390
Which looks for Shellcode signature "CCCCCCC"
Does not get fired with Suricata but it does with Snort. Even if I think it is a false positive I would have expected the rule to be fired with Suricata.
This is Suricata version 2.1dev (rev 834c366)
Attached is the PCAP that triggers the alert with Snort.
I also suspect teh following rule have the same problem: 2102314 and 2012252 . Also related to ShellCode
I have checked and those rules are not suppressed in my threshold.config or disabled.
Thanks,
Bugs.
Files
Ok, I clicked on CHOOSE FILES, selected my pcap. I can see it here and it has a tag of "internal sever".
I write this note... click submit.
Can you see it now?
Another attempt at uploading the pcap, this time using a different browser.
If this does not work... is the upload option broken?
off note - testing the upload file - it was reported to be some sort of a problem with that by the user.
off note - testing the upload file - please excuse me for the multiple updates.
off note - testing the upload file - please excuse me for the multiple updates.
Thanks to ebf0 on IRC, this is not an issue and can be closed.
Shellcode are not detected on port 80, that's the reason why it doesn't fire on Suricata, it is by designed and not an issue.
My bad!
This issue can be closed.
PS:
- grep SHELLCODE_PORTS /etc/suricata/suricata.yaml SHELLCODE_PORTS: "!80"
- Status changed from New to Closed
Also available in: Atom
PDF