Project

General

Profile

Actions

Bug #1516

closed

ShellCode Rule does not get fired in Suricata but it does in Snort

Added by Guru Medidation over 9 years ago. Updated over 9 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

Rule: 2101390
Which looks for Shellcode signature "CCCCCCC"
Does not get fired with Suricata but it does with Snort. Even if I think it is a false positive I would have expected the rule to be fired with Suricata.

This is Suricata version 2.1dev (rev 834c366)

Attached is the PCAP that triggers the alert with Snort.

I also suspect teh following rule have the same problem: 2102314 and 2012252 . Also related to ShellCode
I have checked and those rules are not suppressed in my threshold.config or disabled.

Thanks,
Bugs.


Files

empty.test-file (10 Bytes) empty.test-file Peter Manev, 07/27/2015 03:49 AM
ShellCode.pcap (1.5 KB) ShellCode.pcap Pcap with Shellcode alert - 1 packet, enough to trigger in snort but doesnt with Suricata. Guru Medidation, 07/27/2015 04:08 AM
Actions

Also available in: Atom PDF