Negative within error - works in snort
Using a negative within is sometimes useful, but does not seem to work in Suricata. It does, however, work in Snort.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"negative within"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www."; distance:1; within:5; content:".com"; distance:8; within:4; content:"|55 04 0a|"; distance:0; byte_extract:1,1,size,relative; content:"|2e|"; distance:size; within:-1; classtype:trojan-activity; sid:444444; rev:1;)
Error in suricata 2.0.9:
11/11/2015 -- 15:15:45 - <Error> - [ERRCODE: SC_ERR_WITHIN_INVALID(106)] - within argument "-1" is less than the content length "1" which is invalid, since this will never match. Invalidating signature
Works fine in Snort. Attaching pcap.
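As an added illustration (not part of the bug report and not Suricata's own code), the following Python checker reproduces the validation behind the error above: it parses the content/within options of the rule and flags any literal within smaller than the byte length of the content it modifies. The rule text is copied from the report as sample input; the helper names are my own.

```python
import re

# Constructed copy of the rule from the bug report, used here as sample input.
RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"negative within"; '
    'flow:established,from_server; content:"|55 04 03|"; content:"|10|www."; '
    'distance:1; within:5; content:".com"; distance:8; within:4; '
    'content:"|55 04 0a|"; distance:0; byte_extract:1,1,size,relative; '
    'content:"|2e|"; distance:size; within:-1; classtype:trojan-activity; '
    'sid:444444; rev:1;)'
)

HEX_BLOCK = re.compile(r'\|([0-9A-Fa-f\s]+)\|')           # |55 04 03| style bytes
OPTION = re.compile(r'(\w+):("(?:[^"\\]|\\.)*"|[^;]*);')  # keyword:value; pairs

def content_length(pattern):
    """Byte length of a content string; |xx yy| hex blocks count one byte per pair."""
    total, pos = 0, 0
    for m in HEX_BLOCK.finditer(pattern):
        total += len(pattern[pos:m.start()].encode())  # literal text before the block
        total += len(m.group(1).split())               # hex pairs inside the block
        pos = m.end()
    return total + len(pattern[pos:].encode())

def split_options(rule):
    """Return (keyword, value) pairs from the rule body, quotes stripped."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    return [(k, v.strip('"')) for k, v in OPTION.findall(body)]

def check_within(rule):
    """Check behind SC_ERR_WITHIN_INVALID: a literal within must be at least the
    byte length of its content. Returns (content, within, length) per violation."""
    problems = []
    current = None
    for key, val in split_options(rule):
        if key == 'content':
            current = val
        elif key == 'within' and current is not None:
            if not re.fullmatch(r'-?\d+', val):
                continue  # within taken from a byte_extract variable; not a literal
            within = int(val)
            length = content_length(current)
            if within < length:
                problems.append((current, within, length))
    return problems

if __name__ == '__main__':
    for content, within, length in check_within(RULE):
        print(f'within:{within} is less than the {length}-byte content "{content}"')
```

Running it on the reported rule flags only the final `within:-1` against the one-byte content `|2e|`, which is exactly the option Suricata 2.0.9 rejects.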
Updated by Andreas Herz almost 4 years ago
- Status changed from New to Closed
Hi, we're closing this issue since there have been no further responses.
If you think this bug is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
(also, the user hasn't logged in for years now)