Bug #1593
closedNegative within error - works in snort
Description
Using a negative within is sometimes useful, but does not seem to work in Suricata. It does work however in Snort.
signature:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"negative within"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www."; distance:1; within:5; content:".com"; distance:8; within:4; content:"|55 04 0a|"; distance:0; byte_extract:1,1,size,relative; content:"|2e|"; distance:size; within:-1; classtype:trojan-activity; sid:444444; rev:1;)
Error in suricata 2.0.9:
11/11/2015 -- 15:15:45 - <Error> - [ERRCODE: SC_ERR_WITHIN_INVALID(106)] - within argument "-1" is less than the content length "1" which is invalid, since this will never match. Invalidating signature
Works fine in Snort. Attaching pcap.
Files
Updated by Andreas Herz over 8 years ago
- Assignee set to OISF Dev
- Target version set to TBD
Updated by Victor Julien over 5 years ago
Does it really work or is the rule just silently accepted? Negative distance makes sense to me, negative within not so much.
Updated by Andreas Herz about 5 years ago
- Status changed from New to Closed
Hi, we're closing this issue since there have been no further responses.
If you think this bug is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs
(also the user didn't login for years now)