Project

General

Profile

Actions

Bug #1593

closed

Negative within error - works in snort

Added by Darien Huss about 9 years ago. Updated almost 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Using a negative within is sometimes useful, but does not seem to work in Suricata. It does work however in Snort.

signature:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"negative within"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www."; distance:1; within:5; content:".com"; distance:8; within:4; content:"|55 04 0a|"; distance:0; byte_extract:1,1,size,relative; content:"|2e|"; distance:size; within:-1; classtype:trojan-activity; sid:444444; rev:1;)

Error in suricata 2.0.9:
11/11/2015 -- 15:15:45 - <Error> - [ERRCODE: SC_ERR_WITHIN_INVALID(106)] - within argument "-1" is less than the content length "1" which is invalid, since this will never match. Invalidating signature

Works fine in Snort. Attaching pcap.


Files

gootkit_80.pcap (3.83 KB) gootkit_80.pcap Darien Huss, 11/11/2015 02:17 PM
gootkit_443.pcap (4.11 KB) gootkit_443.pcap Darien Huss, 11/11/2015 02:17 PM
Actions #1

Updated by Andreas Herz almost 9 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions #2

Updated by Victor Julien almost 6 years ago

Does it really work or is the rule just silently accepted? Negative distance makes sense to me, negative within not so much.

Actions #3

Updated by Andreas Herz almost 6 years ago

  • Status changed from New to Closed

Hi, we're closing this issue since there have been no further responses.
If you think this bug is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs

(also the user didn't login for years now)

Actions

Also available in: Atom PDF