Project

General

Profile

Actions
Copy link

Bug #1593

closed

Negative within error - works in snort

Added by Darien Huss about 9 years ago. Updated almost 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
Effort:
Difficulty:
Label:

Description

Using a negative within is sometimes useful, but does not seem to work in Suricata. It does work however in Snort.

signature:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"negative within"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www."; distance:1; within:5; content:".com"; distance:8; within:4; content:"|55 04 0a|"; distance:0; byte_extract:1,1,size,relative; content:"|2e|"; distance:size; within:-1; classtype:trojan-activity; sid:444444; rev:1;)

Error in suricata 2.0.9:
11/11/2015 -- 15:15:45 - <Error> - [ERRCODE: SC_ERR_WITHIN_INVALID(106)] - within argument "-1" is less than the content length "1" which is invalid, since this will never match. Invalidating signature

Works fine in Snort. Attaching pcap.

Files

Download all files
gootkit_80.pcap (3.83 KB) gootkit_80.pcap Darien Huss, 11/11/2015 02:17 PM
gootkit_443.pcap (4.11 KB) gootkit_443.pcap Darien Huss, 11/11/2015 02:17 PM
Actions
Copy link

Also available in: Atom PDF