Bug #164

small problem (FN) on Suricata with content and offset+depth

Added by rmkml rmkml about 6 years ago. Updated about 6 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Start date: 05/21/2010
Due date:
% Done: 0%


Description

Hi,
I have a small problem with this sig and the attached (dns/udp) pcap file: no alert fires:
alert udp any 53 -> any any (msg:"suricata test dns reply"; content:"|00 00 00|"; offset:3; depth:4; classtype:bad-unknown; sid:9199437; rev:1;)
Simplified tcpdump hex output (of the attached pcap file):
0x0000: 4500 0028 0000 4000 3411 5152 c202 2809
0x0010: 0a32 0136 0035 e6e6 0014 1a16 6098 a888
0x0020: 0000 0000 0000 0000 0000 0000 0000
OK, the UDP payload starts at 0x1c; in my sig, offset:3 starts at 0x1f, but depth:4 allows me 0x1f:88 + 0x20:00 + 0x21:00 + 0x22:00.
Tested on Suricata v0.9.0 and git as of 20 May 2010 (b629b7c5c1e2ad6c91b97b6708ad9ddc6a674502).
And of course, this sig works:
alert udp any 53 -> any any (msg:"suricata test dns reply"; content:"|00 00 00|"; offset:4; depth:3; classtype:bad-unknown; sid:9199437; rev:1;)
Regards
Rmkml

suricatafndnsudpreplyzeroquestion.pcap (102 Bytes) rmkml rmkml, 05/21/2010 10:41 AM
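The following is an added example, not Suricata's code and not part of the original report: it rebuilds the packet from the hex dump quoted above, extracts the UDP payload bounded by the IP total length and the UDP length (the dump shows 46 bytes but the IP total length is 0x28 = 40, so the trailing 6 bytes are frame padding, not payload), and applies the content/offset/depth semantics Snort and Suricata document, where offset is counted from the start of the payload and depth from the offset. Run against the two rules from the report, both should match; a third check shows that depth:3 after offset:3 covers only 88 00 00 and must not fire. The rule-option parser (`parse_options`) is a deliberate simplification for single-content rules, and `udp_payload`, `parse_content`, `content_matches` and `rule_matches` are names chosen here, not Suricata APIs.

```python
# Added example, not Suricata code: replay the report's rules against the
# report's own packet using Snort/Suricata content/offset/depth semantics.
import struct

# Transcribed from the "simplified tcpdump hex output" in the report: an
# IPv4/UDP packet with no link-layer header. The dump carries 46 bytes but
# the IP total length is 0x28 = 40, so the last 6 bytes are frame padding.
PACKET = bytes.fromhex(
    "4500 0028 0000 4000 3411 5152 c202 2809"
    "0a32 0136 0035 e6e6 0014 1a16 6098 a888"
    "0000 0000 0000 0000 0000 0000 0000"
)

# The two rules quoted in the report (the first is the false-negative case).
RULE_FN = ('alert udp any 53 -> any any (msg:"suricata test dns reply"; '
           'content:"|00 00 00|"; offset:3; depth:4; classtype:bad-unknown; '
           'sid:9199437; rev:1;)')
RULE_OK = ('alert udp any 53 -> any any (msg:"suricata test dns reply"; '
           'content:"|00 00 00|"; offset:4; depth:3; classtype:bad-unknown; '
           'sid:9199437; rev:1;)')


def udp_payload(pkt):
    """Return the UDP payload of a raw IPv4 packet, bounded by both the IP
    total length and the UDP length so that trailing frame padding is not
    mistaken for payload bytes."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 17 or len(pkt) < ihl + 8:
        raise ValueError("not a complete IPv4/UDP packet")
    udp_len = struct.unpack("!H", pkt[ihl + 4:ihl + 6])[0]
    end = min(len(pkt), total_len, ihl + udp_len)
    return pkt[ihl + 8:end]


def parse_content(text):
    """Decode a content value: literal text with |hh hh| hex escapes."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_options(rule):
    """Minimal option parser for a single-content rule (assumes no ';' or
    '|' inside quoted strings other than hex escapes). Returns a dict with
    'content' (bytes), 'offset' (int) and 'depth' (int or None)."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = {"offset": 0, "depth": None}
    for opt in body.split(";"):
        key, _, value = opt.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "content":
            opts["content"] = parse_content(value.strip('"'))
        elif key in ("offset", "depth"):
            opts[key] = int(value)
    return opts


def content_matches(payload, content, offset=0, depth=None):
    """Snort/Suricata semantics: skip `offset` bytes from the start of the
    payload, then the whole content must fall inside the next `depth` bytes
    (depth is counted from the offset, not from the payload start)."""
    if depth is not None and depth < len(content):
        return False
    end = None if depth is None else offset + depth
    return payload.find(content, offset, end) != -1


def rule_matches(rule, pkt):
    """True if the rule's content/offset/depth constraint holds on the packet."""
    o = parse_options(rule)
    return content_matches(udp_payload(pkt), o["content"], o["offset"], o["depth"])


if __name__ == "__main__":
    payload = udp_payload(PACKET)
    print("payload:", payload.hex(" "))
    for name, rule in (("offset:3; depth:4", RULE_FN), ("offset:4; depth:3", RULE_OK)):
        print(f"{name}: {'match' if rule_matches(rule, PACKET) else 'no match'}")
    # depth:3 after offset:3 only covers 88 00 00, so this one must not fire
    print("offset:3; depth:3:", content_matches(payload, b"\x00\x00\x00", 3, 3))
```

The useful habit here is the one the reporter followed: before filing a false negative against an offset/depth rule, compute the exact byte window the rule should cover from the payload start (not from the frame start) and confirm the content fits inside it; with offset:3; depth:4 that window is bytes 3..6 of the 12-byte DNS payload, 88 00 00 00, which does contain 00 00 00.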

Associated revisions

Revision dab67988 (diff)
Added by Victor Julien about 6 years ago

Properly update depth if offset+content_len < depth. Fixes #164.

History

#1 Updated by Victor Julien about 6 years ago

  • Status changed from New to Closed
  • Assignee set to Victor Julien
  • Target version set to 0.9.1

Fixed, thanks for the report Rmkml.
