Project

General

Profile

Actions
Copy link

Bug #164

closed

small pb (FN) on suricata with content and offset+depth

Added by rmkml rmkml almost 14 years ago. Updated almost 14 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Victor Julien
Target version:
0.9.1
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,
I have a small pb with this sig and joigned (dns/udp) pcap file without alert firing:
alert udp any 53 -> any any (msg:"suricata test dns reply"; content:"|00 00 00|"; offset:3; depth:4; classtype:bad-unknown; sid:9199437; rev:1;)
simplified tcpdump hex output (on joigned pcap file):
0x0000: 4500 0028 0000 4000 3411 5152 c202 2809
0x0010: 0a32 0136 0035 e6e6 0014 1a16 6098 a888
0x0020: 0000 0000 0000 0000 0000 0000 0000
ok udp payload start at 0x1c, on my sig, offset:3 start at 0x1f, but depth:4 allow me 0x1f:88 + 0x20:00 + 0x21: 00 + 0x22:00.
Tested on suricata v0.9.0 and git on date 20 may 2010 (b629b7c5c1e2ad6c91b97b6708ad9ddc6a674502).
and of course, this sig work:
alert udp any 53 -> any any (msg:"suricata test dns reply"; content:"|00 00 00|"; offset:4; depth:3; classtype:bad-unknown; sid:9199437; rev:1;)
Regards
Rmkml

Files

suricatafndnsudpreplyzeroquestion.pcap (102 Bytes) suricatafndnsudpreplyzeroquestion.pcap rmkml rmkml, 05/21/2010 10:41 AM
Actions
Copy link
 #1

Updated by Victor Julien almost 14 years ago

  • Status changed from New to Closed
  • Assignee set to Victor Julien
  • Target version set to 0.9.1

Fixed, thanks for the report Rmkml.

Actions
Copy link

Also available in: Atom PDF