Bug #164

small pb (FN) on suricata with content and offset+depth

Added by rmkml rmkml almost 4 years ago. Updated almost 4 years ago.

Status:ClosedStart date:05/21/2010
Priority:NormalDue date:
Assignee:Victor Julien% Done:

0%

Category:-
Target version:0.9.1

Description

Hi,
I have a small pb with this sig and joigned (dns/udp) pcap file without alert firing:
alert udp any 53 -> any any (msg:"suricata test dns reply"; content:"|00 00 00|"; offset:3; depth:4; classtype:bad-unknown; sid:9199437; rev:1;)
simplified tcpdump hex output (on joigned pcap file):
0x0000: 4500 0028 0000 4000 3411 5152 c202 2809
0x0010: 0a32 0136 0035 e6e6 0014 1a16 6098 a888
0x0020: 0000 0000 0000 0000 0000 0000 0000
ok udp payload start at 0x1c, on my sig, offset:3 start at 0x1f, but depth:4 allow me 0x1f:88 + 0x20:00 + 0x21: 00 + 0x22:00.
Tested on suricata v0.9.0 and git on date 20 may 2010 (b629b7c5c1e2ad6c91b97b6708ad9ddc6a674502).
and of course, this sig work:
alert udp any 53 -> any any (msg:"suricata test dns reply"; content:"|00 00 00|"; offset:4; depth:3; classtype:bad-unknown; sid:9199437; rev:1;)
Regards
Rmkml

suricatafndnsudpreplyzeroquestion.pcap (102 Bytes) rmkml rmkml, 05/21/2010 10:41 AM

Associated revisions

Revision dab67988
Added by Victor Julien almost 4 years ago

Properly update depth if offset+content_len < depth. Fixes #164.

History

#1 Updated by Victor Julien almost 4 years ago

  • Status changed from New to Closed
  • Assignee set to Victor Julien
  • Target version set to 0.9.1

Fixed, thanks for the report Rmkml.

Also available in: Atom PDF