Project

General

Profile

Actions

Bug #2056

closed

missing warning on a rule using within with one content keyword

Added by Peter Manev over 5 years ago. Updated about 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

alert udp $HOME_NET 1024: -> $EXTERNAL_NET 6000: (msg:"ET TROJAN Zeus P2P CnC"; content:"|AAAAAAAAAAAAAA|"; within:63; reference:url,www.abuse.ch/?p=3499; classtype:trojan-activity; sid:112233; rev:13;)

The rule above does not err/warn while loading in Suri but it should since within needs "two contents".
Tested with - 4.0dev (rev 6585ac4)

Actions #1

Updated by Victor Julien over 5 years ago

At least in some cases this is intentional, like with file_data. It's interpreted as 'depth'. IIRC this was to ensure compatibility with rules for Snort.

Actions #2

Updated by Andreas Herz over 5 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions #3

Updated by Andreas Herz about 3 years ago

would be a warning still a valid solution?

Actions #4

Updated by Victor Julien about 3 years ago

I'm inclined to leave as-is.

Actions #5

Updated by Andreas Herz about 3 years ago

  • Status changed from New to Closed
Actions

Also available in: Atom PDF