Bug #2056: missing warning on a rule using within with one content keyword

Added by Peter Manev about 9 years ago. Updated over 6 years ago.

Status: Closed
Priority: Normal

Description

alert udp $HOME_NET 1024: -> $EXTERNAL_NET 6000: (msg:"ET TROJAN Zeus P2P CnC"; content:"|AAAAAAAAAAAAAA|"; within:63; reference:url,www.abuse.ch/?p=3499; classtype:trojan-activity; sid:112233; rev:13;)

The rule above does not err/warn while loading in Suri but it should since within needs "two contents".
Tested with - 4.0dev (rev 6585ac4)

#1 Updated by Victor Julien about 9 years ago

At least in some cases this is intentional, like with file_data. It's interpreted as 'depth'. IIRC this was to ensure compatibility with rules for Snort.

#2 Updated by Andreas Herz almost 9 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD

#3 Updated by Andreas Herz almost 7 years ago

Would a warning still be a valid solution?

#4 Updated by Victor Julien almost 7 years ago

I'm inclined to leave as-is.

#5 Updated by Andreas Herz over 6 years ago

  • Status changed from New to Closed