Bug #208

closed

regression v100 and git today cause FN

Added by rmkml over 14 years ago. Updated over 14 years ago.

Status: Closed
Priority: Normal

Description

Hi,
Congratulations for first Suricata release.
With two rules and the joined pcap file, I have an FN (no alert):
alert tcp any any -> any 25 (msg:"suricata smtp"; flow:to_server,established; content:"EHLO "; nocase; depth:5; classtype:attempted-user; sid:9404481; rev:1;)
alert tcp any any <> any 0 (msg:"BAD TRAFFIC tcp port 0 traffic"; flow:stateless; classtype:misc-activity; sid:524; rev:8;)
If you disable the (second) sid 524, the (first) sid 9404481 fires.
Tested with v1.0.0 and git today (102092a89c8c48080853e9402325b4ee0e114697).
No FN (alert) on v0.9.2 or v0.9.1.
Please Check.
Regards
Rmkml


Files

suricatafnsmtpflowstateless.pcap (845 Bytes), rmkml, 07/13/2010 03:23 PM
Actions #1

Updated by Victor Julien over 14 years ago

  • Due date set to 07/20/2010
  • Assignee set to OISF Dev
  • Target version set to 1.0.1
  • Estimated time set to 2.50 h
Actions #2

Updated by Will Metcalf over 14 years ago

Verified. Sig grouping issue? Modifying the direction of sid 524 allows the sig 9404481 to fire.

alert tcp any any -> any 0 (msg:"BAD TRAFFIC tcp port 0 traffic"; flow:stateless; classtype:misc-activity; sid:524; rev:8;)

Actions #3

Updated by Will Metcalf over 14 years ago

  • Status changed from New to Closed

Fixed in current master...

06/19/08-18:44:42.975945 [**] [1:9404481:1] suricata smtp [**] [Classification: Attempted User Privilege Gain] [Priority: 3] {6} 192.168.1.2:39481 -> 212.27.48.4:25
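A small regression check for this ticket, added here as an example and not part of the bug report or of Suricata itself: it loads exactly the two rules from the description, runs Suricata over the attached pcap, and parses fast.log to confirm that sid 9404481 still fires while sid 524 is present. It assumes a `suricata` binary on PATH that accepts `-r`, `-S` and `-l` (as recent releases do) and a default config with fast.log output enabled; the sample log line is the one quoted in comment #3.

```python
"""Regression check for bug #208: the bidirectional port-0 rule (sid 524)
must not suppress the EHLO alert (sid 9404481) on the attached pcap."""
import re
import subprocess
import tempfile
from pathlib import Path

# The two rules exactly as given in the bug description.
RULES = (
    'alert tcp any any -> any 25 (msg:"suricata smtp"; flow:to_server,established; '
    'content:"EHLO "; nocase; depth:5; classtype:attempted-user; sid:9404481; rev:1;)\n'
    'alert tcp any any <> any 0 (msg:"BAD TRAFFIC tcp port 0 traffic"; flow:stateless; '
    'classtype:misc-activity; sid:524; rev:8;)\n'
)

# fast.log alert lines look like: "<ts> [**] [gid:sid:rev] <msg> [**] [Classification: ...] ..."
FASTLOG_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] ")


def alerted_sids(fastlog_text):
    """Return the set of sids that produced an alert in the given fast.log text."""
    return {int(m.group(2)) for m in FASTLOG_RE.finditer(fastlog_text)}


def check_regression(fastlog_text, expected_sid=9404481):
    """True when the expected alert fired (no FN); False when the regression is back."""
    return expected_sid in alerted_sids(fastlog_text)


def run_suricata(pcap, rules=RULES, suricata="suricata"):
    """Run Suricata offline on `pcap` with only `rules` loaded and return fast.log.
    Assumes `suricata` is on PATH and supports -r/-S/-l (assumption, not from the ticket)."""
    with tempfile.TemporaryDirectory() as logdir:
        rules_path = Path(logdir) / "bug208.rules"
        rules_path.write_text(rules)
        subprocess.run([suricata, "-r", pcap, "-S", str(rules_path), "-l", logdir],
                       check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return (Path(logdir) / "fast.log").read_text()


# Constructed sample: the fast.log line quoted in comment #3 from the fixed build.
SAMPLE_FIXED = ("06/19/08-18:44:42.975945 [**] [1:9404481:1] suricata smtp [**] "
                "[Classification: Attempted User Privilege Gain] [Priority: 3] {6} "
                "192.168.1.2:39481 -> 212.27.48.4:25\n")

if __name__ == "__main__":
    import sys
    # With a pcap path as argument the real engine is run; otherwise the sample is checked.
    log = run_suricata(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FIXED
    print("PASS" if check_regression(log) else "FAIL: sid 9404481 did not fire (FN)")
```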
