Bug #2103: Rules with dual rev do not error - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #2103

closed

Rules with dual rev do not error

Added by Francis Trudeau over 7 years ago. Updated about 7 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Andreas Herz

Target version:

4.0.1

Affected Versions:

Effort:

Difficulty:

Label:

Description

The following rules do not error in Suricata 3.2.1 or Suricata version 4.0dev (rev 3ff5dc3):

alert tcp any any -> any any (msg:"DUAL REV TEST"; content:"|31 36 30 39 31 33 32 30|"; sid:3031; rev:1; rev:1;)

alert tcp any any -> any any (msg:"DUAL REV TEST"; content:"|31 36 30 39 31 33 32 30|"; sid:3032; rev:1; rev:2;)

It appears to pick the latter one when presented with two:

09/12/2016-14:51:13.407898 [**] [1:3032:2] DUAL REV TEST [**] [Classification: (null)] [Priority: 3] {TCP} 172.16.71.200:42439 -> 172.16.71.162:88

Actions

Copy link

Updated by Andreas Herz over 7 years ago

Assignee set to Andreas Herz
Target version set to TBD

Actions

Copy link

Updated by Andreas Herz about 7 years ago

Status changed from New to Closed

fixed in https://github.com/inliniac/suricata/pull/2878

Actions

Copy link

Updated by Andreas Herz about 7 years ago

Target version changed from TBD to 4.0.1

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #2103

Rules with dual rev do not error

Updated by Andreas Herz over 7 years ago

Updated by Andreas Herz about 7 years ago

Updated by Andreas Herz about 7 years ago