Bug #285

closed

FN on suricata 103/11beta2 - ftp format string

Added by rmkml rmkml over 10 years ago. Updated over 10 years ago.

Status: Closed
Priority: Normal

Description

Hi,
First, great congratulations on the new Suricata 1.0.3/1.1beta2 release!
Second, I have a small problem with the attached pcap file.
OK, first (poor/very simplified) sig, working:
alert tcp any any -> any 21 (msg:"FTP format string in ftp cmd attempt"; flow:to_server,established; content:"%"; depth:4; offset:0; classtype:misc-activity; sid:945011; rev:1;)
OK, second (poor/very simplified) sig, NOT working (but works with Snort):
alert tcp any any -> any 21 (msg:"FTP format string in ftp cmd attempt"; flow:to_server,established; content:"%"; depth:4; offset:0; content:"%"; within:2; distance:1; classtype:misc-activity; sid:945012; rev:1;)
stream:
  checksum_validation: no # or yes, same problem for me
Thank you again for your time checking my test.
If you confirm, I'll open a new ticket on the Suricata redmine.
Regards
Rmkml

#1

Updated by Victor Julien over 10 years ago

  • Status changed from New to Closed
  • Assignee set to Victor Julien
  • Target version set to 1.1beta3
  • % Done changed from 0 to 100

There are several issues:

1. distance wasn't properly taken into account when checking within: now fixed.
2. The toserver part of the stream wasn't inspected properly, as with the default config the RST was rejected. This can be addressed by adding the destination IP to the "linux" group in the host-os section of the yaml.
3. The toserver part should have been inspected in spite of (2) at flow "shut down". This is currently in the works.
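As an added illustration (not Suricata's code and not from this ticket), the following Python models the offset/depth and distance/within content windows and runs the two rules above over constructed FTP command lines; the honour_distance flag is my assumption about what issue (1) looked like (a within window anchored at the previous match end rather than at previous end + distance), since the actual fix is not shown here.

```python
# Added illustration, not Suricata's code: a tiny model of rule content
# windows (offset/depth absolute; distance/within relative to the previous
# match) applied to the two rules from the ticket.  honour_distance=False is
# an assumed model of issue (1): a `within` window anchored at the previous
# match end instead of at previous end + distance.
from typing import Optional, Tuple


def match_content(payload: bytes, pattern: bytes, *, offset: int = 0,
                  depth: Optional[int] = None, distance: Optional[int] = None,
                  within: Optional[int] = None, prev_end: int = 0,
                  honour_distance: bool = True) -> Optional[Tuple[int, int]]:
    """Return (start, end) of the first match inside the window, or None."""
    if distance is None and within is None:
        # Absolute modifiers: pattern must lie inside payload[offset:offset+depth].
        start = offset
        end = len(payload) if depth is None else offset + depth
    else:
        # Relative modifiers: search starts `distance` bytes after the previous
        # match and the pattern must end within `within` bytes of that point.
        start = prev_end + (distance or 0)
        anchor = start if honour_distance else prev_end  # buggy model ignores distance
        end = len(payload) if within is None else anchor + within
    idx = payload.find(pattern, start, end)  # slice bounds: match must fit in [start, end)
    return None if idx == -1 else (idx, idx + len(pattern))


def rule_945011(payload: bytes) -> bool:
    """content:"%"; depth:4; offset:0;"""
    return match_content(payload, b"%", offset=0, depth=4) is not None


def rule_945012(payload: bytes, honour_distance: bool = True) -> bool:
    """content:"%"; depth:4; offset:0; content:"%"; within:2; distance:1;

    Simplification: only the first hit of the first content is tried; a real
    engine would also retry later hits of the first content.
    """
    first = match_content(payload, b"%", offset=0, depth=4)
    if first is None:
        return False
    second = match_content(payload, b"%", distance=1, within=2,
                           prev_end=first[1], honour_distance=honour_distance)
    return second is not None


if __name__ == "__main__":
    # Constructed to_server FTP command lines, not taken from the ticket's pcap.
    for cmd in (b"%p%p\r\n", b"%pp%\r\n", b"%p\r\n", b"USER %p%p\r\n"):
        print(cmd, rule_945011(cmd), rule_945012(cmd), rule_945012(cmd, False))
```

With the distance-aware window, b"%pp%\r\n" matches sid:945012 (second "%" ends at byte 4, inside the window starting at byte 2); with the window wrongly anchored at the previous match end it is missed, which is the false negative shape the ticket describes.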
