Bug #285

closed

FN on suricata 103/11beta2 - ftp format string

Added by rmkml rmkml over 13 years ago. Updated over 13 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,
First, congratulations on the new Suricata 1.0.3/1.1beta2 release!
Second, I have a small problem with the attached pcap file.
OK, the first (poor/very simplified) sig is working:
alert tcp any any -> any 21 (msg:"FTP format string in ftp cmd attempt"; flow:to_server,established; content:"%"; depth:4; offset:0; classtype:misc-activity; sid:945011; rev:1;)
OK, the second (poor/very simplified) sig is NOT working (but it works with Snort):
alert tcp any any -> any 21 (msg:"FTP format string in ftp cmd attempt"; flow:to_server,established; content:"%"; depth:4; offset:0; content:"%"; within:2; distance:1; classtype:misc-activity; sid:945012; rev:1;)
stream:
  checksum_validation: no # or yes, I have the same problem
Thank you again for your time checking my test.
If you confirm, I'll open a new ticket on the Suricata Redmine.
Regards
Rmkml
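
Added example, not part of the original report: a small reference evaluator for the content chains of sid 945011 and sid 945012, useful for deciding which payloads should alert before comparing engine output. The payloads are constructed (the pcap is not reproduced here), flow and port checks are not modelled, and the window semantics in the comments are assumptions based on the documented depth/offset/distance/within behaviour.

```python
# Assumed semantics: depth counts the bytes searched starting at offset;
# distance skips bytes after the end of the previous match; within limits
# the search to that many bytes from the distance-adjusted start.
SIGS = {
    945011: [(b"%", {"offset": 0, "depth": 4})],
    945012: [(b"%", {"offset": 0, "depth": 4}),
             (b"%", {"distance": 1, "within": 2})],
}


def window(mods, prev_end, size):
    """Return the (start, end) byte range the whole pattern must lie in."""
    if "distance" in mods or "within" in mods:
        start = prev_end + mods.get("distance", 0)
        end = start + mods["within"] if "within" in mods else size
    else:
        start = mods.get("offset", 0)
        end = start + mods["depth"] if "depth" in mods else size
    return max(start, 0), min(end, size)


def chain_matches(payload, chain, idx=0, prev_end=0):
    """True if every content matches; earlier matches are retried on failure."""
    if idx == len(chain):
        return True
    pattern, mods = chain[idx]
    start, end = window(mods, prev_end, len(payload))
    pos = payload.find(pattern, start, end)
    while pos != -1:
        if chain_matches(payload, chain, idx + 1, pos + len(pattern)):
            return True
        pos = payload.find(pattern, pos + 1, end)
    return False


def expected_alerts(payload):
    """Sids whose content chain matches a single to_server payload."""
    return [sid for sid, chain in SIGS.items() if chain_matches(payload, chain)]


# Constructed payloads for illustration only.
SAMPLES = [b"%s%s\r\n", b"%x %x\r\n", b"%%\r\n", b"%n  %n\r\n", b"USER %s%s\r\n"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, expected_alerts(sample))
```

A payload for which this lists 945012 but the engine raises only 945011 reproduces the false negative described above.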

