Project

General

Profile

Actions
Copy link

Bug #340

closed
RR AS

FN on sig contains ip proto negate please

Bug #340: FN on sig contains ip proto negate please

Added by rmkml rmkml over 14 years ago. Updated over 14 years ago.

Status:
Closed
Priority:
High
Assignee:
Anoop Saldanha
Target version:
1.0.6
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,
Anyone fix this FN please?:
alert ip any any -> any any (msg:"test ip proto 1"; ip_proto:219; classtype:non-standard-protocol; sid:999991; rev:1;)
Joigned pcap file: ok suricata v105 fire.

ok next sig contains ip proto negate:
alert ip any any -> any any (msg:"test ip proto 2"; ip_proto:!1; classtype:non-standard-protocol; sid:999992; rev:1;)
on this: suricata v105 not fire (of course, snort fire).
Regards
Rmkml

Files

exemple_ipproto219_scan.pcap (74 Bytes) exemple_ipproto219_scan.pcap rmkml rmkml, 10/06/2011 04:56 AM
Actions
Copy link

Also available in: PDF Atom