Actions
Bug #3780
closedNegated content with distance FP
Description
The following signature:
alert udp any any -> any any (msg:"Negated content with distance test"; content:"|C0 0C 00 10 00 01|"; content:!"v=spf"; distance:0; sid:30303; rev:1;)
This rule alerts on the attached pcap. The attached pcap has 'v=spf' in the packet after the hex content in the signature.
Tested with 6.0.0-dev (e5fd47dcf 2020-05-01), 5.0.3, 4.1.8, 4.0.7.
Files
Updated by Victor Julien over 1 year ago
- Status changed from New to Assigned
- Assignee set to Victor Julien
- Priority changed from Normal to High
- Target version set to 7.0.0-beta1
- Label Needs backport to 6.0 added
Updated by Juliana Fajardini Reichow over 1 year ago
- Related to Task #5482: create SV tests to demonstrate false positive behavior for negated content and distance (bug 3780) added
Updated by Shivani Bhardwaj over 1 year ago
- Label deleted (
Needs backport to 6.0)
Updated by Victor Julien over 1 year ago
- Target version changed from 7.0.0-beta1 to 7.0.0-rc1
Updated by Victor Julien over 1 year ago
I believe that the behavior is correct. content:"|C0 0C 00 10 00 01|"; is found 4 times in the payload. Three of them before the v=spf string, 1 after. The one after then looks if it is followed by v=spf, which it isn't. So the content:!"v=spf"; distance:0; matches that 4th time, as expected.
Updated by Victor Julien over 1 year ago
- Status changed from Assigned to Rejected
Actions