Project

General

Profile

Actions
Copy link

Bug #3780

closed
FT VJ

Negated content with distance FP

Bug #3780: Negated content with distance FP

Added by Francis Trudeau almost 6 years ago. Updated over 3 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
Victor Julien
Target version:
7.0.0-rc1
Affected Versions:
4.1.8, 5.0.3, 6.0.0rc1
Effort:
Difficulty:
Label:

Description

The following signature:

alert udp any any -> any any (msg:"Negated content with distance test"; content:"|C0 0C 00 10 00 01|"; content:!"v=spf"; distance:0; sid:30303; rev:1;)

This rule alerts on the attached pcap. The attached pcap has 'v=spf' in the packet after the hex content in the signature.

Tested with 6.0.0-dev (e5fd47dcf 2020-05-01), 5.0.3, 4.1.8, 4.0.7.

Files

Download all files
negated_content_distance.pcap (708 Bytes) negated_content_distance.pcap Francis Trudeau, 06/24/2020 05:12 PM
clipboard-202211162139-zscym.png (315 KB) clipboard-202211162139-zscym.png Victor Julien, 11/16/2022 08:39 PM

Subtasks 2 (0 open2 closed)

Task #5482: create SV tests to demonstrate false positive behavior for negated content and distance (bug 3780)ClosedShivani BhardwajActions
Bug #5605: Negated content with distance FP (6.0.x backport)RejectedActions
Actions
Copy link

Also available in: PDF Atom