Suricata

rmkml rmkml wrote:

Hi,
Suricata not fire with this signature and joigned pcap file:
alert tcp any 110 -> any any (msg:"pop3 suricata reply"; flow:to_client,established; content:"-ERR"; nocase; depth:4; offset:0; classtype:misc-attack; sid:9116511; rev:1;)

but fire with this signature: (only changed depth)
alert tcp any 110 -> any any (msg:"pop3 suricata reply"; flow:to_client,established; content:"-ERR"; nocase; depth:53; offset:0; classtype:misc-attack; sid:9116511; rev:1;)

Im curious why first signature not fire ?
Of course, snort fire with two signatures.
Regards
Rmkml

This is not a bug per-se, but rather the way suricata works currently.

Suricata divides the payload inspection tasks into 2 parts and it's the same with sigs - sigs are divided as stream sigs, and sigs that require packet inspection(example dsize, id, flags, ack, etc.).

Now this sig you have here is a stream sig. Which means we will carry out inspection on the reassembled stream. Suricata has a default chunk size of 2560 which you can set from the yaml. Chunk size is the size of reassembled segments we would inspect. With the reassembled stream, offset and depth probably doesn't make much sense, which is why we don't see the first sig firing, since within this particular stream, "-ERR" doesn't lie in the first 4 bytes of the stream, but rather within the first 4 bytes of payload.

To test this, you can set the "toclient_chunk_size" to a small value, say 5 and see that the sig fires.