Bug #411

FP with byte_jump and content within on suricata v121

Added by rmkml rmkml about 2 years ago. Updated about 2 years ago.

Status: Closed
Priority: Normal
Assignee: Anoop Saldanha
% Done: 100%
Category: -
Target version: 1.3beta1

Description

Hi,
I'm submitting this FP, with the attached snmp pcap file and this very simple signature:
alert udp any any -> any 161 (msg:"test snmp suricata"; byte_jump:1,6; content:"|01|"; within:1; distance:3; classtype:attempted-recon; sid:9110892; rev:1;)
Suricata v1.2.1 fires (it's wrong), but why??
udp payload (from the extracted pcap file):
30 4D 02 01 00 04 06 p u b l i c A0 40 02 03 0A 01 9F
...
Of course, snort does not fire. Another sig for snort, this time on the same pcap:
alert udp any any -> any 161 (msg:"test snmp suricata"; byte_jump:1,6; content:"|03|"; within:1; distance:3; classtype:attempted-recon; sid:9110893; rev:1;)
snort fires! (that's correct)
Regards
Rmkml

exemple_snmp_fp_suricata.pcap (161 Bytes) rmkml rmkml, 01/31/2012 03:45 PM
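To see why only the second signature should match, here is an added Python evaluator (not Suricata or Snort code) that applies the documented Snort semantics of byte_jump followed by a relative content with distance/within to the 20 payload bytes quoted in the report; the rest of the packet is elided there, so this constructed payload stops at 0x9F.

```python
# Constructed from the first 20 UDP payload bytes quoted in the bug report.
# Byte index 6 is 0x06, "public" occupies indexes 7..12, 0x03 sits at index 16.
SNMP_PAYLOAD = bytes.fromhex("304D0201000406") + b"public" + bytes.fromhex("A04002030A019F")


def byte_jump(payload, num_bytes, offset, cursor=0, relative=False, endian="big"):
    """Snort/Suricata byte_jump: read num_bytes at offset, convert to an integer,
    and move the detection cursor to just past those bytes plus the value read.
    Returns None when the read would run off the end of the payload."""
    start = cursor + offset if relative else offset
    if start < 0 or start + num_bytes > len(payload):
        return None
    value = int.from_bytes(payload[start:start + num_bytes], endian)
    return start + num_bytes + value


def content_relative(payload, pattern, cursor, distance=0, within=None):
    """Relative content match: skip `distance` bytes from the cursor, then the
    pattern must fit entirely inside the next `within` bytes (whole rest of the
    payload when within is None). Returns the cursor after the match, or None."""
    lo = cursor + distance
    hi = len(payload) if within is None else lo + within
    idx = payload.find(pattern, lo, hi)  # find() honours both bounds, so a
    if idx < 0:                          # pattern longer than the window fails
        return None
    return idx + len(pattern)


def rule_matches(payload, pattern):
    """byte_jump:1,6; content:<pattern>; within:1; distance:3; on one payload."""
    cursor = byte_jump(payload, num_bytes=1, offset=6)
    if cursor is None:
        return False
    return content_relative(payload, pattern, cursor, distance=3, within=1) is not None


if __name__ == "__main__":
    # byte_jump reads 0x06 at index 6 and lands at 6 + 1 + 6 = 13; distance:3 moves
    # to index 16 and within:1 allows only that single byte, which is 0x03.
    print("cursor after byte_jump:", byte_jump(SNMP_PAYLOAD, 1, 6))
    print("sid 9110892 (|01|) matches:", rule_matches(SNMP_PAYLOAD, b"\x01"))
    print("sid 9110893 (|03|) matches:", rule_matches(SNMP_PAYLOAD, b"\x03"))
```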

History

#1 Updated by Victor Julien about 2 years ago

  • Status changed from New to Assigned
  • Assignee set to Anoop Saldanha
  • Target version set to 1.3beta1
  • Estimated time set to 4.00

Anoop can you take this on and add (a) unittest(s) while at it?

#2 Updated by Anoop Saldanha about 2 years ago

Sure

#3 Updated by Anoop Saldanha about 2 years ago

  • Status changed from Assigned to Resolved

Patches sent privately.

#4 Updated by Victor Julien about 2 years ago

  • Status changed from Resolved to Closed
  • % Done changed from 0 to 100

Applied, thanks Anoop.
