Bug #411
closedFP with byte_jump and content within on suricata v121
Description
Hi,
Im submit this FP, joigned snmp pcap file and this very simply signature:
alert udp any any -> any 161 (msg:"test snmp suricata"; byte_jump:1,6; content:"|01|"; within:1; distance:3; classtype:attempted-recon; sid:9110892; rev:1;)
Suricata v1.2.1 fire (it's wrong), but why ??
udp payload (on extracted pcap file):
30 4D 02 01 00 04 06 p u b l i c A0 40 02 03 0A 01 9F
...
Of course, snort not fire. Another sig for snort this time on same pcap:
alert udp any any -> any 161 (msg:"test snmp suricata"; byte_jump:1,6; content:"|03|"; within:1; distance:3; classtype:attempted-recon; sid:9110893; rev:1;)
snort fire! (it's true)
Regards
Rmkml
Files
Updated by Victor Julien about 12 years ago
- Status changed from New to Assigned
- Assignee set to Anoop Saldanha
- Target version set to 1.3beta1
- Estimated time set to 4.00 h
Anoop can you take this on and add (a) unittest(s) while at it?
Updated by Anoop Saldanha about 12 years ago
- Status changed from Assigned to Resolved
Patches sent privately.
Updated by Victor Julien about 12 years ago
- Status changed from Resolved to Closed
- % Done changed from 0 to 100
Applied, thanks Anoop.