Bug #411: FP with byte_jump and content within on suricata v121 - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #411

closed

FP with byte_jump and content within on suricata v121

Added by rmkml rmkml over 12 years ago. Updated about 12 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Anoop Saldanha

Target version:

1.3beta1

Affected Versions:

Effort:

Difficulty:

Label:

Description

Hi,
Im submit this FP, joigned snmp pcap file and this very simply signature:
alert udp any any -> any 161 (msg:"test snmp suricata"; byte_jump:1,6; content:"|01|"; within:1; distance:3; classtype:attempted-recon; sid:9110892; rev:1;)
Suricata v1.2.1 fire (it's wrong), but why ??
udp payload (on extracted pcap file):
30 4D 02 01 00 04 06 p u b l i c A0 40 02 03 0A 01 9F
...
Of course, snort not fire. Another sig for snort this time on same pcap:
alert udp any any -> any 161 (msg:"test snmp suricata"; byte_jump:1,6; content:"|03|"; within:1; distance:3; classtype:attempted-recon; sid:9110893; rev:1;)
snort fire! (it's true)
Regards
Rmkml

Files

exemple_snmp_fp_suricata.pcap (161 Bytes) exemple_snmp_fp_suricata.pcap

rmkml rmkml, 01/31/2012 03:45 PM

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #411

FP with byte_jump and content within on suricata v121

Updated by Victor Julien over 12 years ago

Updated by Anoop Saldanha over 12 years ago

Updated by Anoop Saldanha about 12 years ago

Updated by Victor Julien about 12 years ago