Project

General

Profile

Actions

Bug #411

closed

FP with byte_jump and content within on suricata v121

Added by rmkml rmkml almost 13 years ago. Updated almost 13 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,
Im submit this FP, joigned snmp pcap file and this very simply signature:
alert udp any any -> any 161 (msg:"test snmp suricata"; byte_jump:1,6; content:"|01|"; within:1; distance:3; classtype:attempted-recon; sid:9110892; rev:1;)
Suricata v1.2.1 fire (it's wrong), but why ??
udp payload (on extracted pcap file):
30 4D 02 01 00 04 06 p u b l i c A0 40 02 03 0A 01 9F
...
Of course, snort not fire. Another sig for snort this time on same pcap:
alert udp any any -> any 161 (msg:"test snmp suricata"; byte_jump:1,6; content:"|03|"; within:1; distance:3; classtype:attempted-recon; sid:9110893; rev:1;)
snort fire! (it's true)
Regards
Rmkml


Files

exemple_snmp_fp_suricata.pcap (161 Bytes) exemple_snmp_fp_suricata.pcap rmkml rmkml, 01/31/2012 03:45 PM
Actions

Also available in: Atom PDF