Bug #4399: use keyword ‘offset’ that cause more alert - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #4399

open

use keyword ‘offset’ that cause more alert

Added by albert wang about 3 years ago. Updated about 3 years ago.

Status:

New

Priority:

Normal

Assignee:

Target version:

Affected Versions:

6.0.1

Effort:

Difficulty:

Label:

Description

The rules are as follows
alert tcp any any -> any [445,135,139] (msg:"test";flow:from_client,established;content:"|FF||53||4d||42||A0|";sid:10001;rev:1;)
that just Alerted 1 times,but change ruler to
alert tcp any any -> any [445,135,139] (msg:"test";flow:from_client,established;content:"|FF||53||4d||42||A0|";offset:4;depth:5;sid:10001;rev:1;)
that Alerted 7 times

Files

test.pcap (5.21 KB) test.pcap

albert wang, 03/16/2021 07:14 AM

Actions

Copy link

Updated by Jeff Lucovsky about 3 years ago

This is working as designed. If the depth option is used with TCP, we assume that the rule writer meant to inspect a record/pdu, and so we inspect individual packets but also the reassembled stream. If there is no depth we just inspect the stream

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #4399

use keyword ‘offset’ that cause more alert

Updated by Jeff Lucovsky about 3 years ago