Bug #770
closednegative depth and offset:0 fire ?
Description
Hi,
Im check Suricata and Im curious with this "special" sig:
alert tcp any any -> any any (msg:"test sid"; flow:to_server,established; content:"LIST"; depth:-4; offset:0; classtype:suspicious-login; sid:1; rev:1;)
and Suricata fire two times:
03/03/2013-11:55:26.337310 [**] [1:1:1] test sid [**] [Classification: An attempted login using a suspicious username was detected] [Priority: 2] {TCP} 192.168.1.2:58129 -> a.b.c.d:21
03/03/2013-11:55:34.881652 [**] [1:1:1] test sid [**] [Classification: An attempted login using a suspicious username was detected] [Priority: 2] {TCP} 192.168.1.2:58129 -> a.b.c.d:21
Ok my pcap start with "LIST" but negative depth is not possible ?
Regards
Rmkml
Updated by Anoop Saldanha about 11 years ago
- Assignee set to Anoop Saldanha
- Target version set to 1.4.2
Updated by Anoop Saldanha about 11 years ago
Will be fixed post https://github.com/inliniac/suricata/pull/308
Updated by Victor Julien about 11 years ago
Actually for the 1.4 branch we won't be merging that PR, that for 2.0. So we'll need a fix for 1.4 as well. AFAICS the issue is that we don't reject the negative option in the parser, right?
Updated by Anoop Saldanha about 11 years ago
Victor Julien wrote:
Actually for the 1.4 branch we won't be merging that PR, that for 2.0. So we'll need a fix for 1.4 as well. AFAICS the issue is that we don't reject the negative option in the parser, right?
Ah! Right. Forgot that. Will create a separate one for 1.5
Yeah, we don't see negative.
Updated by Anoop Saldanha about 11 years ago
Updated by Victor Julien about 11 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
Merged, thanks!