Bug #877
closed
Flowbit check with content doesn't match consistently
Description
In the following rules:
alert http any any -> any any (msg:"FLOWBIT TEST 0"; content:"POST"; nocase; flowbits:set,testflow; classtype:trojan-activity; sid:303; rev:1;)
alert tcp any any -> any any (msg:"FLOWBIT TEST 1"; content:"|64 70|"; sid:111; rev:1;)
alert tcp any any -> any any (msg:"FLOWBIT TEST 2"; flowbits:isset,testflow; content:"|64|"; sid:222; rev:1;)
alert tcp any any -> any any (msg:"FLOWBIT TEST 3"; flowbits:isset,testflow; content:"|64 70|"; sid:333; rev:1;)
sid 333 does not fire.
Tested with Suricata 1.4.1, 1.4.2, 1.4.3.