Bug #976

closed

ip_rep supplying different number of alerts for 2 different but semantically similar rules

Added by Anoop Saldanha over 10 years ago. Updated over 10 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

src,>,0
src,<,127

When tested on etpro's ip_rep data, gives a different number of alerts, while they should be the same.

Actions #1

Updated by Victor Julien over 10 years ago

  • Status changed from New to Assigned

Actions #2

Updated by Victor Julien over 10 years ago

Found a bug, not sure if it is the issue, but definitely something.

Actions #3

Updated by Anoop Saldanha over 10 years ago

Rule-Set 1:
alert ip any any -> any any (iprep:src,[category],>,0; sid:1;)

Rule-Set 2:
alert ip any any -> any any (iprep:src,[category],<,127; sid:1;)

Fill category with all the available categories. Should give you 31 rules for each of the above sets.

Let me know if you need the exact ruleset I tested with.

Actions #4

Updated by Anoop Saldanha over 10 years ago

Looks like it has not solved the issue.

Sharing the rules privately.

Actions #5

Updated by Anoop Saldanha over 10 years ago

Looks like the rules specified by me were < 127, but there were IPs whose value was set at 127, which essentially meant we were not matching on these IPs.

Also, < 127 would mean match the entire range, which we can specify using > 0 (which is the alternate ruleset I was testing < 127 against).

Closing bug, since this is a non-issue.
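
The difference that comment #5 pins down, shown as an added example (this is not Suricata's code, and the reputation table, IP addresses, category names and packet list below are constructed): a toy evaluator for the `iprep:<side>,<category>,<op>,<value>` rule option that counts how many alerts each rule set produces. The two rule sets from comment #3 (`>,0` and `<,127`) agree on every IP except those whose reputation score is exactly 127, which `< 127` excludes and `> 0` includes. The comparison operators accepted by the parser are an assumption of this example.

```python
"""Toy evaluator for Suricata-style iprep rule options (added example, not Suricata code)."""
import operator
import re

# Comparison operators this toy parser accepts (assumption of the example).
OPS = {
    "<": operator.lt,
    ">": operator.gt,
    "=": operator.eq,
    "<=": operator.le,
    ">=": operator.ge,
}

IPREP_RE = re.compile(
    r"iprep:(?P<side>src|dst),(?P<cat>\w+),(?P<op><=|>=|<|>|=),(?P<val>\d+)"
)

# Constructed reputation table: ip -> {category: score}. Scores run 0..127;
# two hosts sit exactly at 127, which is the case the bug thread turned on.
REPUTATION = {
    "192.0.2.10": {"CnC": 127},
    "192.0.2.11": {"CnC": 50, "Scanner": 20},
    "192.0.2.12": {"Scanner": 127},
    "192.0.2.13": {},  # no reputation data at all
}

# Constructed traffic: one packet sourced from each host above.
PACKETS = [(ip, "198.51.100.1") for ip in REPUTATION]


def parse_iprep(rule):
    """Extract (side, category, op, value) from a rule's iprep option."""
    m = IPREP_RE.search(rule)
    if m is None:
        raise ValueError(f"no iprep option in rule: {rule}")
    return m["side"], m["cat"], m["op"], int(m["val"])


def match(rule, src_ip, dst_ip, reputation):
    """True if the packet's src/dst score in the rule's category satisfies the comparison."""
    side, cat, op, val = parse_iprep(rule)
    ip = src_ip if side == "src" else dst_ip
    score = reputation.get(ip, {}).get(cat)
    if score is None:  # host not listed in that category: no match
        return False
    return OPS[op](score, val)


def build_ruleset(categories, op, value):
    """One rule per category, as in comment #3, with a distinct sid per rule."""
    return [
        f"alert ip any any -> any any (iprep:src,{cat},{op},{value}; sid:{sid};)"
        for sid, cat in enumerate(categories, start=1)
    ]


def count_alerts(rules, packets, reputation):
    """Total alerts the rule set raises over the packet list."""
    return sum(
        1 for rule in rules for src, dst in packets if match(rule, src, dst, reputation)
    )


def matched_ips(rules, packets, reputation):
    """Set of source IPs that trigger at least one rule in the set."""
    return {
        src for rule in rules for src, dst in packets if match(rule, src, dst, reputation)
    }


if __name__ == "__main__":
    cats = ["CnC", "Scanner"]
    gt_zero = build_ruleset(cats, ">", 0)
    lt_127 = build_ruleset(cats, "<", 127)
    print("> 0   alerts:", count_alerts(gt_zero, PACKETS, REPUTATION))
    print("< 127 alerts:", count_alerts(lt_127, PACKETS, REPUTATION))
    only_gt = matched_ips(gt_zero, PACKETS, REPUTATION) - matched_ips(lt_127, PACKETS, REPUTATION)
    print("hosts matched by > 0 but not < 127:", sorted(only_gt))
```

Running the block reports four alerts for the `> 0` set and two for the `< 127` set; the two hosts that account for the gap are exactly the ones scored 127. Note that the rule template in comment #3 reuses `sid:1` for every rule, which a real Suricata ruleset would reject as duplicate signature ids; the helper numbers them per category instead.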

Actions #6

Updated by Anoop Saldanha over 10 years ago

  • Status changed from Assigned to Closed