Project

General

Profile

Bug #5064

Updated by Jason Ish almost 3 years ago

Seen with the PCAP from https://github.com/OISF/suricata-verify/pull/711. 

 A rule like: 
 <pre> 
 alert sip any any -> any any (flow:to_client; frame:pdu; content:"REGISTER sip"; sid:1;) 
 </pre> 

 will alert once as expected as the content @REGISTER sip@ is only seen once in the pcap in the @to_client@ direction. 

 However the rule: 
 <pre> 
 alert sip any any -> any any (frame:pdu; content:"REGISTER sip"; sid:1;) 
 </pre> 

 will create 2 identical alerts, but should probably only create one alert. 

 This does not appear to be limited to SIP, as I'm seeing it in my work-in-progress DNS frame support.

Back