Bug #134: suricata content+depth+offset pb (FalseNegative)
Status: closed
Description
Hi,
I have downloaded the latest Suricata git version (the v0.8.2 release has the same problem); look at my simple signature/rule:
alert tcp any any -> any 515 (msg:"detect IFS"; flow:to_server,established; content:"${IFS}"; depth:50; offset:0; classtype:attempted-dos; sid:900091; rev:1; )
The attached pcap file (old lpd exploit) demonstrates the problem.
I removed the offset keyword from my signature/rule and the alert fires!
Does anyone have an idea, please?
Regards
Rmkml
Updated by Victor Julien over 14 years ago
- Due date set to 05/01/2010
- Assignee set to Pablo Rincon
- Priority changed from Normal to High
- Target version set to 0.9.0
- Estimated time set to 3.00 h
Updated by Gurvinder Singh over 14 years ago
- File 0001-fixed-the-incorrect-depth-update-incase-of-offset-is.patch added
- Status changed from New to Resolved
- Assignee changed from Pablo Rincon to Gurvinder Singh
The bug was caused by an incorrect update of the depth length when offset is 0. The attached patch fixes the bug. Again thanks Rmkml for pointing out :-)
Updated by Victor Julien over 14 years ago
- Status changed from Resolved to Closed
- % Done changed from 0 to 100
I've applied the patch. Did a small modification of it. It now only updates cd->depth if depth != 0 and smaller than content_len + offset.
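An added example (not Suricata's code and not the attached patch) that models the offset/depth match window together with the depth update rule stated in the closing comment. It assumes depth and offset are absolute positions from the start of the payload, and the LPD payload below is constructed.

```python
# Added example, not Suricata's implementation: a minimal model of how a
# content match window is derived from the offset and depth keywords.
# Assumption: depth and offset are absolute from the payload start, and
# depth is raised only when it is non-zero and smaller than
# offset + content length (the rule from the closing comment).
from dataclasses import dataclass


@dataclass
class ContentData:
    content: bytes
    offset: int = 0
    depth: int = 0  # 0 means "no depth limit"

    def normalized_depth(self) -> int:
        """Raise depth only when it is set and cannot hold offset + content."""
        need = self.offset + len(self.content)
        if self.depth != 0 and self.depth < need:
            return need
        return self.depth


def content_match(cd: ContentData, payload: bytes) -> bool:
    """True if cd.content lies entirely inside payload[offset:depth]
    (depth 0 = end of payload)."""
    depth = cd.normalized_depth()
    end = len(payload) if depth == 0 else min(depth, len(payload))
    window = payload[cd.offset:end]
    return cd.content in window


# Constructed payload in the spirit of the report: an LPD (port 515)
# command whose argument carries "${IFS}" at byte 24, inside the first 50.
SAMPLE_PAYLOAD = b"\x02lp\n" + b"X" * 20 + b"${IFS}" + b"Y" * 40 + b"\n"

# The rule from the report: content:"${IFS}"; depth:50; offset:0;
REPORTED_RULE = ContentData(content=b"${IFS}", offset=0, depth=50)


def demo() -> bool:
    """With offset 0 the depth must stay 50, so the match succeeds."""
    return content_match(REPORTED_RULE, SAMPLE_PAYLOAD)


if __name__ == "__main__":
    print(demo())
```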