Bug #139 (Closed)
new FN suricata with alert udp+content hexa+depth+offset
Description
Hi,
First, thanks to all for your work and open source support!
I found a new FN with suricata v0.8.2 or today's git.
OK, look at my simple signature/rule/filter:
alert udp any any -> any 53 (msg:"dns testing"; content:"|00 00|"; depth:5; offset:13; classtype:bad-unknown; sid:9436601; rev:1;)
Attached a pcap that does not fire (warning: it's a UDP packet modified in the pcap for testing!).
If you remove "offset:13", Suricata fires.
Regards
Rmkml
Files
Updated by Victor Julien over 14 years ago
- Due date set to 05/03/2010
- Assignee set to OISF Dev
- Priority changed from Normal to High
- Target version set to 0.9.0
- Estimated time set to 2.00 h
Updated by Gurvinder Singh over 14 years ago
- File 0001-fixed-the-depth-updation-when-content_len-is-small.patch added
- Status changed from New to Resolved
- Assignee changed from OISF Dev to Gurvinder Singh
- % Done changed from 0 to 90
The issue was caused by an incorrect calculation of the depth value when the content length is smaller than the original depth value, while updating it to reflect the offset.
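To make the semantics of the reporter's rule (content + offset + depth) and the cause named in the comment above concrete, here is an added example; it is not Suricata's code and not the attached patch. It implements the rule-language meaning of the keywords directly: offset is where searching starts, depth counts bytes from that start, so the absolute end of the search window is offset + depth and does not depend on the content length (a depth shorter than the content simply cannot match). The rule string is the one from the report; the DNS-like payload is constructed here so that bytes 14-15 are 00 00, and the tiny rule parser handles only the first content keyword and its offset/depth options.

```python
import re
from typing import Optional, Tuple

# Rule from the bug report (the page's own signature).
RULE = ('alert udp any any -> any 53 (msg:"dns testing"; content:"|00 00|"; '
        'depth:5; offset:13; classtype:bad-unknown; sid:9436601; rev:1;)')


def parse_content(text: str) -> bytes:
    """Decode a content value: literal text with |hh hh| hex runs.
    Simplified for this example: escaped quotes, pipes and backslashes
    inside the value are not handled."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        # odd-numbered pieces sit between pipes and are hex
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_rule(rule: str) -> dict:
    """Extract content, offset and depth from the first content block.
    Example-only parser (assumption), not Suricata's rule parser."""
    opts = rule[rule.index("(") + 1:rule.rindex(")")]
    content = re.search(r'content:"([^"]*)"', opts)
    if content is None:
        raise ValueError("rule has no content keyword")

    def int_opt(name: str) -> Optional[int]:
        m = re.search(r'\b%s:(\d+)' % name, opts)
        return int(m.group(1)) if m else None

    return {"content": parse_content(content.group(1)),
            "offset": int_opt("offset") or 0,
            "depth": int_opt("depth")}


def search_window(payload_len: int, offset: int, depth: Optional[int]) -> Tuple[int, int]:
    """Absolute [start, end) byte range the whole content must fit inside.
    end = offset + depth (clamped to the payload); the content length
    plays no part in computing it."""
    start = min(offset, payload_len)
    end = payload_len if depth is None else min(offset + depth, payload_len)
    return start, end


def content_matches(payload: bytes, content: bytes,
                    offset: int = 0, depth: Optional[int] = None) -> bool:
    """True if content occurs entirely within the offset/depth window."""
    start, end = search_window(len(payload), offset, depth)
    window = payload[start:end]
    return len(content) <= len(window) and content in window


def rule_fires(rule: str, payload: bytes) -> bool:
    """Evaluate only the content/offset/depth part of a rule against a payload."""
    r = parse_rule(rule)
    return content_matches(payload, r["content"], r["offset"], r["depth"])


# Constructed DNS-like UDP payload (not the attached pcap): a 12-byte DNS
# header followed by a question section deliberately altered so that the
# label after the first length byte contains 00 00 at payload bytes 14-15.
HEADER = bytes.fromhex("1234 0100 0001 0000 0000 0000")
QUESTION = b"\x03w\x00\x00" + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"
PAYLOAD = HEADER + QUESTION

if __name__ == "__main__":
    print("search window for offset:13 depth:5 ->", search_window(len(PAYLOAD), 13, 5))
    print("rule fires:", rule_fires(RULE, PAYLOAD))
    print("without offset:", content_matches(PAYLOAD, b"\x00\x00", 0, 5))
```

With offset:13 and depth:5 the window is bytes 13 through 17, which in the constructed payload holds 77 00 00 07 65, so the rule should fire; dropping the offset searches bytes 0 through 4 of the header, which also contains 00 00 in the flags/QDCOUNT fields, matching the reporter's observation that the rule fires once offset is removed. A depth of 1 at offset 13 can never match a two-byte content, which is the boundary the fix in the comment above concerns.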
Updated by Victor Julien over 14 years ago
- Status changed from Resolved to Closed
- % Done changed from 90 to 100
Patch applied, sig fires now: 01/09/07-12:50:04.220003 [**] [1:9436601:1] dns testing [**] [Classification: Potentially Bad Traffic] [Priority: 3] {17} 193.96.3.74:64213 -> 192.52.178.30:53
Thanks for the report Rmkml!