Project

General

Profile

Actions
Copy link

Bug #148

closed

sid:2002908 should fire when processing the attached pcap but doesn't.

Added by Will Metcalf over 14 years ago. Updated over 14 years ago.

Status:
Closed
Priority:
High
Assignee:
Victor Julien
Target version:
0.9.0
Affected Versions:
Effort:
Difficulty:
Label:

Description

src/suricata -c suricata.yaml -r /home/coz/suricata35.pcap -l ./ -s blah.rules

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT x86 JmpCallAdditive Encoder"; content:"|FC BB|"; content:"|EB 0C 5E 56 31 1E AD 01 C3 85 C0 75 F7 C3 E8 EF FF FF FF|"; distance: 4; within: 19; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2002908; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2002908; rev:4;)

bytes in packet no 98:

fc bb 8e a1 22 4a eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef ff ff ff

Files

suricata35.pcap (864 KB) suricata35.pcap metsploit08-067 pcap Will Metcalf, 05/05/2010 09:56 PM
Actions
Copy link
 #1

Updated by Victor Julien over 14 years ago

  • Assignee changed from OISF Dev to Victor Julien
Actions
Copy link
 #2

Updated by Victor Julien over 14 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

Issue was caused by broken within calculation. Fixed.

Actions
Copy link

Also available in: Atom PDF