Project

General

Profile

Actions
Copy link

Bug #2056

closed

missing warning on a rule using within with one content keyword

Added by Peter Manev over 7 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
Effort:
Difficulty:
Label:

Description

alert udp $HOME_NET 1024: -> $EXTERNAL_NET 6000: (msg:"ET TROJAN Zeus P2P CnC"; content:"|AAAAAAAAAAAAAA|"; within:63; reference:url,www.abuse.ch/?p=3499; classtype:trojan-activity; sid:112233; rev:13;)

The rule above does not err/warn while loading in Suri but it should since within needs "two contents".
Tested with - 4.0dev (rev 6585ac4)

Actions
Copy link
 #1

Updated by Victor Julien over 7 years ago

At least in some cases this is intentional, like with file_data. It's interpreted as 'depth'. IIRC this was to ensure compatibility with rules for Snort.

Actions
Copy link
 #2

Updated by Andreas Herz over 7 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions
Copy link
 #3

Updated by Andreas Herz over 5 years ago

would be a warning still a valid solution?

Actions
Copy link
 #4

Updated by Victor Julien over 5 years ago

I'm inclined to leave as-is.

Actions
Copy link
 #5

Updated by Andreas Herz over 5 years ago

  • Status changed from New to Closed
Actions
Copy link

Also available in: Atom PDF