Bug #207 (closed)
False Negative related to use of depth/offset when processing the attached pcap
Description
Even though I believe that the rule author misunderstands the use of depth/offset, this rule should still fire. In Snort this rule fires; in Suricata it doesn't. The very bizarre thing about this issue is that if you modify depth in the following part of the rule to be any other value greater than 7, except for 32 - 35, the sig fires. Why do we miss these bytes? Even if I set relative depth to something like 5000 the sig fires.
content: "|00 00 00 03|"; offset: 28; depth: 32;
alert tcp $HOME_NET 10000 -> $EXTERNAL_NET any (msg:"ET EXPLOIT NDMP Notify Connect - Possible Backup Exec Remote Agent Recon"; flow:established,from_server; content:"|00 00 05 02|"; offset:16; depth:20; content: "|00 00 00 03|"; offset: 28; depth: 32; classtype:attempted-recon; reference:url,www.ndmp.org/download/sdk_v4/draft-skardal-ndmp4-04.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2002068; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Veritas_BUExec; sid:2002068; rev:8;)
0000 80 00 00 24 00 00 00 01 4c 36 76 f7 00 00 00 00
0010 00 00 05 02 00 00 00 00 00 00 00 00 00 00 00 00
0020 00 00 00 03 00 00 00 00
src/suricata -s 2002068.rules -l ./ -c suricata.yaml -r ../metasploit-tests/backupexec_90_remote_agent_overflow.pcap
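The two ways an engine can read a content's depth when it is combined with offset explain most of what is reported above: depth counted from the offset position (the "relative depth" the reporter refers to, so the window is [offset, offset+depth)) and depth counted from the start of the payload (the window is [offset, depth)). The script below is an added example, not code from the ticket, from Suricata or from Snort; it replays the ticket's own 40-byte payload and the two content matches of sid:2002068 through a minimal matcher that implements both readings, and lists which depth values between 8 and 40 miss under each. Under the relative reading no depth from 8 upward misses; under the absolute reading every depth up to 35 misses, so the reported misses at 32 - 35 are exactly where the two readings disagree for the second content.

```python
# Added example (not from the ticket, Suricata or Snort): a minimal
# content/offset/depth matcher used to reason about the false negative in bug #207.
from typing import List, Tuple

# Payload bytes copied from the ticket's hex dump (40 bytes).
PAYLOAD = bytes.fromhex(
    "80 00 00 24 00 00 00 01 4c 36 76 f7 00 00 00 00 "
    "00 00 05 02 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 03 00 00 00 00 "
)

# The two content matches of sid:2002068 as (pattern, offset, depth).
RULE_CONTENTS = [
    (bytes.fromhex("00000502"), 16, 20),
    (bytes.fromhex("00000003"), 28, 32),
]


def search_window(payload_len: int, offset: int, depth: int, relative: bool) -> Tuple[int, int]:
    """Return the [start, end) byte range in which the pattern must fit completely.

    relative=True : depth is counted from offset, window = [offset, offset + depth).
    relative=False: depth is counted from byte 0,   window = [offset, depth).
    The window is clipped to the payload; an empty window comes back as (start, start).
    """
    start = min(offset, payload_len)
    end = offset + depth if relative else depth
    end = max(start, min(end, payload_len))
    return start, end


def content_matches(payload: bytes, pattern: bytes, offset: int, depth: int, relative: bool) -> bool:
    """True if the pattern occurs entirely inside the search window."""
    start, end = search_window(len(payload), offset, depth, relative)
    # bytes.find with start/end only reports occurrences that fit inside [start, end).
    return payload.find(pattern, start, end) != -1


def rule_matches(payload: bytes, contents, relative: bool) -> bool:
    """All content matches of the rule must succeed for the rule to fire."""
    return all(content_matches(payload, p, o, d, relative) for p, o, d in contents)


def missed_depths(payload: bytes, pattern: bytes, offset: int, depths, relative: bool) -> List[int]:
    """Depth values from `depths` for which the content does NOT match."""
    return [d for d in depths if not content_matches(payload, pattern, offset, d, relative)]


if __name__ == "__main__":
    pattern, offset, _ = RULE_CONTENTS[1]
    for relative in (True, False):
        label = "depth counted from offset" if relative else "depth counted from payload start"
        print(f"{label}: rule fires = {rule_matches(PAYLOAD, RULE_CONTENTS, relative)}")
        print(f"  window for offset 28 / depth 32: {search_window(len(PAYLOAD), 28, 32, relative)}")
        print(f"  depths 8..40 that miss: {missed_depths(PAYLOAD, pattern, offset, range(8, 41), relative)}")
```

Run as is, the relative reading fires for every depth the reporter tried, including 5000 (the window is simply clipped to the payload), while the absolute reading misses for every depth below 36, since the pattern occupies bytes 32 - 35 and cannot fit in a window ending before byte 36.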
Files
Updated by Pablo Rincon over 14 years ago
- File 0001-Fix-for-bug-207-depth-offset-not-correctly-updated-o.patch added
We were not handling correctly the combination of depth/offset in certain cases. The attached patch fixes this issue.
Updated by Victor Julien over 14 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100