Bug #2263: content matches disregarded when using dns_query on udp traffic
Status: closed
Description
Using Suricata 4.0.x, content matches before the dns_query sticky buffer are disregarded.
- FP:
alert dns $HOME_NET any -> any any (msg:"test (fp)"; content:"|01|"; depth:1; offset:2; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|10|"; distance:1; within:1; content:"|06|"; distance:16; within:1; content:"|03|top|00|"; distance:6; within:5; dns_query; content:".top"; classtype:trojan-activity; sid:1; rev:1;)
- no FP:
alert dns $HOME_NET any -> any any (msg:"test (no fp)"; content:"|01|"; depth:1; offset:2; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|10|"; distance:1; within:1; content:"|06|"; distance:16; within:1; content:"|03|top|00|"; distance:6; within:5; classtype:trojan-activity; sid:2; rev:1;)
Previous versions unaffected
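As an added illustration, not code from the report or from Suricata, the following Python models the two rules above: the payload content chain with offset/depth and distance/within semantics, the dns_query buffer as the question name, and a bug_2263 switch that reproduces the reported behaviour of disregarding the chain once dns_query is present. The packets and the switch are constructed assumptions for the demonstration.

```python
# Added example, not Suricata code: model sid:1 / sid:2 from the report.
import struct

def build_dns_query(labels):
    """Construct a standard DNS query (RD set, QDCOUNT=1, type A, class IN)."""
    header = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)

def dns_query_name(payload):
    """Return the first question name, the data Suricata exposes as dns_query."""
    pos, labels = 12, []
    while payload[pos]:
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels)

def content_chain(payload, chain):
    """All (pattern, modifiers) must match; the pattern must lie fully in its window."""
    last_end = 0
    for pat, mods in chain:
        if "offset" in mods or "depth" in mods:     # absolute, from payload start
            start = mods.get("offset", 0)
        else:                                       # relative to previous match end
            start = last_end + mods.get("distance", 0)
        size = mods.get("depth", mods.get("within", len(payload)))
        idx = payload.find(pat, start, start + size)
        if idx < 0:
            return False
        last_end = idx + len(pat)
    return True
# The payload matches shared by sid:1 and sid:2 in the report.
SID1_CHAIN = [
    (b"\x01", {"offset": 2, "depth": 1}),                             # flags: RD set
    (b"\x00\x01\x00\x00\x00\x00\x00", {"distance": 1, "within": 7}),  # QD=1, AN=NS=0
    (b"\x10", {"distance": 1, "within": 1}),                          # 16-byte label
    (b"\x06", {"distance": 16, "within": 1}),                         # 6-byte label
    (b"\x03top\x00", {"distance": 6, "within": 5}),                   # "top", root
]
def rule_matches(payload, chain, query_content=None, bug_2263=False):
    """sid:2 is the chain only; sid:1 adds dns_query content. bug_2263=True models the report."""
    payload_ok = content_chain(payload, chain)
    if query_content is None:
        return payload_ok
    query_ok = query_content in dns_query_name(payload)
    return query_ok if bug_2263 else (payload_ok and query_ok)
PKT_STRUCTURED = build_dns_query([b"a" * 16, b"b" * 6, b"top"])  # constructed: matches the chain
PKT_FP = build_dns_query([b"example", b"top"])                    # constructed: only ends in .top
```

With the switch off, PKT_FP fires neither rule; with it on, sid:1 fires on PKT_FP while sid:2 still does not, which is the false positive the report describes.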