Bug #285 (closed)
FN on suricata 103/11beta2 - ftp format string
Description
Hi,
First, great congratulations on the new Suricata 1.0.3/1.1beta2 release!
Second, I have a small problem with the attached pcap file.
OK, first (poor/very simplified) sig, working:
alert tcp any any -> any 21 (msg:"FTP format string in ftp cmd attempt"; flow:to_server,established; content:"%"; depth:4; offset:0; classtype:misc-activity; sid:945011; rev:1;)
OK, second (poor/very simplified) sig, NOT working (but works with snort):
alert tcp any any -> any 21 (msg:"FTP format string in ftp cmd attempt"; flow:to_server,established; content:"%"; depth:4; offset:0; content:"%"; within:2; distance:1; classtype:misc-activity; sid:945012; rev:1;)
stream:
  checksum_validation: no  # "yes" gives the same problem for me
Thank you again for your time checking my test.
If you confirm, I'll open a new ticket on the Suricata redmine.
Regards
Rmkml
Updated by Victor Julien over 13 years ago
- Status changed from New to Closed
- Assignee set to Victor Julien
- Target version set to 1.1beta3
- % Done changed from 0 to 100
There are several issues:
1. distance wasn't properly taken into account when checking within: now fixed.
2. The toserver part of the stream wasn't inspected properly, as with the default config the RST was rejected. This can be addressed by adding the dst IP to the "linux" group in the host-os section in the yaml.
3. the toserver part should have been inspected in spite of (2) at flow "shut down". This is currently in the works.
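The two signatures in the report differ only in the second content with distance:1; within:2, which is the modifier pair item (1) above says was mishandled. The following Python model of the Snort/Suricata content-chain semantics is an added example written for this page; it is not Suricata's code and not the fix. It assumes the documented meaning of the modifiers: distance moves the search start N bytes past the end of the previous match, within caps the search end at N bytes past that same point, and depth counts from the offset (with offset:0 as in both rules, that reading and the "from payload start" reading coincide). The parse_rule and matches helpers and the FTP command lines in SAMPLES are constructed for the example, not taken from the attached pcap.

```python
from dataclasses import dataclass
from typing import Optional

# Model of content modifiers (added example, not Suricata code):
#   offset/depth    : absolute window, counted from the start of the payload
#   distance/within : relative window, counted from the END of the previous match
# Assumption: depth counts from the offset (irrelevant here, both rules use offset:0).


@dataclass
class Content:
    pattern: bytes
    offset: Optional[int] = None
    depth: Optional[int] = None
    distance: Optional[int] = None
    within: Optional[int] = None

    @property
    def relative(self) -> bool:
        return self.distance is not None or self.within is not None


def parse_rule(rule: str) -> list[Content]:
    """Hypothetical minimal parser: pulls the content chain out of a rule body.
    Handles plain quoted strings only (no |hex| escapes, nocase or other modifiers)."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    chain: list[Content] = []
    for option in body.split(";"):
        key, _, value = option.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "content":
            chain.append(Content(pattern=value.strip('"').encode()))
        elif key in ("offset", "depth", "distance", "within"):
            setattr(chain[-1], key, int(value))
    return chain


def search_window(c: Content, prev_end: Optional[int], size: int) -> tuple[int, int]:
    """Half-open byte range [start, end) the whole pattern must fit into."""
    if prev_end is None or not c.relative:
        start = c.offset or 0
        end = size if c.depth is None else min(size, start + c.depth)
    else:
        # distance and within are both measured from the end of the previous match
        start = prev_end + (c.distance or 0)
        end = size if c.within is None else min(size, prev_end + c.within)
    return max(start, 0), end


def match_chain(payload: bytes, chain: list[Content], prev_end: Optional[int] = None) -> bool:
    """Recursive matcher with backtracking: when a later content fails, the earlier
    one is retried at its next occurrence, as a real engine has to do."""
    if not chain:
        return True
    head, rest = chain[0], chain[1:]
    start, end = search_window(head, prev_end, len(payload))
    pos = payload.find(head.pattern, start, end)  # find() keeps the match inside [start, end)
    while pos >= 0:
        if match_chain(payload, rest, pos + len(head.pattern)):
            return True
        pos = payload.find(head.pattern, pos + 1, end)
    return False


def matches(rule: str, payload: bytes) -> bool:
    return match_chain(payload, parse_rule(rule))


# The two signatures from the report, each joined onto one line.
RULE_945011 = ('alert tcp any any -> any 21 (msg:"FTP format string in ftp cmd attempt"; '
               'flow:to_server,established; content:"%"; depth:4; offset:0; '
               'classtype:misc-activity; sid:945011; rev:1;)')
RULE_945012 = ('alert tcp any any -> any 21 (msg:"FTP format string in ftp cmd attempt"; '
               'flow:to_server,established; content:"%"; depth:4; offset:0; '
               'content:"%"; within:2; distance:1; classtype:misc-activity; sid:945012; rev:1;)')

# Constructed FTP command lines; expected (sid 945011, sid 945012) verdicts.
SAMPLES = {
    b"%s%s%s\r\n": (True, True),    # second "%" starts 1 byte after the first and ends within 2
    b"%%\r\n": (True, False),       # adjacent "%" violates distance:1, so only 945011 fires
    b"%%s%\r\n": (True, True),      # 945012 only matches by backtracking to the "%" at offset 1
    b"USER bob\r\n": (False, False),
}

if __name__ == "__main__":
    for payload, expected in SAMPLES.items():
        got = (matches(RULE_945011, payload), matches(RULE_945012, payload))
        print(f"{payload!r:18} sid945011={got[0]!s:5} sid945012={got[1]!s:5} "
              f"{'ok' if got == expected else 'MISMATCH'}")
```

The "%%s%" case is the one worth keeping in mind when reasoning about item (1): the relative window is anchored on whichever occurrence of the first content is currently being tried, so a verdict depends on the engine retrying the first content after the within/distance check fails, not just on the window arithmetic itself.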