Bug #3780

closed

Negated content with distance FP

Added by Francis Trudeau over 4 years ago. Updated about 2 years ago.

Status: Rejected
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

The following signature:

alert udp any any -> any any (msg:"Negated content with distance test"; content:"|C0 0C 00 10 00 01|"; content:!"v=spf"; distance:0; sid:30303; rev:1;)

This rule alerts on the attached pcap. The attached pcap has 'v=spf' in the packet after the hex content in the signature.

Tested with 6.0.0-dev (e5fd47dcf 2020-05-01), 5.0.3, 4.1.8, 4.0.7.
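As an added worked example (not from the ticket, and not Suricata's own code), the script below builds a constructed DNS TXT response of the kind this rule targets, so the byte offsets of the `|C0 0C 00 10 00 01|` content (compression pointer to the question name, type TXT, class IN) and of the `v=spf` text can be seen, and then evaluates the two contents under the plain reading of the report: a negated content with `distance:0` must not be found anywhere from the end of the previous match onward. The `relative_negated_check` function and the sample payload are assumptions for illustration; they do not reproduce Suricata's detection engine, whose behaviour on the attached pcap is what the ticket is about.

```python
import struct

# Bytes from the rule in the report: pointer 0xC00C, TYPE TXT (16), CLASS IN (1).
HEX_CONTENT = bytes.fromhex("C0 0C 00 10 00 01")
NEGATED_CONTENT = b"v=spf"


def build_dns_txt_response(name="example.com", txt=b"v=spf1 -all", txid=0x1234):
    """Constructed sample payload: a minimal DNS response with one question and one
    TXT answer whose owner name is a compression pointer to the question name."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    # ID, flags (standard response, RD+RA), QDCOUNT=1, ANCOUNT=1, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 16, 1)          # QTYPE TXT, QCLASS IN
    rdata = bytes([len(txt)]) + txt                        # TXT RDATA: <len><text>
    # 0xC00C points at offset 12, where the question name starts; then TYPE, CLASS, TTL, RDLENGTH
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata
    return header + question + answer


def relative_negated_check(payload, anchor, negated, distance=0):
    """Evaluate `content:anchor; content:!negated; distance:N;` under the reading the
    report assumes (an assumption of this example, not Suricata's engine logic):
    the anchor must be present, and the negated content must NOT occur anywhere at
    or after anchor_end + distance. Returns (rule_matches, offsets)."""
    start = payload.find(anchor)
    if start == -1:
        return False, {"anchor_offset": None, "anchor_end": None, "negated_offset": None, "gap": None}
    anchor_end = start + len(anchor)
    hit = payload.find(negated, anchor_end + distance)
    offsets = {
        "anchor_offset": start,
        "anchor_end": anchor_end,
        "negated_offset": None if hit == -1 else hit,
        # bytes between the end of the anchor match and the start of the negated content
        "gap": None if hit == -1 else hit - anchor_end,
    }
    return hit == -1, offsets


if __name__ == "__main__":
    for txt in (b"v=spf1 -all", b"v=dkim1"):
        payload = build_dns_txt_response(txt=txt)
        matched, offsets = relative_negated_check(payload, HEX_CONTENT, NEGATED_CONTENT, distance=0)
        print(txt, "->", "alert" if matched else "no alert", offsets)
```

On the SPF payload the hex content sits at offset 29 and `v=spf` at offset 42, seven bytes later (TTL, RDLENGTH and the TXT length byte lie between them), so with `distance:0` and no `within` the negated search starts at offset 35 and finds it; under this reading the rule does not match, which is the outcome the report expected for its pcap.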


Files

negated_content_distance.pcap (708 Bytes), Francis Trudeau, 06/24/2020 05:12 PM
clipboard-202211162139-zscym.png (315 KB), Victor Julien, 11/16/2022 08:39 PM

Subtasks 2 (0 open, 2 closed)

Task #5482: create SV tests to demonstrate false positive behavior for negated content and distance (bug 3780) (Closed; assignee: Shivani Bhardwaj)
Bug #5605: Negated content with distance FP (6.0.x backport) (Rejected)
