Bug #3780
closed
Negated content with distance FP
Added by Francis Trudeau over 4 years ago.
Updated about 2 years ago.
Description
The following signature:
alert udp any any -> any any (msg:"Negated content with distance test"; content:"|C0 0C 00 10 00 01|"; content:!"v=spf"; distance:0; sid:30303; rev:1;)
This rule alerts on the attached pcap. The attached pcap has 'v=spf' in the packet after the hex content in the signature.
Tested with 6.0.0-dev (e5fd47dcf 2020-05-01), 5.0.3, 4.1.8, 4.0.7.
- Status changed from New to Assigned
- Assignee set to Victor Julien
- Priority changed from Normal to High
- Target version set to 7.0.0-beta1
- Label Needs backport to 6.0 added
- Related to Task #5482: create SV tests to demonstrate false positive behavior for negated content and distance (bug 3780) added
- Label deleted (Needs backport to 6.0)
- Target version changed from 7.0.0-beta1 to 7.0.0-rc1
I believe that the behavior is correct. content:"|C0 0C 00 10 00 01|"; is found 4 times in the payload. Three of them before the v=spf string, 1 after. The one after then looks if it is followed by v=spf, which it isn't. So the content:!"v=spf"; distance:0; matches that 4th time, as expected.
- Status changed from Assigned to Rejected
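The matching logic described in the comment above, as an added example that is not part of this ticket or of Suricata's own code: a toy model of relative content matching in which every occurrence of the first content is tried in turn, and a negated content with distance:0 is satisfied for an occurrence when the negated string is absent anywhere after that occurrence's end. The payload is constructed to mirror the report (the hex content four times, v=spf after the third), not the attached pcap. The optional `within` parameter is an assumption added here to show how a window limit changes which occurrence satisfies the negated check; the original rule has no within keyword.

```python
# Added example: simplified model of Suricata-style relative content matching.
# This is not Suricata's implementation; it models the semantics described in the ticket.
from typing import List, Optional, Tuple


def find_all(payload: bytes, needle: bytes) -> List[int]:
    """Return every start offset of needle in payload (overlapping matches included)."""
    hits, start = [], 0
    while True:
        idx = payload.find(needle, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def negated_after(payload: bytes, needle: bytes, anchor_end: int,
                  distance: int = 0, within: Optional[int] = None) -> bool:
    """Model of content:!"needle"; distance:D; [within:W;] relative to a previous
    match that ended at anchor_end. Returns True when the negated content is
    satisfied, i.e. needle does NOT occur inside the allowed window."""
    lo = anchor_end + distance
    hi = len(payload) if within is None else min(len(payload), lo + within)
    return payload.find(needle, lo, hi) < 0


def rule_matches(payload: bytes, first: bytes, negated: bytes,
                 distance: int = 0, within: Optional[int] = None) -> Optional[int]:
    """Evaluate content:"first"; content:!"negated"; distance:D; [within:W;].
    Every occurrence of `first` is tried; the rule alerts on the first occurrence
    for which the negated check holds. Returns that occurrence's offset, or None."""
    for start in find_all(payload, first):
        if negated_after(payload, negated, start + len(first), distance, within):
            return start
    return None


# Constructed payload (assumption, not the attached pcap): the hex content appears
# four times, three before "v=spf" and one after, as the ticket describes.
HEX = bytes.fromhex("C00C00100001")
PAYLOAD = (b"\x00\x01" + HEX + b"AAAA" + HEX + b"BBBB" + HEX
           + b"\x00\x10v=spf1 -all" + HEX + b"\x00\x00")


def explain(payload: bytes) -> List[Tuple[int, bool]]:
    """Per-occurrence trace: (offset of hex content, True if v=spf is found after it)."""
    return [(s, not negated_after(payload, b"v=spf", s + len(HEX)))
            for s in find_all(payload, HEX)]


if __name__ == "__main__":
    for off, followed in explain(PAYLOAD):
        print(f"hex content at {off}: {'followed' if followed else 'NOT followed'} by v=spf")
    hit = rule_matches(PAYLOAD, HEX, b"v=spf")
    print("rule alerts on occurrence at", hit if hit is not None else "(no alert)")
```

Running it shows the first three occurrences (offsets 2, 12, 22) each have v=spf somewhere after them, while the fourth (offset 41) does not, so the rule alerts on that fourth occurrence. Truncating the payload before the fourth occurrence yields no alert, and adding a small within window makes even the first occurrence satisfy the negated check, because v=spf is not inside that window.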