
Bug #411

closed

FP with byte_jump and content within on suricata v121

Added by rmkml over 12 years ago. Updated over 12 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,
I'm submitting this FP; attached is an SNMP pcap file and this very simple signature:
alert udp any any -> any 161 (msg:"test snmp suricata"; byte_jump:1,6; content:"|01|"; within:1; distance:3; classtype:attempted-recon; sid:9110892; rev:1;)
Suricata v1.2.1 fires (it's wrong), but why?
UDP payload (from the extracted pcap file):
30 4D 02 01 00 04 06 p u b l i c A0 40 02 03 0A 01 9F
...
Of course, Snort does not fire. Another sig, for Snort this time, on the same pcap:
alert udp any any -> any 161 (msg:"test snmp suricata"; byte_jump:1,6; content:"|03|"; within:1; distance:3; classtype:attempted-recon; sid:9110893; rev:1;)
Snort fires! (it's true)
Regards
Rmkml


Files

exemple_snmp_fp_suricata.pcap (161 Bytes), added by rmkml, 01/31/2012 03:45 PM
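To see why only the `|03|` variant should match, here is an added example (not code from the bug report, Snort or Suricata) that re-implements the `byte_jump` / `content` / `distance` / `within` arithmetic over the payload quoted above, using the documented Snort rule-language semantics (an assumption, not something the report states): `byte_jump:1,6` reads one byte at payload offset 6 and moves the detection cursor that many bytes past the byte it read; `distance:3` starts the content search 3 bytes after the cursor; `within:1` requires the 1-byte content to sit entirely inside that 1-byte window.

```python
# Payload bytes exactly as quoted in the report (SNMP GetRequest, community "public").
PAYLOAD = bytes.fromhex("304d0201000406") + b"public" + bytes.fromhex("a04002030a019f")


def byte_jump(payload, num_bytes, offset, cursor=0, relative=False):
    """Emulate byte_jump:<num_bytes>,<offset>[,relative].

    Reads num_bytes (big-endian) at offset, then returns the new cursor:
    the position just past the bytes read plus the value read.
    Returns None when the read or the jump would leave the payload.
    """
    start = cursor + offset if relative else offset
    if start < 0 or start + num_bytes > len(payload):
        return None
    value = int.from_bytes(payload[start:start + num_bytes], "big")
    new_cursor = start + num_bytes + value
    return new_cursor if new_cursor <= len(payload) else None


def content_within(payload, cursor, pattern, distance=0, within=None):
    """Emulate content:<pattern>; distance:<distance>; within:<within>.

    The search window opens `distance` bytes after the cursor and, with
    `within`, is only `within` bytes wide; the whole pattern must fit in it.
    Returns the position just past the match, or None.
    """
    start = cursor + distance
    end = len(payload) if within is None else min(len(payload), start + within)
    idx = payload.find(pattern, start, end)  # pattern must lie fully in [start, end)
    return None if idx == -1 else idx + len(pattern)


def rule_matches(payload, pattern):
    """The reporter's rule: byte_jump:1,6; content:<pattern>; within:1; distance:3."""
    cursor = byte_jump(payload, 1, 6)
    if cursor is None:
        return False
    return content_within(payload, cursor, pattern, distance=3, within=1) is not None


if __name__ == "__main__":
    # Offset 6 holds 0x06, the BER length of "public", so the jump lands on the
    # PDU tag A0 at offset 13; distance:3 then points at offset 16, which is 0x03.
    print("cursor after byte_jump:", byte_jump(PAYLOAD, 1, 6))   # 13
    print("|01| rule fires:", rule_matches(PAYLOAD, b"\x01"))    # False
    print("|03| rule fires:", rule_matches(PAYLOAD, b"\x03"))    # True
```

With these semantics the `|01|` rule must not fire on this packet, which is the behaviour Snort shows and Suricata 1.2.1 did not.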
Actions #1

Updated by Victor Julien over 12 years ago

  • Status changed from New to Assigned
  • Assignee set to Anoop Saldanha
  • Target version set to 1.3beta1
  • Estimated time set to 4.00 h

Anoop, can you take this on and add (a) unittest(s) while at it?

Actions #2

Updated by Anoop Saldanha over 12 years ago

Sure

Actions #3

Updated by Anoop Saldanha over 12 years ago

  • Status changed from Assigned to Resolved

Patches sent privately.

Actions #4

Updated by Victor Julien over 12 years ago

  • Status changed from Resolved to Closed
  • % Done changed from 0 to 100

Applied, thanks Anoop.
