Actions
Bug #4399
closeduse keyword ‘offset’ that cause more alert
Status:
Rejected
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:
Description
The rules are as followsalert tcp any any -> any [445,135,139] (msg:"test";flow:from_client,established;content:"|FF||53||4d||42||A0|";sid:10001;rev:1;)
that just Alerted 1 times,but change ruler toalert tcp any any -> any [445,135,139] (msg:"test";flow:from_client,established;content:"|FF||53||4d||42||A0|";offset:4;depth:5;sid:10001;rev:1;)
that Alerted 7 times
Files
Updated by Jeff Lucovsky almost 4 years ago
This is working as designed. If the depth option is used with TCP, we assume that the rule writer meant to inspect a record/pdu, and so we inspect individual packets but also the reassembled stream. If there is no depth we just inspect the stream
Updated by Philippe Antoine 7 months ago
- Status changed from New to Rejected
Working as designed
Frames can also help here write better rules than raw TCP stream inspection
Actions