Bug #4399

closed

Using the keyword 'offset' causes more alerts

Added by albert wang over 3 years ago. Updated 5 months ago.

Status: Rejected
Priority: Normal
Assignee: -
Target version: -
Affected Versions:
Effort:
Difficulty:
Label:

Description

The rule is as follows:
alert tcp any any -> any [445,135,139] (msg:"test";flow:from_client,established;content:"|FF||53||4d||42||A0|";sid:10001;rev:1;)
That alerted just 1 time, but after changing the rule to
alert tcp any any -> any [445,135,139] (msg:"test";flow:from_client,established;content:"|FF||53||4d||42||A0|";offset:4;depth:5;sid:10001;rev:1;)
it alerted 7 times.


Files

test.pcap (5.21 KB), albert wang, 03/16/2021 07:14 AM