Project

General

Profile

Actions

Bug #558

closed

rule analyzer: print fast_pattern and it's buffer

Added by Victor Julien about 12 years ago. Updated about 12 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

== Sid: 2000499 ==
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "ET ATTACK RESPONSE FTP inaccessible directory access COM1"; flow: established; content:"/COM1/"; nocase; classtype: string-detect; sid: 2000499; rev:6; )
    Rule matches on reassembled stream.
    Fast_pattern: "/COM1/" in reassembled stream
    Rule contains 1 content options, 0 http content options, 0 pcre options, and 0 pcre options with http modifiers.
    No warnings for this rule.

Additionally, if a signature matches on http, we should warn if the fast pattern is not in a http buffer.

Actions

Also available in: Atom PDF