Bug #770

closed

negative depth and offset:0 fire ?

Added by rmkml rmkml almost 12 years ago. Updated almost 12 years ago.

Status: Closed
Priority: Normal

Description

Hi,
I'm checking Suricata and I'm curious about this "special" sig:
alert tcp any any -> any any (msg:"test sid"; flow:to_server,established; content:"LIST"; depth:-4; offset:0; classtype:suspicious-login; sid:1; rev:1;)

and Suricata fire two times:
03/03/2013-11:55:26.337310 [**] [1:1:1] test sid [**] [Classification: An attempted login using a suspicious username was detected] [Priority: 2] {TCP} 192.168.1.2:58129 -> a.b.c.d:21
03/03/2013-11:55:34.881652 [**] [1:1:1] test sid [**] [Classification: An attempted login using a suspicious username was detected] [Priority: 2] {TCP} 192.168.1.2:58129 -> a.b.c.d:21

OK, my pcap starts with "LIST", but negative depth is not possible?

Regards
Rmkml

Actions #1

Updated by Anoop Saldanha almost 12 years ago

  • Assignee set to Anoop Saldanha
  • Target version set to 1.4.2

Actions #3

Updated by Victor Julien almost 12 years ago

Actually, for the 1.4 branch we won't be merging that PR; that's for 2.0. So we'll need a fix for 1.4 as well. AFAICS the issue is that we don't reject the negative option in the parser, right?

Actions #4

Updated by Anoop Saldanha almost 12 years ago

Victor Julien wrote:

Actually, for the 1.4 branch we won't be merging that PR; that's for 2.0. So we'll need a fix for 1.4 as well. AFAICS the issue is that we don't reject the negative option in the parser, right?

Ah! Right. Forgot that. Will create a separate one for 1.5

Yeah, we don't see negative.

Actions #6

Updated by Victor Julien almost 12 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

Merged, thanks!
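
The parser-side check discussed in this thread (rejecting a negative depth or offset value when the rule is loaded), written as an added example; it is not Suricata's code or the merged fix. The function name `parse_content_modifier` and the 16-bit upper bound are assumptions made for the example.

```c
#include <ctype.h>
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper, not Suricata's API: parse the value of a
 * depth/offset keyword. Returns 0 and stores the value on success,
 * -1 if the rule should be rejected at load time. */
int parse_content_modifier(const char *s, uint16_t *out)
{
    char *end;
    unsigned long v;

    while (isspace((unsigned char)*s))
        s++;
    /* strtoul() accepts a leading '-' and returns the negated value as
     * unsigned without setting errno, so "-4" would turn into a huge
     * depth. Requiring a digit first also rejects "+4" and "". */
    if (!isdigit((unsigned char)*s))
        return -1;

    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || v > UINT16_MAX)  /* assumed 16-bit field */
        return -1;
    while (isspace((unsigned char)*end))
        end++;
    if (*end != '\0')                       /* trailing junk, e.g. "4x" */
        return -1;

    *out = (uint16_t)v;
    return 0;
}

int main(void)
{
    /* Constructed sample values; "-4" is the one from the reported rule. */
    const char *samples[] = { "4", "-4", "4x", "70000" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint16_t v = 0;
        int rc = parse_content_modifier(samples[i], &v);
        printf("%-6s -> %s\n", samples[i], rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```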
