Suricata

Hi,

Congratulations for new Suricata v1.4.6 version !

ok I'm found a FP with joigned pcap and this old sig please:

bad-traffic.rules:alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC 0 ttl"; ttl:0; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:1321; rev:8;)

suricata fast.log output:
10/03/2013-12:33:42.042308 [**] [1:1321:8] BAD-TRAFFIC 0 ttl [**] [Classification: Misc activity] [Priority: 3] {HOPOPT} 0000:0000:0463:6f64:6504:6d73:646e:096d:0 -> 6963:726f:736f:6674:0363:6f6d:0000:0100:0

but joigned pcap are dns/udp, tcpdump output: (it's a good dns request, not fuzzing)
12:33:42.042308 IP (tos 0x0, ttl 64, id 34529, offset 0, flags [DF], proto UDP (17), length 69)
192.168.69.156.49379 > 192.38.129.234.53: [udp sum ok] 28390+ A? code.msdn.microsoft.com. (41)
E..E....kq..E..&.....5.1..n............code.msdn microsoft.com.....

Please check.

fp with suricata v1.4.5
fp with suricata v1.4.6
fp with suricata v2.0beta1

Regards
@rmkml rmkml
http://etplc.org