Suricata custom.rules payloads doesn't block or alert
-
Pfsense : 2.3.2
Suricata : 3.0_7

Hi,
I make my own rules for testing payloads with content keywords in custom.rules, but they don't work???
Content keyword : https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords

My rules :
Payload content keyword : "........netcore" or "|2E 2E 2E 2E 2E 2E 2E 2E|netcore"

alert udp any any <> any 53413 (msg:"test netcore exploit"; content:"........netcore"; depth:15; classtype:attempted-admin; sid:9900001; rev:1;)
alert udp any any <> any 53413 (msg:"test netcore exploit"; content:"|2E 2E 2E 2E 2E 2E 2E 2E|netcore"; depth:15; classtype:attempted-admin; sid:9900002; rev:1;)
Result with both rules : No alert, no block.
Working fine only with threshold options :
alert udp any any <> any 53413 (msg:"test netcore exploit"; threshold: type threshold, track by_src, count 1, seconds 60; classtype:attempted-admin; sid:9900003; rev:1;)
Result : Alert and block
Anyone ?
Thank you ;)
-
Just use…
alert udp any any -> any 53413 (msg:"test netcore exploit"; content:"netcore"; depth:16; classtype:attempted-admin; sid:9900002; rev:1;)
F.
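Added illustration (my own code, not from this thread or from the Suricata project): a small Python re-implementation of the content/depth semantics from the Payload_keywords wiki page linked above, run against a constructed sample payload, showing why the two content rules in the question stay silent while fsansfil's rule fires. The sample payload (eight non-printable header bytes, then "netcore") is an assumption made for the demonstration, not the original poster's captured traffic.

```python
# Added example, not code from the thread or from the Suricata project:
# a minimal re-implementation of Suricata's content/depth matching semantics,
# used to show why the two content rules in the question never fired while
# fsansfil's rule did. The sample payload below is constructed for the
# demonstration; it is not the actual traffic the original poster saw.
import re
from typing import Optional

# Hex runs inside pipes, e.g. "|2E 2E|", are raw bytes in Suricata content syntax.
HEX_RUN = re.compile(r"\|([0-9A-Fa-f\s]+)\|")


def parse_content(text: str) -> bytes:
    """Convert a Suricata content string into the raw bytes it matches.

    Runs of hex inside pipes become raw bytes; everything else is taken
    literally, so "........" is eight 0x2E bytes, exactly like |2E 2E ...|.
    """
    out = bytearray()
    pos = 0
    for m in HEX_RUN.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1))
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def content_matches(payload: bytes, content: str, depth: Optional[int] = None) -> bool:
    """True if `content` occurs entirely within the first `depth` payload bytes.

    This is the documented meaning of depth: the pattern must end at or
    before byte `depth`, so a 15-byte pattern with depth:15 can only match
    at offset 0. Without depth the whole payload is searched.
    """
    needle = parse_content(content)
    window = payload if depth is None else payload[:depth]
    return needle in window


# Constructed sample: eight non-printable header bytes followed by the ASCII
# string "netcore" and a few trailing bytes. A hex-dump viewer renders
# non-printable bytes as '.', so a rule written from the ASCII column matches
# the literal byte 0x2E instead of the header bytes actually on the wire.
SAMPLE_PAYLOAD = bytes(range(8)) + b"netcore" + b"\x00" * 4

# (label, content keyword, depth) for the three content rules in the thread.
RULES = [
    ("9900001", "........netcore", 15),
    ("9900002", "|2E 2E 2E 2E 2E 2E 2E 2E|netcore", 15),
    ("fsansfil", "netcore", 16),
]


def evaluate_rules(payload: bytes) -> dict:
    """Return {label: matched} for every rule in RULES against one payload."""
    return {label: content_matches(payload, content, depth) for label, content, depth in RULES}


if __name__ == "__main__":
    for label, matched in evaluate_rules(SAMPLE_PAYLOAD).items():
        print(f"{label}: {'ALERT' if matched else 'no match'}")
```

Two things the run makes visible: the first two rules only ever match a payload that really begins with eight 0x2E bytes, and the depth in fsansfil's rule only has to reach the byte where "netcore" ends (here 15, so depth:14 misses and depth:15 or 16 hits). The threshold-only rule from the question has no content condition at all, which is why it alerted: it fires on every UDP packet to port 53413, payload or not.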
-
Wrong depth keyword in my rules.
Thanks fsansfil,
your rule works like a charm ;)