Suricata custom.rules payloads doesn't block or alert

p-root

Pfsense : 2.3.2
Suricata : 3.0_7

Hi,
I make my own rules for testing payloads with content keywords in custom.rules, but they doesn't work  ???
Content keyword : https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords

My rules :

Payload content keyword : "........netcore" or "|2E 2E 2E 2E 2E 2E 2E 2E|netcore"

alert udp any any <> any 53413 (msg:"test netcore exploit"; content:"........netcore"; depth:15; classtype:attempted-admin; sid:9900001; rev:1;)

alert udp any any <> any 53413 (msg:"test netcore exploit"; content:"|2E 2E 2E 2E 2E 2E 2E 2E|netcore"; depth:15; classtype:attempted-admin; sid:9900002; rev:1;)

Result with both rules : No alert, no block.

Working fine only with threshold options :

alert udp any any <> any 53413 (msg:"test netcore exploit"; threshold: type threshold, track by_src, count 1, seconds 60; classtype:attempted-admin; sid:9900003; rev:1;)

Result : Alert and block

Anyone ?

Thank you  ;)

fsansfil

Just use…

alert udp any any -> any 53413 (msg:"test netcore exploit"; content:"netcore"; depth:16; classtype:attempted-admin; sid:9900002; rev:1;)

F.

p-root

Wrong depth keyboard in my rules.

Thank's fsansfil,
your rule works like a charm  ;)