Suricata custom.rules payloads doesn't block or alert
  • Pfsense : 2.3.2
    Suricata : 3.0_7

    Hi,
    I make my own rules for testing payloads with content keywords in custom.rules, but they don't work  ???
    Content keyword : https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Payload_keywords

    My rules :

    Payload content keyword : "........netcore" or "|2E 2E 2E 2E 2E 2E 2E 2E|netcore"
    
    alert udp any any <> any 53413 (msg:"test netcore exploit"; content:"........netcore"; depth:15; classtype:attempted-admin; sid:9900001; rev:1;)
    
    alert udp any any <> any 53413 (msg:"test netcore exploit"; content:"|2E 2E 2E 2E 2E 2E 2E 2E|netcore"; depth:15; classtype:attempted-admin; sid:9900002; rev:1;)

    Result with both rules : No alert, no block.

    Working fine only with threshold options :

    alert udp any any <> any 53413 (msg:"test netcore exploit"; threshold: type threshold, track by_src, count 1, seconds 60; classtype:attempted-admin; sid:9900003; rev:1;)

    Result : Alert and block

    Anyone ?

    Thank you  ;)



  • Just use…

    alert udp any any -> any 53413 (msg:"test netcore exploit"; content:"netcore"; depth:16; classtype:attempted-admin; sid:9900002; rev:1;)

    F.
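A small model of how Suricata evaluates `content` together with `depth`, added here as an example (it is not code from the thread or from Suricata). It assumes a constructed payload of eight non-printable bytes followed by "netcore", which is how a packet dump would display "........netcore"; the rule names and the sample bytes are assumptions, not captured traffic.

```python
"""Model of Suricata 'content' + 'depth' matching (added example, not from the thread).

Suricata content strings are literal bytes: '|2E 2E|' is hex notation for
the same two '.' bytes, and '.' is NOT a wildcard. 'depth:N' restricts the
search to the first N bytes of the payload.
"""
import re
from typing import Dict, Optional

# A |..| run inside a content string holds hex bytes, optionally separated by spaces.
HEX_RUN = re.compile(r"\|([0-9A-Fa-f\s]+)\|")


def parse_content(spec: str) -> bytes:
    """Translate a Suricata content string (with |hex| runs) into raw bytes."""
    out = bytearray()
    pos = 0
    for m in HEX_RUN.finditer(spec):
        out += spec[pos:m.start()].encode("latin-1")  # literal text, byte for byte
        out += bytes.fromhex(m.group(1))              # fromhex ignores whitespace
        pos = m.end()
    out += spec[pos:].encode("latin-1")
    return bytes(out)


def content_matches(payload: bytes, spec: str, depth: Optional[int] = None) -> bool:
    """True if the content bytes occur wholly inside the first `depth` payload bytes."""
    needle = parse_content(spec)
    window = payload if depth is None else payload[:depth]
    return needle in window


# Constructed sample payload (assumption): 8 non-printable bytes, "netcore", one trailing byte.
# A dump prints the leading 0x00 bytes as dots, which is where "........netcore" comes from.
SAMPLE_PAYLOAD = b"\x00" * 8 + b"netcore" + b"\x00"


def evaluate_thread_rules(payload: bytes = SAMPLE_PAYLOAD) -> Dict[str, bool]:
    """Apply the three content specs from the thread to the sample payload."""
    return {
        "sid 9900001 dots depth:15": content_matches(payload, "........netcore", 15),
        "sid 9900002 hex depth:15": content_matches(payload, "|2E 2E 2E 2E 2E 2E 2E 2E|netcore", 15),
        "fsansfil netcore depth:16": content_matches(payload, "netcore", 16),
    }


if __name__ == "__main__":
    for name, hit in evaluate_thread_rules().items():
        print(f"{name:28s} -> {'match' if hit else 'no match'}")
```

Against this payload the first two specs fail even with no `depth` at all, because 0x2E never equals the leading 0x00 bytes, while `content:"netcore"` matches as long as `depth` covers byte 15; lowering it to 14 cuts the string off and the rule goes quiet again.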



  • Wrong depth keyword in my rules.

    Thanks fsansfil,
    your rule works like a charm  ;)

