Project

General

Profile

Actions

Bug #10

closed

flags:0; alerts when it shoudn't

Added by Will Metcalf about 15 years ago. Updated about 15 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Breno Silva
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

when checking for no tcp flags being set via flags:0; via flags:0; the engine alerts even when flags are set. I have attached a patch that has a failing unittest displaying this issue.

#rules file
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"No flags set"; flags:0; sid:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SYN flag set"; flags:S,12; sid:2;)

#tcpdump output of pcap
07:46:00.378379 IP 192.168.77.1.46820 > 192.168.77.191.8888: Flags [S], seq 2098534692, win 2048, options [mss 1460], length 0

#output of log file
11/16/09-13:46:00.378379 [**] [1:1:0] No flags set [**] [Classification: fixme] [Priority: 3] {6} 192.168.77.1:46820 -> 192.168.77.191:8888
11/16/09-13:46:00.378379 [**] [1:2:0] SYN flag set [**] [Classification: fixme] [Priority: 3] {6} 192.168.77.1:46820 -> 192.168.77.191:8888


Files

0001-unit-test-showing-flags-0-alerting-when-it-shouldn-t.patch (1.9 KB) 0001-unit-test-showing-flags-0-alerting-when-it-shouldn-t.patch failing unittest flags:0; firing when it shouldn't Will Metcalf, 11/19/2009 02:56 PM
0001-Flags-Issue.patch (3.28 KB) 0001-Flags-Issue.patch Patch to fix flags:0 rule option Breno Silva, 11/20/2009 02:32 PM
Actions

Also available in: Atom PDF