Bug #1161
closed
eve: src and dst mixed up in some cases
Added by Victor Julien over 10 years ago.
Updated over 10 years ago.
Description
It seems that in some cases the src and dst IP and ports are in the reverse order.
Here's my analysis and remarks with the different event_types and the patch from https://github.com/inliniac/suricata/pull/915
http - src/dst switched => Patch OK
http - length = is this the size from client to server or from server to client? What about the other one? In HTTP POST (for example) it's important to know client-to-server.
fileinfo - toserver - probably not needed => probably out of scope, or otherwise content type must be decoded to be of any use
fileinfo - toclient - src/dst switched => Patch OK
dns - type:query - src/dst switched => Patch OK
dns - type:answer - src/dst correct => Patch ERROR
- Priority changed from Normal to High
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
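The orientation problems listed in the description can be spotted from the EVE output itself. The script below is an added example, not code from the report or from the Suricata project: it reads EVE JSON lines and flags http and dns records whose src/dst look reversed, using the assumption that the server side of these flows sits on a well-known service port (http and dns queries should run client -> server, dns answers server -> client, matching the cases marked "switched" and "correct" above). fileinfo is deliberately not judged, since its direction depends on a field this check does not look at. The sample lines are constructed for the example, not captured output.

```python
import json

# Constructed EVE JSON lines (not real Suricata output). They model the
# orientations discussed in the bug report: an http record oriented client
# to server, the same flow with src/dst swapped (a POST, where the
# client-to-server side matters), and a dns query/answer pair where only
# the query is swapped.
SAMPLE_EVE_LINES = [
    '{"event_type": "http", "proto": "TCP", "src_ip": "10.0.0.5", "src_port": 51234, '
    '"dest_ip": "93.184.216.34", "dest_port": 80, "http": {"hostname": "example.com", "http_method": "GET"}}',
    '{"event_type": "http", "proto": "TCP", "src_ip": "93.184.216.34", "src_port": 80, '
    '"dest_ip": "10.0.0.5", "dest_port": 51234, "http": {"hostname": "example.com", "http_method": "POST"}}',
    '{"event_type": "dns", "proto": "UDP", "src_ip": "8.8.8.8", "src_port": 53, '
    '"dest_ip": "10.0.0.5", "dest_port": 40001, "dns": {"type": "query", "id": 7, "rrname": "example.com"}}',
    '{"event_type": "dns", "proto": "UDP", "src_ip": "8.8.8.8", "src_port": 53, '
    '"dest_ip": "10.0.0.5", "dest_port": 40001, "dns": {"type": "answer", "id": 7, "rrname": "example.com"}}',
]

# Assumption of this example: the server side of the audited flows listens
# on one of these well-known ports. Adjust for non-standard deployments.
SERVICE_PORTS = {"http": {80, 8080, 8000}, "dns": {53}}


def service_side(event, ports):
    """Return 'dest' or 'src' for the side carrying a service port, or None
    when the heuristic cannot decide (neither or both sides use one)."""
    src_is = event.get("src_port") in ports
    dst_is = event.get("dest_port") in ports
    if dst_is and not src_is:
        return "dest"
    if src_is and not dst_is:
        return "src"
    return None


def expected_service_side(event):
    """Where the service port should appear if src/dst are oriented as the
    bug report expects: http and dns queries run client -> server (service
    on dest), dns answers run server -> client (service on src). Returns
    None for event types this check does not cover, e.g. fileinfo."""
    etype = event.get("event_type")
    if etype == "http":
        return "dest"
    if etype == "dns":
        kind = event.get("dns", {}).get("type")
        if kind == "query":
            return "dest"
        if kind == "answer":
            return "src"
    return None


def check_orientation(event):
    """Return None when the record looks correctly oriented or cannot be
    judged, otherwise a short description of the apparent swap."""
    expected = expected_service_side(event)
    if expected is None:
        return None
    actual = service_side(event, SERVICE_PORTS[event["event_type"]])
    if actual is None or actual == expected:
        return None
    label = event["event_type"]
    if label == "dns":
        label += ":" + event["dns"]["type"]
    return "%s: src/dst appear swapped (service port on %s, expected %s)" % (
        label, actual, expected)


def audit(lines):
    """Parse EVE JSON lines and return (line_number, message) for every
    record whose src/dst orientation contradicts the expectation."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except ValueError:
            findings.append((lineno, "unparseable JSON"))
            continue
        problem = check_orientation(event)
        if problem:
            findings.append((lineno, problem))
    return findings


if __name__ == "__main__":
    # Run against an eve.json by replacing SAMPLE_EVE_LINES with open(path).
    for lineno, msg in audit(SAMPLE_EVE_LINES):
        print("line %d: %s" % (lineno, msg))
```

On the sample input the second (http POST) and third (dns query) records are reported, while the dns answer on line 4 passes because a server -> client orientation is what that record type should show. Flows where both endpoints use service ports, or neither does, are left unjudged rather than guessed at.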