Suricata

Hello,

I'm continue Suricata testing and 1) found a fp with this (simplified) sig on joigned sctp pcap file:

alert ip any any -> any any (msg:"SCTP Suricata test 1"; ip_proto:132; content:"|00 07 02 10|"; offset:0; depth:4; classtype:attempted-admin; sid:1; rev:1; )

-> Suricata v2.0.6 fire or v2.1beta2 fire but NOT snort2.

02/18/2005-09:49:58.694007 [**] [1:1:1] SCTP Suricata test 1 [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {SCTP} 192.168.170.56:7 -> 192.168.170.8:7

tcpdump dump with joigned sctp pcap file:

09:49:58.694007 IP (tos 0x0, ttl 128, id 45300, offset 0, flags [none], proto SCTP (132), length560)
192.168.170.56.7 > 192.168.170.8.7: sctp
1) [DATA] (U)(B)(E) [TSN: 13852] [SID: 8] [SSEQ 0] [PPID 0x0] [Payload]
0x0000: 4500 0230 b0f4 0000 8084 b1c3 c0a8 aa38 E..0...........8
0x0010: c0a8 aa08 0007 0007 4323 2544 3ade fb02 ........C#%D:...
0x0020: 0007 0210 0000 361c 0008 0000 0000 0000 ......6.........
---------
...

2) or suricata fp (but not snort2) with this similar sig without ip_proto:132 :

alert ip any any -> any any (msg:"SCTP Suricata test 2"; content:"|00 07 02 10|"; offset:0; depth:4; classtype:attempted-admin; sid:2; rev:1; )

02/18/2005-09:49:58.694007 [**] [1:2:1] SCTP Suricata test 3 [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {SCTP} 192.168.170.56:7 -> 192.168.170.8:7

3) for information, post a true sig sctp fire:

alert sctp any any -> any any (msg:"SCTP Suricata test 3"; content:"|00 07 02 10|"; offset:0; depth:4; classtype:attempted-admin; sid:3; rev:1; )

Please check.

Regards
@rmkml rmkml