Bug #153 (Closed)
flag checking in Suricata is not strict enough.
Description
We are not strict enough when dealing with flags. This sig fires in Suricata, but fails to fire in Snort because it appears as if Snort uses stricter checking for flags. So to get this to fire in Snort I need something like RA,12 or +R,12, as the ACK flag is set along with the Reset flag.
alert tcp $EXTERNAL_NET 6112 -> $HOME_NET 1024: (msg:"ET GAMES Battle.net connection reset (possible IP-Ban)"; flags:R,12; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002117; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/GAMES/GAMES_Battlenet; sid:2002117; rev:5;)
19:36:55.033713 IP 192.168.100.13.43844 > 192.168.2.35.6112: Flags [S], seq 261064610, win 5840, options [mss 1460,sackOK,TS val 4825806 ecr 0,nop,wscale 7], length 0
19:36:55.142385 IP 192.168.2.35.6112 > 192.168.100.13.43844: Flags [R.], seq 0, ack 261064611, win 0, length 0
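The difference the report describes, as an added illustration that is not Suricata's or Snort's code: a small model of the flags keyword where the plain form is an exact match after the ignore list ("12", the reserved bits) is masked off, and the "+" and "*" forms mean "all of" and "any of". flags_match_lax is a constructed model of the over-permissive behaviour reported here (the plain form checked like "+"); the "!" modifier is left out, and the flag letters and reserved-bit names follow the Snort syntax.

```python
# Constructed model of the Snort/Suricata "flags" keyword; not code from
# either project. Letter values follow the TCP flags byte; "1" and "2"
# are the two reserved bits as Snort names them (C and E in Suricata).
FLAG_BITS = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
    "A": 0x10, "U": 0x20, "E": 0x40, "C": 0x80,
    "2": 0x40, "1": 0x80,
}


def letters_to_mask(letters):
    """Turn a flag letter string such as "RA" or "12" into a bitmask."""
    mask = 0
    for ch in letters:
        if ch != "0":          # "0" means "no flags set", adds nothing
            mask |= FLAG_BITS[ch]
    return mask


def parse_flags_option(option):
    """Split "<mod><flags>[,<ignore>]" into (modifier, want, ignore)."""
    spec, _, ignore = option.partition(",")
    modifier = ""
    if spec[:1] in ("+", "*"):
        modifier, spec = spec[0], spec[1:]
    return modifier, letters_to_mask(spec), letters_to_mask(ignore)


def flags_match_strict(pkt_flags, option):
    """Snort semantics: the plain form is an exact match once the
    ignored bits are masked off; "+" is "all of", "*" is "any of"."""
    modifier, want, ignore = parse_flags_option(option)
    seen = (pkt_flags & 0xFF) & ~ignore
    if modifier == "+":
        return (seen & want) == want
    if modifier == "*":
        return (seen & want) != 0
    return seen == want


def flags_match_lax(pkt_flags, option):
    """Constructed model of the over-permissive behaviour reported in
    this bug: the plain form is checked like "+", so an extra flag such
    as ACK in an RST+ACK packet does not prevent a match."""
    modifier, want, ignore = parse_flags_option(option)
    if modifier == "":
        return ((pkt_flags & 0xFF) & ~ignore & want) == want
    return flags_match_strict(pkt_flags, option)


# The [R.] reply in the trace above: RST and ACK set, no reserved bits.
RST_ACK = FLAG_BITS["R"] | FLAG_BITS["A"]
```

With the strict check, the rule's "R,12" does not match the RST+ACK reply, while "RA,12" and "+R,12" do; the lax check matches all three.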
Files
Updated by Gurvinder Singh over 14 years ago
- File 0001-fixed-the-flags-checking-and-make-it-more-strict-in.patch added
- Status changed from New to Resolved
- Assignee changed from OISF Dev to Gurvinder Singh
- % Done changed from 0 to 90
The attached makes the flags checking stricter and also corrects the ignored flags handling.
Updated by Victor Julien over 14 years ago
- Status changed from Resolved to Closed
- % Done changed from 90 to 100
Applied, thanks Gurvinder.