Bug #153
closedflag checking in Suricata is not strict enough.
Description
We are not strict enough when dealing with flags. This sig fires in Suricata, but fails to fire in Snort because it appears as if Snort uses stricter checking for flags. So to get this to fire in Snort I need something like RA,12 or +R,12, as the ACK flag is set along with the Reset flag.
alert tcp $EXTERNAL_NET 6112 -> $HOME_NET 1024: (msg:"ET GAMES Battle.net connection reset (possible IP-Ban)"; flags:R,12; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002117; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/GAMES/GAMES_Battlenet; sid:2002117; rev:5;)
19:36:55.033713 IP 192.168.100.13.43844 > 192.168.2.35.6112: Flags
[S], seq 261064610, win 5840, options [mss 1460,sackOK,TS val 4825806
ecr 0,nop,wscale 7], length 0
19:36:55.142385 IP 192.168.2.35.6112 > 192.168.100.13.43844: Flags
[R.], seq 0, ack 261064611, win 0, length 0
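To make the difference concrete, here is an added reference matcher for the `flags:` rule option (example code written for this page, not code from Suricata or Snort). The flag bit values and the meaning of the `+`, `*` and `!` modifiers and the `,12` ignore mask follow the Snort manual's description of the keyword; the reset segment from the capture above (`Flags [R.]`, i.e. RST+ACK) is fed through it to show that strict matching rejects `R,12` while `RA,12` and `+R,12` match.

```python
# Added example (not Suricata or Snort code): a reference matcher for the
# Snort/Suricata "flags:" rule option, used to show why "flags:R,12" does not
# match the RST+ACK segment in the capture under strict matching.

# Bit values of the TCP flags byte. "1" and "2" are the Snort names for the
# two reserved/ECN bits (CWR and ECE), which "C" and "E" also denote.
FLAG_BITS = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
    "A": 0x10, "U": 0x20, "E": 0x40, "C": 0x80,
    "2": 0x40, "1": 0x80,
}

# tcpdump's flag letters ("." is ACK, "W" is CWR) -> TCP flag bits
TCPDUMP_LETTERS = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
    ".": 0x10, "U": 0x20, "E": 0x40, "W": 0x80,
}


def tcpdump_flags(text):
    """Convert a tcpdump 'Flags [R.]' token into the TCP flags byte."""
    bits = 0
    for ch in text.strip().strip("[]"):
        bits |= TCPDUMP_LETTERS[ch]
    return bits


def parse_flags_option(spec):
    """Parse '<modifier><flags>[,<ignored flags>]' into (modifier, want, ignore)."""
    spec = spec.replace(" ", "")
    modifier = ""
    if spec and spec[0] in "+*!":
        modifier, spec = spec[0], spec[1:]
    flag_part, _, mask_part = spec.partition(",")
    want = 0
    if flag_part != "0":            # "0" means no flags set at all
        for ch in flag_part:
            want |= FLAG_BITS[ch]
    ignore = 0
    for ch in mask_part:            # e.g. ",12" ignores CWR and ECE
        ignore |= FLAG_BITS[ch]
    return modifier, want, ignore


def flags_match(spec, tcp_flags):
    """Return True if a segment with `tcp_flags` satisfies the option `spec`."""
    modifier, want, ignore = parse_flags_option(spec)
    observed = tcp_flags & ~ignore & 0xFF   # masked-out bits are not compared
    if modifier == "":                       # strict: exactly these flags
        return observed == want
    if modifier == "+":                      # these flags, plus any others
        return observed & want == want
    if modifier == "*":                      # any one of these flags
        return observed & want != 0
    if modifier == "!":                      # none of these flags
        return observed & want == 0
    raise ValueError(f"unknown modifier {modifier!r}")


if __name__ == "__main__":
    reset = tcpdump_flags("[R.]")   # the server's RST+ACK from the report
    for spec in ("R,12", "RA,12", "+R,12"):
        print(f"flags:{spec} on [R.] -> {flags_match(spec, reset)}")
```

Under the strict (no modifier) rule, the masked flags byte must equal the listed flags exactly, so `0x14` (RST+ACK) never equals `0x04` (RST) and the signature stays silent; an engine that only checks "are the listed bits set" behaves like `+R,12` and fires. The mask only removes the ECN bits from the comparison, which is why `R,12` still does not forgive the extra ACK.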