Bug #174
FP with suricata yesterday git (closed)
Description
Hi,
Maybe I found a regression between suricata v0.9.1 and yesterday's git (79443b1991840930ded4b8f09ba6de7b000912d9).
OK, with this old sig I have an FP with my attached (anonymized) pcap file:
alert udp any any -> any 53 (msg:"DNS zone transfer UDP"; content:"|00 00 FC|"; offset:14; classtype:attempted-recon; sid:1948; rev:6;)
alert firing:
04/01/09-14:36:40.894688 [**] [1:1948:6] DNS zone transfer UDP [**] [Classification: ...] [Priority: 3] {1} 10.50.1.143:3 -> 142.27.128.1:3
The attached pcap file contains 3 packets: the first is a DNS A request, the second is a DNS reply, the third is an ICMP port (DNS) unreachable (FP here).
And it's special, because if you extract only the third packet, there is no alert!
It's not fuzzing, it's "normal" DNS traffic.
Regards
Rmkml
Files
Updated by Will Metcalf over 14 years ago
- File enterprise.pcap-fuzz-2010-06-15-18-31-13-ERR.txt added
- Due date set to 06/20/2010
- Assignee set to OISF Dev
- Target version set to 0.9.3
- Estimated time set to 2.50 h
seems to still be an issue. Adding missing pcap from when redmine was broken.
Updated by Will Metcalf over 14 years ago
- File deleted (enterprise.pcap-fuzz-2010-06-15-18-31-13-ERR.txt)
Updated by Will Metcalf over 14 years ago
the right file this time .....
Updated by Victor Julien over 14 years ago
- Status changed from New to Closed
- Assignee changed from OISF Dev to Victor Julien
- Target version changed from 0.9.3 to 0.9.2
- % Done changed from 0 to 100
Issue is caused by storing/caching the SigGroupHead (sgh) in the flow structure. Because an ICMP unreach packet is considered to be part of the UDP flow, it was processed by the wrong (UDP) sgh. Fix is in the next git master push.
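The mechanism described in that last comment, as an added toy model that is not Suricata's code: the Packet/Flow classes, the three constructed packets and the protocol check used as the mitigation are all assumptions made for the example, not the actual fix the ticket refers to.

```python
"""Toy model of a rule group (sgh) cached per flow and handed to the wrong packet.

The UDP query to port 53 selects the group holding sid 1948 and caches it on the
flow. The ICMP port-unreachable quoting that datagram is attributed to the same
flow, so a cache keyed only on the flow gives the ICMP packet the UDP group and
the content-only check of sid 1948 can fire. With the cache reused only for the
flow's own protocol, the ICMP packet gets its own (empty) group and stays quiet.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

UDP, ICMP = 17, 1
Rule = Callable[["Packet"], bool]

@dataclass
class Packet:
    proto: int
    dport: int            # for ICMP this slot carries the type/code, not a port
    payload: bytes

@dataclass
class Flow:
    proto: int            # protocol of the packet that created the flow
    sgh: Optional[List[Rule]] = None   # cached rule group (the bug in the ticket)

def sid_1948(pkt: Packet) -> bool:
    """content:"|00 00 FC|"; offset:14 -- the port test was done by group selection."""
    return pkt.payload.find(b"\x00\x00\xfc", 14) != -1

def select_sgh(pkt: Packet) -> List[Rule]:
    """Protocol/port grouping: only UDP to port 53 gets the zone-transfer rule."""
    return [sid_1948] if pkt.proto == UDP and pkt.dport == 53 else []

def detect(flow: Flow, pkt: Packet, check_proto: bool) -> List[str]:
    if flow.sgh is None or (check_proto and pkt.proto != flow.proto):
        sgh = select_sgh(pkt)
        if pkt.proto == flow.proto:
            flow.sgh = sgh                # cache only for the flow's own protocol
    else:
        sgh = flow.sgh                    # buggy path: whatever the flow cached
    return [r.__name__ for r in sgh if r(pkt)]

def run(check_proto: bool) -> dict:
    # Constructed packets: a DNS A query for example.com, then the ICMP port
    # unreachable quoting the reply (IP header, UDP header, first 8 DNS bytes).
    query = Packet(UDP, 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                   b"\x07example\x03com\x00\x00\x01\x00\x01")
    quoted = (b"\x45\x00\x00\x3c\xab\xcd\x40\x00\x40\x11\x00\x00"
              + bytes([142, 27, 128, 1]) + bytes([10, 50, 1, 143])
              + b"\x00\x35\xc3\x50\x00\x28\x00\x00"       # UDP hdr, zero checksum
              + b"\xfc\x1e\x81\x80\x00\x01\x00\x01")      # DNS ID 0xfc1e follows
    unreach = Packet(ICMP, 3, quoted)
    flow = Flow(proto=UDP)
    return {"query": detect(flow, query, check_proto),
            "unreach": detect(flow, unreach, check_proto)}
```

`run(False)` reproduces the ticket's false positive on the ICMP packet; `run(True)` shows the same packets with the cache restricted to the flow's protocol.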