Bug #179

no alert with decode-event:ipv4.* suricata today git

Added by rmkml over 14 years ago. Updated over 14 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,
On suricata today git (d6709b0961ee972c0402edf0f080ebed590d9581), I don't get an alert with the attached pcap file.
I have added these sigs but get no alert:
alert ip any any -> any any (msg:"1"; decode-event:ipv4.pkt_too_small; sid:1; rev:1;)
alert ip any any -> any any (msg:"2"; decode-event:ipv4.hlen_too_small; sid:2; rev:1;)
alert ip any any -> any any (msg:"3"; decode-event:ipv4.iplen_smaller_than_hlen; sid:3; rev:1;)
alert ip any any -> any any (msg:"4"; decode-event:ipv4.trunc_pkt; sid:4; rev:1;)
alert ip any any -> any any (msg:"5"; decode-event:ipv4.opt_invalid; sid:5; rev:1;)
alert ip any any -> any any (msg:"6"; decode-event:ipv4.opt_invalid_len; sid:6; rev:1;)
alert ip any any -> any any (msg:"7"; decode-event:ipv4.opt_malformed; sid:7; rev:1;)
alert ip any any -> any any (msg:"8"; decode-event:ipv4.opt_pad_required; sid:8; rev:1;)
alert ip any any -> any any (msg:"9"; decode-event:ipv4.opt_eol_required; sid:9; rev:1;)
alert ip any any -> any any (msg:"10"; decode-event:ipv4.opt_duplicate; sid:10; rev:1;)
alert ip any any -> any any (msg:"11"; decode-event:ipv4.opt_unknown; sid:11; rev:1;)
alert ip any any -> any any (msg:"12"; decode-event:ipv4.wrong_ip_version; sid:12; rev:1;)
...
Regards
Rmkml


Files

suricatawrongiplen.pcap (100 Bytes) - rmkml, 06/16/2010 03:18 PM
Actions #1

Updated by Victor Julien over 14 years ago

  • Due date set to 06/22/2010
  • Assignee set to Victor Julien
  • Target version set to 0.9.3
  • Estimated time set to 0.00 h

It seems that, because the ipv4 packet is invalid, the detection code can't look up the proper sgh by protocol.

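A simplified model of what comment #1 describes, added here as an example (not Suricata's code): a decoder that raises the ipv4.* decode events named in the rules above, and a signature-group lookup keyed by IP protocol that silently skips packets whose header could not be decoded. The `check_undecodable` switch is an assumed illustration of one way to evaluate `ip` rules for such packets, not the actual fix that landed in master.

```python
import struct

# Simplified model of IPv4 decode events and the per-protocol signature
# group lookup described in this ticket. Not Suricata's code.
IPV4_MIN_HLEN = 20

def decode_ipv4(data: bytes) -> dict:
    """Return {'proto': <ip proto or None>, 'events': [decode-event names]}.
    Event names follow the decode-event keywords used in the rules above."""
    if len(data) < IPV4_MIN_HLEN:
        return {"proto": None, "events": ["ipv4.pkt_too_small"]}
    if data[0] >> 4 != 4:
        return {"proto": None, "events": ["ipv4.wrong_ip_version"]}
    hlen = (data[0] & 0x0F) * 4
    if hlen < IPV4_MIN_HLEN:
        return {"proto": None, "events": ["ipv4.hlen_too_small"]}
    iplen = struct.unpack("!H", data[2:4])[0]
    if iplen < hlen:
        return {"proto": None, "events": ["ipv4.iplen_smaller_than_hlen"]}
    if iplen > len(data):
        return {"proto": None, "events": ["ipv4.trunc_pkt"]}
    return {"proto": data[9], "events": []}   # well-formed header: protocol known

# The rules from the report, reduced to what the lookup needs (sid, proto keyword, event).
RULES = [
    {"sid": 1, "proto": "ip", "event": "ipv4.pkt_too_small"},
    {"sid": 2, "proto": "ip", "event": "ipv4.hlen_too_small"},
    {"sid": 3, "proto": "ip", "event": "ipv4.iplen_smaller_than_hlen"},
    {"sid": 4, "proto": "ip", "event": "ipv4.trunc_pkt"},
    {"sid": 12, "proto": "ip", "event": "ipv4.wrong_ip_version"},
]

def matching_sids(pkt: dict, rules: list, check_undecodable: bool) -> list:
    """Select the signature group by the packet's IP protocol, then match events.
    check_undecodable=False reproduces the behaviour reported here: a packet whose
    header failed decoding has no protocol, so no group is found and nothing fires."""
    if pkt["proto"] is None and not check_undecodable:
        return []
    group = [r for r in rules if r["proto"] == "ip"]   # 'ip' rules apply to any protocol
    return [r["sid"] for r in group if r["event"] in pkt["events"]]

def build_ipv4_header(total_len: int, ihl: int = 5, version: int = 4, proto: int = 6) -> bytes:
    """Constructed sample: a bare 20-byte IPv4 header with a chosen total-length field."""
    return struct.pack("!BBHHHBBH4s4s", (version << 4) | ihl, 0, total_len, 0, 0,
                       64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

if __name__ == "__main__":
    bad = decode_ipv4(build_ipv4_header(total_len=10))   # IP length smaller than header length
    print(bad["events"], matching_sids(bad, RULES, False), matching_sids(bad, RULES, True))
```
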
Actions #2

Updated by Victor Julien over 14 years ago

  • Target version changed from 0.9.3 to 1.0.0

Actions #3

Updated by Victor Julien over 14 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

Fixed in current master.
