Feature #2860
openSuricata doesn't detect part of IKEv2 traffic
Description
Suricata doesn't detect part of IKEv2 traffic.
Some devices (Mikrotik for example) allows to start IKEv2 traffic on port 4500 (not affected by NAT Traversal enabled). In the case of UDP 4500 for IKEv2 selected, this IKEv2 traffic is not detected by Suricata. The traffic is detected as normal UDP traffic, but not recognized as IKEv2.
Mikrotik RB951G-2HNd (mipsbe), RouterOS 6.44
# suricata --build-info
This is Suricata version 4.1.0-dev (rev 8709a20d)
Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS MAGIC RUST
SIMD support: none
Atomic intrisics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 6.3.0 20170516, C version 199901
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.28, linked against LibHTP v0.5.28
Suricata Configuration:
AF_PACKET support: yes
eBPF support: no
XDP support: no
PF_RING support: no
NFQueue support: yes
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no
Unix socket enabled: yes
Detection enabled: yes
Libmagic support: yes
libnss support: yes
libnspr support: yes
libjansson support: yes
liblzma support: yes
hiredis support: yes
hiredis async with libevent: no
Prelude support: no
PCRE jit: yes
LUA support: yes, through luajit
libluajit: yes
libgeoip: yes
Non-bundled htp: yes
Old barnyard2 support: no
Hyperscan support: yes
Libnet support: yes
liblz4 support: yes
Rust support: yes (default)
Rust strict mode: no
Rust debug mode: no
Rust compiler: rustc 1.30.0 (da5f414c2 2018-10-24)
Rust cargo: cargo 1.30.0 (36d96825d 2018-10-24)
Install suricatasc: yes
Install suricata-update: no
Profiling enabled: no
Profiling locks enabled: no
Development settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Generic build parameters:
Installation prefix: /usr
Configuration directory: /etc/suricata/
Log directory: /var/log/suricata/
--prefix /usr
--sysconfdir /etc
--localstatedir /var
--datarootdir /usr/share
Host: x86_64-pc-linux-gnu
Compiler: gcc (exec name) / gcc (real)
GCC Protect enabled: yes
GCC march native enabled: no
GCC Profile enabled: no
Position Independent Executable enabled: yes
CFLAGS -g -O2 -fdebug-prefix-map=/STAMUS/SELKS/Suricata/suricata-2019013001=. -fstack-protector-strong -Wformat -Werror=format-security -I${srcdir}/../rust/gen/c-headers
PCAP_CFLAGS -I/usr/include
SECCFLAGS
Files
Updated by Victor Julien over 5 years ago
- Description updated (diff)
Can you share a pcap of this traffic to reproduce?
Updated by Michal Vymazal over 5 years ago
Here is the pcap file with IKEv2 traffic on UDP 4500.
This traffic is not detected by the IKEv2 dashboard and also not detected with this rule:
alert ikev2 any any -> any any (msg:"IKEv2 IKE_SA_INIT Responder 21 20 22 20";content:"|21 20 22 20|"; classtype:protocol-command-decode; sid:500072; rev:1;metadata:created_at 2019_02_11, updated_at 2019_02_11;)
alert ikev2 any any -> any any (msg:"IKEv2 IKE_SA_INIT Initiator 28 20 22 08 Next Payload: Nonce";content:"|28 20 22 08|"; classtype:protocol-command-decode; sid:500073; rev:1;metadata:created_at 2019_02_11, updated_at 2019_02_11;)
When I turn the IKEv2 traffic back to the UDP 500 port, the IKEv2 traffic will be detected with IKEv2 dashboard and also will be detected with this two suricata rules.
Updated by Victor Julien over 5 years ago
- Assignee set to Pierre Chifflier
Hi Pierre, could you check this out?
Updated by Victor Julien over 5 years ago
- Tracker changed from Bug to Feature
- Status changed from New to Assigned
- Target version set to 5.0beta1
Updated by Victor Julien over 5 years ago
- Target version changed from 5.0beta1 to TBD
Updated by Philippe Antoine 12 months ago
Confirmed with suricata 7 : suricata does not skip the 4 bytes (value 0) identified as UDP Encapsulation of IPsec Packets per Wireshark