Bug #2928: alerts on icmp signatures in 4.0.x and 4.1.x - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #2928

open

alerts on icmp signatures in 4.0.x and 4.1.x

Added by Andrey Rybakov over 5 years ago. Updated about 5 years ago.

Status:

New

Priority:

Normal

Assignee:

OISF Dev

Target version:

TBD

Affected Versions:

4.1rc1

Effort:

Difficulty:

Label:

Description

Hello.
I`ve tested simple signature "alert icmp any any -> any any (msg:"MyAlert"; sid:1000000; rev:1;)"
on ping traffic (4 requests, 4 replies - in attached pcap)

In different versions i have different results:
4.0.0-beta1, 4.0.(1-7) = 8 alerts (four in each direction)
4.1.0-beta1 = 8 alerts
4.1.0-rc1, 4.1.(0-3) = 2 alerts (one in each direction)

So suricata start alert icmp as flow (only for one packet in each direction) between 4.1.0-beta1 and 4.1.0-rc1
probably this was caused by commit c662383b5
I think it is bug

Files

icmp_8_packets.pcap (744 Bytes) icmp_8_packets.pcap

Andrey Rybakov, 04/09/2019 03:36 PM

History
Notes
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #2928

alerts on icmp signatures in 4.0.x and 4.1.x

Updated by Andreas Herz over 5 years ago

Updated by Victor Julien about 5 years ago