Bug #3266: fast-log: icmp type prints wrong value - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #3266

closed

fast-log: icmp type prints wrong value

Added by Victor Julien about 5 years ago. Updated almost 5 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Philippe Antoine

Target version:

5.0.1

Affected Versions:

5.0.0

Effort:

Difficulty:

Label:

Needs backport

Description

Fast log prints Packet::sp and Packet::dp, but these are unions:

    union {
        Port sp;
        // icmp type and code of this packet
        struct {
            uint8_t type;
            uint8_t code;
        } icmp_s;
    };
    union {
        Port dp;
        // icmp type and code of the expected counterpart (for flows)
        struct {
            uint8_t type;
            uint8_t code;
        } icmp_d;
    };

So printing Packet::sp or dp for ICMP does not give the correct results.

E.g. from et-sigs:

10/18/2019-13:06:01.032939  [Drop] [**] [1:2200076:2] SURICATA ICMPv4 invalid
checksum [**] [Classification: Generic Protocol Command Decode] [Priority: 3]
{ICMP} 60.191.38.77:771 -> 192.168.69.246:0

Related issues 1 (0 open — 1 closed)

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #3266

fast-log: icmp type prints wrong value

Updated by Victor Julien almost 5 years ago

Updated by Philippe Antoine almost 5 years ago

Updated by Victor Julien almost 5 years ago

Updated by Victor Julien almost 5 years ago