Bug #3267: Support for tcp.hdr Behavior
Status: closed
Description
Hello
I am trying to use tcp.hdr and ipv4.hdr to detect specific packets.
From the TCP header, the source or destination port can be detected normally, but not for the rest.
TEST (I have attached the pcap file.)

I checked the SYN packet and the GET packet after ESTABLISHED. There are a total of six packets with a destination port of 80. There is one SYN and one GET.

SYN pkt / TCP Header = 0b 58 00 50 83 da a2 70 00 00 00 00 80 c2 20 00 15 5c 00 00 02 04 05 b4 01 03 03 08 01 01 04 02
GET pkt / TCP Header = 0b 58 00 50 83 da a2 71 3e 40 6e 31 50 18 08 05 16 ba 00 00

alert tcp-pkt any any -> any 80 (msg:"tcp.hdr test1 SYN pkt 1"; tcp.hdr; content:"|00 50|"; offset:2; depth:2; tcp.hdr; content:"|80 c2 20 00|"; sid:1; rev:1;)
alert tcp-pkt any any -> any 80 (msg:"tcp.hdr test2 SYN pkt 2"; tcp.hdr; content:"|00 00 00 00|"; offset:8; depth:4; sid:2; rev:1;)
alert tcp-pkt any any -> any 80 (msg:"tcp.hdr test3 GET pkt 1"; content:"GET"; tcp.hdr; content:"|00 50|"; offset:2; depth:2; tcp.hdr; content:"|50 18|"; distance:8; within:2; sid:3; rev:1;)
alert tcp-pkt any any -> any 80 (msg:"tcp.hdr test4 GET pkt 2"; content:"GET"; tcp.hdr; content:"|00 50|"; offset:2; depth:2; sid:4; rev:1;)

pcap reading result (with "-k none") and IPS mode (af-packet):
test1: 3 packets alert
test2: 3 packets alert
test3: no alert
test4: 1 packet alert
test1 and test2 alerted on every packet even though they should have been detected only once. test3 was not detected, but test4, with only the destination port hex value in the header, was detected.
Of course, matching tcp.mss or MSS Hex values works just fine as described in the manual.
Some fields that correspond to existing options in tcp.hdr don't work?
Please tell me the behavior associated with this option.
Thank you.
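An added example, not part of the report or of Suricata: it decodes the two TCP header dumps quoted above and applies each rule's tcp.hdr content checks to them, so the byte positions behind test1 to test4 can be verified outside the engine. It assumes the Snort-style reading in which distance sets a relative start and within a relative depth from that start; the payload content "GET" of test3 and test4 is not modelled because the dumps are header-only.

```python
import struct

# TCP header bytes copied from the two packets quoted in the report; constructed
# here as byte strings so the example runs offline without the attached pcap.
SYN_HDR = bytes.fromhex(
    "0b58 0050 83da a270 0000 0000 80c2 2000 155c 0000"
    "0204 05b4 0103 0308 0101 0402")
GET_HDR = bytes.fromhex("0b58 0050 83da a271 3e40 6e31 5018 0805 16ba 0000")

FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]


def parse_tcp_header(hdr):
    """Decode the fixed 20-byte part of a TCP header into named fields."""
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack("!HHIIHHHH", hdr[:20])
    data_offset = (off_flags >> 12) * 4          # header length in bytes, options included
    flags = off_flags & 0x01FF                   # low nine bits carry the flags
    names = [n for i, n in enumerate(FLAG_NAMES) if flags & (1 << i)]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": win,
            "data_offset": data_offset, "flags": names, "options": hdr[20:data_offset]}


def match_content(buf, pattern, offset=0, depth=None, prev_end=None, distance=0, within=None):
    """Find pattern in buf under an absolute offset/depth window, or, when prev_end
    (end of the previous match) is given, under a distance/within window.
    Assumption: within is counted from the byte reached after distance (Snort-style).
    Returns (start, end) of the match or None."""
    start, stop = offset, (len(buf) if depth is None else offset + depth)
    if prev_end is not None:
        start = prev_end + distance
        stop = len(buf) if within is None else start + within
    idx = buf.find(pattern, start, stop)         # the whole pattern must lie in [start, stop)
    return None if idx < 0 else (idx, idx + len(pattern))


def check_report_rules(hdr):
    """Apply the tcp.hdr content checks of the report's four rules to one header dump.
    The payload content "GET" of test3/test4 is not modelled: the dumps are header-only."""
    port = match_content(hdr, b"\x00\x50", offset=2, depth=2)
    flags_after_port = None if port is None else match_content(
        hdr, b"\x50\x18", prev_end=port[1], distance=8, within=2)
    return {
        "test1": port is not None and match_content(hdr, b"\x80\xc2\x20\x00") is not None,
        "test2": match_content(hdr, b"\x00\x00\x00\x00", offset=8, depth=4) is not None,
        "test3": flags_after_port is not None,
        "test4": port is not None,
    }


if __name__ == "__main__":
    for name, hdr in (("SYN", SYN_HDR), ("GET", GET_HDR)):
        print(name, parse_tcp_header(hdr), check_report_rules(hdr))
```

Under this reading the `|50 18|` bytes of test3 sit exactly in the window the rule describes (offset 12 of the GET header), so the rule's arithmetic is not what keeps test3 from matching.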