Bug #403
closed
request negate ip_proto cause FP on suricata v121
Added by rmkml rmkml almost 13 years ago.
Updated over 12 years ago.
Description
Hi,
Im test new suricata v1.2.1 and I have a FP please.
ok look very simply signature:
alert ip any any -> any any (msg:"test suricata negate ip_proto"; ip_proto:!103; classtype:non-standard-protocol; sid:9215831; rev:1;)
with joigned pcap file, suricata fire: (no error on suricata output)
11/18/2011-10:07:10.366672 Â [**] [1:9215831:1] test suricata negate ip_proto [**] [Classification: Detection of a non-standard protocol or event] [Priority: 2] {PIM} 172.28.127.254:0 [172.28.127.254:0] -> 224.0.0.13:0 [224.0.0.13:0]
Of course, snort not fire.
Regards
Rmkml
Files
- Status changed from Closed to Assigned
- Estimated time set to 4.00 h
Thanks Anoop.
So far we've not set the p->proto field if the decoding of a protocol (such as TCP) failed. These patches will set it always. I wonder if there could be side effects. Can you review that?
I don't like the assignment in the switch statement for code readability reasons btw, can you move it out of that? The compiler will likely optimise it for us.
Btw, please add a unittest with Rmkml's exact reported case + some more if you can think of them. Need to not let this bug pop up again ever :)
- Status changed from Assigned to Resolved
Patches sent privately to Victor
- Status changed from Resolved to Closed
- Target version set to 1.3beta1
- % Done changed from 0 to 100
Also available in: Atom
PDF