Project

General

Profile

Actions
Copy link

Bug #4571

open

Unable to trigger rule by content in case of IPv4 in IPv4 incapsulation

Added by Kirill Krotov about 3 years ago. Updated over 1 year ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
8.0.0-beta1
Affected Versions:
6.0.3, git master
Effort:
Difficulty:
Label:

Description

Suricata do able detect packets by conent in case of incapsulation. Detection by content works in following cases:

  • IPv4
  • IPv6
  • IPv4 over IPv6
  • IPv6 over IPv4
  • IPv6 over IPv6

But it doesn't work with tunnels IPv4 over IPv4 and it seems for me like a bug.

I have used following rule:

alert tcp any any -> any any (msg:"found"; content: "hello"; sid:1;)

With set of pcap files.

Files

Download all files
ipv6.pcap (126 Bytes) ipv6.pcap Kirill Krotov, 08/02/2021 02:17 PM
ipv6_over_ipv6.pcap (166 Bytes) ipv6_over_ipv6.pcap Kirill Krotov, 08/02/2021 02:17 PM
ipv6_over_ipv4.pcap (146 Bytes) ipv6_over_ipv4.pcap Kirill Krotov, 08/02/2021 02:17 PM
ipv4.pcap (106 Bytes) ipv4.pcap Kirill Krotov, 08/02/2021 02:17 PM
ipv4_over_ipv6.pcap (146 Bytes) ipv4_over_ipv6.pcap Kirill Krotov, 08/02/2021 02:17 PM
ipv4_over_ipv4.pcap (166 Bytes) ipv4_over_ipv4.pcap this doesn't work Kirill Krotov, 08/02/2021 02:17 PM
Actions
Copy link
 #1

Updated by Philippe Antoine over 1 year ago

  • Assignee set to OISF Dev
  • Target version set to 8.0.0-beta1
Actions
Copy link

Also available in: Atom PDF