Project

General

Profile

Actions
Copy link

Bug #5064

open

frames: duplicate alerts when no flow direction provided

Added by Jason Ish over 2 years ago. Updated over 2 years ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
Effort:
Difficulty:
Label:

Description

Seen with the PCAP from https://github.com/OISF/suricata-verify/pull/711.

A rule like:

alert sip any any -> any any (flow:to_client; frame:pdu; content:"REGISTER sip"; sid:1;)

will alert once as expected as the content REGISTER sip is only seen once in the pcap in the to_client direction.

However the rule:

alert sip any any -> any any (frame:pdu; content:"REGISTER sip"; sid:1;)

will create 2 identical alerts, but should probably only create one alert.

This does not appear to be limited to SIP, as I'm seeing it in my work-in-progress DNS frame support.

Actions
Copy link

Also available in: Atom PDF