Bug #5756: datasets: ipv4.src/dst, ip.src/dst check rules match on pseudo packets - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #5756

open

datasets: ipv4.src/dst, ip.src/dst check rules match on pseudo packets

Added by Victor Julien almost 2 years ago. Updated almost 2 years ago.

Status:

Assigned

Priority:

Normal

Assignee:

Eric Leblond

Target version:

TBD

Affected Versions:

Effort:

Difficulty:

Label:

Description

Rules like these (from datasets-09-load):

alert http any any -> any any (ip.dst; dataset:isset,ipv4-list,type ipv4,load datasets-ipv4.csv; flow:established,to_server; sid:1;)
alert http any any -> any any (ip.src; dataset:isset,ipv4-list,type ipv4,load datasets-ipv4.csv; flow:established,to_server; sid:2;)
alert http any any -> any any (ip.dst; dataset:isset,ip-list,type ip,load datasets-ip.csv; flow:established,to_server; sid:3;)

Will trigger as well on flow timeout packets.

History
Notes

Actions

Copy link

Updated by Andreas Herz almost 2 years ago

@Victor Julien do you have an example for that so I can try to reproduce and debug it?

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #5756

datasets: ipv4.src/dst, ip.src/dst check rules match on pseudo packets

Updated by Andreas Herz almost 2 years ago