Bug #6864
closed
Detect: ipopts keyword misfires
Added by Jeff Lucovsky 8 months ago.
Updated 7 months ago.
Description
The ipopts keyword may be misfiring.
https://forum.suricata.io/t/suricata-cant-define-ip-options/4494/7 describes a situation where the OP requested an alert when strict source route occurs but found that the rule was creating an alert with a packet having the stream id IP option.
The rule used by the OP:
alert ip any any -> any any (ipopts: ssrr; msg: "issue"; rev: 1; sid:1;)
The misfiring is occurring because
- When the ipopts keyword is parsed, an enum value is added to the detection context
- When looking for a match, the match logic treats the detection context value as a bit field
- False alerts occur because the check uses a bit field and an enum value. The bit field is from the packet.
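Added illustration of the mismatch described above (example code, not Suricata's; the flag bit positions, the keyword table order and the function names are assumptions, chosen so that the table index of `ssrr` lands on the decoder flag bit for the stream id option, which reproduces the forum report). Option type numbers in the decoder are the IANA values.

```c
/* Added example, not Suricata code. Flag positions, table order and names are
 * assumed so that the "ssrr" table index (8) equals the stream id flag bit. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decoder side: one bit per IP option type present in the packet (assumed positions). */
#define FLAG_EOL    (1u << 0)
#define FLAG_NOP    (1u << 1)
#define FLAG_RR     (1u << 2)
#define FLAG_SID    (1u << 3)   /* stream id, option type 136 */
#define FLAG_TS     (1u << 4)
#define FLAG_LSRR   (1u << 5)
#define FLAG_SSRR   (1u << 6)   /* strict source route, option type 137 */
#define FLAG_SEC    (1u << 7)
#define FLAG_ESEC   (1u << 8)
#define FLAG_CIPSO  (1u << 9)
#define FLAG_RTRALT (1u << 10)

/* Keyword side: the table the ipopts parser looks names up in (assumed order). */
static const struct { const char *name; uint16_t flag; } ipopts_table[] = {
    { "eol", FLAG_EOL }, { "nop", FLAG_NOP }, { "rr", FLAG_RR }, { "ts", FLAG_TS },
    { "sec", FLAG_SEC }, { "lsrr", FLAG_LSRR }, { "esec", FLAG_ESEC },
    { "cipso", FLAG_CIPSO }, { "ssrr", FLAG_SSRR }, { "sid", FLAG_SID },
    { "rtralt", FLAG_RTRALT },
};
#define IPOPTS_TABLE_LEN (sizeof(ipopts_table) / sizeof(ipopts_table[0]))

/* Minimal IPv4 options walker: sets the flag for each option type seen. */
uint16_t decode_ipv4_options(const uint8_t *o, size_t len)
{
    uint16_t flags = 0;
    size_t i = 0;
    while (i < len) {
        uint8_t type = o[i];
        if (type == 0) { flags |= FLAG_EOL; break; }         /* end of option list */
        if (type == 1) { flags |= FLAG_NOP; i++; continue; } /* single-byte NOP */
        if (i + 1 >= len) break;                             /* truncated: no length byte */
        uint8_t olen = o[i + 1];
        if (olen < 2 || i + olen > len) break;               /* malformed length */
        switch (type) {
        case 7:   flags |= FLAG_RR;     break;
        case 68:  flags |= FLAG_TS;     break;
        case 130: flags |= FLAG_SEC;    break;
        case 131: flags |= FLAG_LSRR;   break;
        case 133: flags |= FLAG_ESEC;   break;
        case 134: flags |= FLAG_CIPSO;  break;
        case 136: flags |= FLAG_SID;    break;
        case 137: flags |= FLAG_SSRR;   break;
        case 148: flags |= FLAG_RTRALT; break;
        default: break;                                      /* unknown type: ignore */
        }
        i += olen;
    }
    return flags;
}

/* Buggy parse: stores the table index (an enum-style value) instead of the flag. */
int ipopts_parse_buggy(const char *name)
{
    for (size_t i = 0; i < IPOPTS_TABLE_LEN; i++)
        if (strcmp(ipopts_table[i].name, name) == 0) return (int)i;
    return -1;
}

/* Buggy match: ANDs the packet's bit field with that index as if it were a mask. */
int ipopts_match_buggy(uint16_t pkt_flags, int rule_value)
{
    return rule_value >= 0 && (pkt_flags & (uint16_t)rule_value) != 0;
}

/* Fixed parse: resolve the keyword to its flag bit at rule load time. */
int ipopts_parse_fixed(const char *name)
{
    for (size_t i = 0; i < IPOPTS_TABLE_LEN; i++)
        if (strcmp(ipopts_table[i].name, name) == 0) return ipopts_table[i].flag;
    return 0;
}

/* Fixed match: both sides are bit fields, so require the rule's bit to be set. */
int ipopts_match_fixed(uint16_t pkt_flags, int rule_flag)
{
    return rule_flag != 0 && (pkt_flags & (uint16_t)rule_flag) == (uint16_t)rule_flag;
}

int main(void)
{
    /* Constructed option bytes: stream id (136, len 4, id 0x1234) and strict
     * source route (137, len 7, pointer 4, one hop 10.0.0.1). */
    static const uint8_t sid_opt[]  = { 136, 4, 0x12, 0x34 };
    static const uint8_t ssrr_opt[] = { 137, 7, 4, 10, 0, 0, 1 };
    uint16_t sid_pkt  = decode_ipv4_options(sid_opt, sizeof sid_opt);
    uint16_t ssrr_pkt = decode_ipv4_options(ssrr_opt, sizeof ssrr_opt);
    int buggy = ipopts_parse_buggy("ssrr");   /* 8, which equals FLAG_SID */
    int fixed = ipopts_parse_fixed("ssrr");   /* FLAG_SSRR */
    printf("ssrr rule vs stream id packet: buggy=%d fixed=%d\n",
           ipopts_match_buggy(sid_pkt, buggy), ipopts_match_fixed(sid_pkt, fixed));
    printf("ssrr rule vs ssrr packet:      buggy=%d fixed=%d\n",
           ipopts_match_buggy(ssrr_pkt, buggy), ipopts_match_fixed(ssrr_pkt, fixed));
    return 0;
}
```

With these assumed numbers the buggy pair reports a match for a packet carrying only a stream id option and no match for a packet carrying strict source route, which is the behaviour reported on the forum; the fixed pair resolves the keyword to its flag at parse time and tests that bit against the packet's bit field, so it also keeps matching when other options are present alongside the requested one.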
- Status changed from New to In Review
- Assignee changed from OISF Dev to Jeff Lucovsky
- Label Needs backport to 7.0 added
- Label deleted (Needs backport to 7.0)
- Label Needs backport to 7.0 added
- Label deleted (Needs backport to 7.0)
- Status changed from In Review to Resolved
- Label Needs backport to 7.0 added
- Label deleted (Needs backport to 7.0)
- Status changed from Resolved to Closed