Bug #7414

closed

detect: decoder event rules fail to match on invalid packets

Added by Arialdo Pucino about 1 month ago. Updated 14 days ago.

Status: Closed
Priority: Normal

Description

An IPv4 packet that contains a malformed security option with an invalid length field (2 bytes) and an invalid byte length (12 bytes) with respect to the length field is not detected.
My setup is AlmaLinux 8.10 with Suricata 7.0.7 in IPS Layer 2 mode, and it has the following rule, which is never triggered:

drop pkthdr any any -> any any (msg:"SURICATA IPv4 invalid option length"; decode-event:ipv4.opt_invalid_len; classtype:protocol-command-decode; sid:2200005; rev:2;)

Attached is a pcap file in which the third packet contains the invalid IPv4 security option.


Files

ip_secopt.pcap (310 Bytes) Arialdo Pucino, 11/26/2024 10:32 AM
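
Added example (not part of the original report and not Suricata's decoder code): a standalone Python check of IPv4 option lengths against RFC 791, which fixes the security option (type 130) at 11 bytes. The sample headers are constructed rather than taken from ip_secopt.pcap; the malformed one assumes a length byte of 2 inside a 12-byte options area, and build_header is a hypothetical helper.

```python
import struct

IPOPT_EOL, IPOPT_NOP, IPOPT_SEC = 0, 1, 130
SEC_LEN = 11  # RFC 791: the security option is always 11 bytes long

def check_ipv4_options(header: bytes) -> list[str]:
    """Return the length problems found in the options area of an IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        return ["not an IPv4 header"]
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(header):
        return ["invalid IHL"]
    opts, problems, i = header[20:ihl], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:          # end of option list
            break
        if kind == IPOPT_NOP:          # single-byte padding option
            i += 1
            continue
        if i + 1 >= len(opts):
            problems.append(f"option {kind} at offset {i}: no length byte")
            break
        length = opts[i + 1]
        # The length counts the type and length bytes and must fit in the options area.
        if length < 2 or i + length > len(opts):
            problems.append(f"option {kind} at offset {i}: length {length} out of bounds")
            break
        if kind == IPOPT_SEC and length != SEC_LEN:
            problems.append(f"security option at offset {i}: length {length}, expected {SEC_LEN}")
        i += length
    return problems

def build_header(options: bytes) -> bytes:
    """Constructed test header; checksum is zero because only option lengths are checked."""
    ihl = (20 + len(options)) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                        0, 0, 64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return fixed + options

# Constructed samples (assumed shapes, not the bytes from the attached pcap).
MALFORMED = build_header(bytes([IPOPT_SEC, 2]) + bytes(10))       # length byte 2, 12 option bytes
WELL_FORMED = build_header(bytes([IPOPT_SEC, 11]) + bytes(9) + bytes([IPOPT_EOL]))
OVERRUN = build_header(bytes([IPOPT_SEC, 40]) + bytes(10))        # length runs past the header

if __name__ == "__main__":
    for name, hdr in (("malformed", MALFORMED), ("well-formed", WELL_FORMED), ("overrun", OVERRUN)):
        print(name, check_ipv4_options(hdr) or "ok")
```

Running the same check over the option bytes of a captured packet gives an independent answer on whether a decoder event for invalid option length should be expected for it.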

Subtasks 1 (0 open, 1 closed)

Bug #7432: detect: decoder event rules fail to match on invalid packets (7.0.x backport) - Closed - Victor Julien

Related issues 1 (1 open, 0 closed)

Related to Suricata - Feature #7433: eve/alert: enrich decoder event rules - Resolved - Victor Julien