Bug #846

FP on IP frag and sig use udp port 0

Added by Victor Julien over 11 years ago. Updated over 11 years ago.

Status:
Closed
Priority:
Normal

Description

Reported by rmkml on oisf-devel:

OK, testing Suricata with the attached pcap file, which contains one IP fragmented packet without a UDP layer, like this (tshark output):

...
Internet Protocol Version 4, Src: 192.168.1.2 (192.168.1.2), Dst: 192.168.1.1 (192.168.1.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00
        0000 00.. = Default (0x00)
        .... ..00 = Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 1500
    Identification: 0x1061 (4193)
    Flags: 0x01 (More Fragments)
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..1. .... = More fragments: Set
    Fragment offset: 1480
    Time to live: 64
    Protocol: UDP (17)
    Header checksum: 0xc0a3 [correct]
        [Good: True]
        [Bad: False]
    Source: 192.168.1.2 (192.168.1.2)
    Destination: 192.168.1.1 (192.168.1.1)
Data (1480 bytes)
0000  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
...

Testing with this simple, very old sig:
alert udp any any <> any 0 (msg:"BAD-TRAFFIC udp port 0 traffic"; classtype:misc-activity; sid:525; rev:1;)

Suricata produces an FP alert:
05/06/2013-23:49:28.176296 [**] [1:525:1] BAD-TRAFFIC udp port 0 traffic [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.1.2:0 -> 192.168.1.1:0
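The decoding condition behind this false positive, shown as an added Python example that is not code from the Suricata code base or from the report: it rebuilds the fragment from the field values in the tshark output above, checks the computed header checksum against the 0xc0a3 tshark reports, and contrasts a decoder that leaves the port fields at their zero defaults on a non-first fragment (reproducing the alert's 192.168.1.2:0 -> 192.168.1.1:0) with one that refuses to evaluate port tests when no transport header is present in the packet. All function and field names are this example's own, the payload is constructed, and the corrected check is the general defensive condition, not a claim about how Suricata itself resolved the bug.

```python
import socket
import struct

UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of an IPv4 header.
    Over a header whose checksum field is filled in, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ident, more_fragments, frag_offset):
    """Build a minimal IPv4 packet (no options). frag_offset is in bytes and
    must be a multiple of 8, as on the wire."""
    assert frag_offset % 8 == 0
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 header fields this example needs."""
    (vihl, _tos, total_len, ident, flags_frag, _ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {
        "ident": ident,
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,
        "proto": proto,
        "checksum": csum,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "payload": pkt[ihl:total_len],
    }


def decode_packet(ip: dict) -> dict:
    """Transport decode. Only a fragment with offset 0 carries the UDP header,
    so ports are read from the first 4 payload bytes only in that case; any
    other packet keeps sp/dp at 0 and is flagged as having no L4 header."""
    pkt = {"proto": ip["proto"], "sp": 0, "dp": 0, "l4_present": False}
    if ip["proto"] == UDP and ip["frag_offset"] == 0 and len(ip["payload"]) >= 8:
        pkt["sp"], pkt["dp"] = struct.unpack("!HH", ip["payload"][:4])
        pkt["l4_present"] = True
    return pkt


def rule_matches_naive(pkt: dict) -> bool:
    """Port test of `alert udp any any <> any 0` (bidirectional: either port 0),
    run on whatever the port fields hold. On a non-first fragment those are
    the zero defaults, which is exactly the false positive in the report."""
    return pkt["proto"] == UDP and (pkt["sp"] == 0 or pkt["dp"] == 0)


def rule_matches_checked(pkt: dict) -> bool:
    """Same rule, but a port condition is only evaluated when this packet
    actually contains a transport header. A non-first fragment can only be
    judged after reassembly, never from its own bytes."""
    if pkt["proto"] != UDP or not pkt["l4_present"]:
        return False
    return pkt["sp"] == 0 or pkt["dp"] == 0


# Constructed reproduction of the reported packet: id 0x1061, MF set, offset
# 1480, protocol 17, 1480 bytes of 'A' filler, as in the tshark output.
FRAGMENT = build_ipv4("192.168.1.2", "192.168.1.1", UDP, b"A" * 1480,
                      ident=0x1061, more_fragments=True, frag_offset=1480)

# Constructed genuine port-0 UDP datagram (unfragmented) for contrast.
REAL_PORT0 = build_ipv4("192.168.1.2", "192.168.1.1", UDP,
                        struct.pack("!HHHH", 1234, 0, 8, 0),
                        ident=1, more_fragments=False, frag_offset=0)


def evaluate(raw: bytes) -> dict:
    """Run both matchers over one raw packet and report the decoded view."""
    ip = parse_ipv4(raw)
    pkt = decode_packet(ip)
    return {
        "frag_offset": ip["frag_offset"],
        "checksum": ip["checksum"],
        "checksum_ok": ipv4_checksum(raw[:20]) == 0,
        "naive_alert": rule_matches_naive(pkt),
        "checked_alert": rule_matches_checked(pkt),
    }


if __name__ == "__main__":
    for name, raw in (("non-first fragment", FRAGMENT), ("real port 0", REAL_PORT0)):
        print(name, evaluate(raw))
```

The rebuilt header sums to the same 0xc0a3 tshark shows, so the constructed fragment is byte-for-byte consistent with the reported one; the naive matcher alerts on it while the checked matcher only alerts on the datagram that really carries port 0.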

Files

suri1.pcap (1.62 KB) suri1.pcap Victor Julien, 07/03/2013 06:19 AM

Subtasks 1 (0 open, 1 closed)

Bug #847: FP on IP frag and sig use udp port 0 (master): Closed, Victor Julien, 07/03/2013