Bug #10
closedflags:0; alerts when it shoudn't
Description
when checking for no tcp flags being set via flags:0; via flags:0; the engine alerts even when flags are set. I have attached a patch that has a failing unittest displaying this issue.
#rules file
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"No flags set"; flags:0; sid:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SYN flag set"; flags:S,12; sid:2;)
#tcpdump output of pcap
07:46:00.378379 IP 192.168.77.1.46820 > 192.168.77.191.8888: Flags [S], seq 2098534692, win 2048, options [mss 1460], length 0
#output of log file
11/16/09-13:46:00.378379 [**] [1:1:0] No flags set [**] [Classification: fixme] [Priority: 3] {6} 192.168.77.1:46820 -> 192.168.77.191:8888
11/16/09-13:46:00.378379 [**] [1:2:0] SYN flag set [**] [Classification: fixme] [Priority: 3] {6} 192.168.77.1:46820 -> 192.168.77.191:8888
Files
Updated by Victor Julien about 15 years ago
- Assignee changed from OISF Dev to Breno Silva
Updated by Breno Silva about 15 years ago
- File 0001-Flags-Issue.patch 0001-Flags-Issue.patch added
- Due date set to 11/20/2009
- % Done changed from 0 to 100
The bug occurs because of AND operation with flags.
The switch logic fails when process 0 in flags rule keyword.
Sending a patch to fix it.
Updated by Victor Julien almost 15 years ago
- Estimated time changed from 0.50 h to 1.00 h
Updated by Victor Julien almost 15 years ago
- Status changed from New to Resolved
Patches applied, thanks guys.
Updated by Victor Julien almost 15 years ago
- Status changed from Resolved to Closed