Bug #151 (closed)
FP on suricata v0.9.0 with IPv6 icmp large
Description
Hi,
Congratulations on the last big update!
I have a FP with the attached pcap:
05/07/10-10:24:36.208132 [**] [1:499:4] ICMP Large ICMP Packet [**] [Classification: Potentially Bad Traffic] [Priority: 3] {58} fe80::5d53:83c4:e3f2:8927:143 -> ff02::16:0
I resend the old signature id 499:
alert icmp any any -> any any (msg:"ICMP Large ICMP Packet"; dsize:>800; classtype:bad-unknown; sid:499; rev:4;)
Can anyone confirm this FP please? (alert with suricata v0.9.0 and suricata v0.8.2)
Of course, snort v2.8.6(.0) with ipv6 enabled does not fire (on the same pcap and same signatures/rules).
Regards
Rmkml
Updated by Will Metcalf over 14 years ago
- Due date set to 05/12/2010
- Assignee set to OISF Dev
- Target version set to 0.9.1
- Estimated time set to 2.50 h
Confirmed. This is a bug. The packet that causes this alert to fire is only 90 bytes total including headers.
Updated by Gurvinder Singh over 14 years ago
- File 0001-fixed-the-payload_len-for-icmpv6-bug-151.patch added
- Status changed from New to Resolved
- Assignee changed from OISF Dev to Gurvinder Singh
- % Done changed from 0 to 90
The issue was caused by an incorrect payload_len value, which was not updated in DecodeICMPv6(). The attached patch fixes the issue.
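The failure mode behind this ticket, as an added example that is not Suricata's code nor the attached patch: a decoder that leaves the packet's payload_len untouched lets a dsize test compare against whatever the reused packet record held before, so a 90-byte MLDv2 report can satisfy dsize:>800. The frame below is constructed to match the alert (Ethernet + IPv6 with a Hop-by-Hop Router Alert + ICMPv6 type 143 to ff02::16, 90 bytes total); the 4-byte ICMPv6 header accounting, the Packet struct, the stale value 1400 and all function names are assumptions of this example, not Suricata internals.

```c
/* Added example (not Suricata code): why an ICMPv6 decoder must set payload_len. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HDR_LEN    14
#define IPV6_HDR_LEN   40
#define NH_HOPOPTS     0
#define NH_ICMPV6      58
#define ICMPV6_HDR_LEN 4   /* type, code, checksum (RFC 4443); assumption for this example */

/* Minimal packet record, loosely modelled on an IDS packet struct that is reused
 * from packet to packet, so a field a decoder forgets to set keeps its old value. */
typedef struct {
    const uint8_t *payload;
    uint16_t payload_len;
    uint8_t  icmpv6_type;
    uint8_t  icmpv6_code;
} Packet;

/* Constructed 90-byte frame: 14 (Ethernet) + 40 (IPv6) + 8 (Hop-by-Hop) + 28 (MLDv2
 * Listener Report with one record). Checksum is a placeholder and is not verified. */
static const uint8_t frame[90] = {
    /* Ethernet: dst 33:33:00:00:00:16, src 00:11:22:33:44:55, type 0x86dd */
    0x33,0x33,0x00,0x00,0x00,0x16, 0x00,0x11,0x22,0x33,0x44,0x55, 0x86,0xdd,
    /* IPv6: version 6, payload length 36, next header 0 (Hop-by-Hop), hop limit 1 */
    0x60,0x00,0x00,0x00, 0x00,0x24, 0x00, 0x01,
    /* src fe80::5d53:83c4:e3f2:8927 */
    0xfe,0x80,0,0,0,0,0,0, 0x5d,0x53,0x83,0xc4,0xe3,0xf2,0x89,0x27,
    /* dst ff02::16 */
    0xff,0x02,0,0,0,0,0,0, 0,0,0,0,0,0,0,0x16,
    /* Hop-by-Hop: next header 58, ext len 0, Router Alert (5,2,0,0), PadN (1,0) */
    0x3a,0x00, 0x05,0x02,0x00,0x00, 0x01,0x00,
    /* ICMPv6 MLDv2 Report: type 143, code 0, checksum, reserved, 1 record */
    0x8f,0x00, 0x00,0x00, 0x00,0x00, 0x00,0x01,
    /* record: CHANGE_TO_EXCLUDE (4), aux len 0, 0 sources, ff02::1:fff2:8927 */
    0x04,0x00, 0x00,0x00,
    0xff,0x02,0,0,0,0,0,0, 0,0,0,0x01,0xff,0xf2,0x89,0x27,
};

/* Walks IPv6 (and one Hop-by-Hop header) to the ICMPv6 header. Returns 0 and sets
 * the ICMPv6 offset and the byte count the IPv6 Payload Length attributes to it,
 * or -1 if the frame is truncated or not ICMPv6. */
static int find_icmpv6(const uint8_t *pkt, size_t len, size_t *off, size_t *icmp_len)
{
    if (len < ETH_HDR_LEN + IPV6_HDR_LEN) return -1;
    const uint8_t *ip6 = pkt + ETH_HDR_LEN;
    if ((ip6[0] >> 4) != 6) return -1;
    size_t plen = ((size_t)ip6[4] << 8) | ip6[5];
    uint8_t nh = ip6[6];
    size_t cur = ETH_HDR_LEN + IPV6_HDR_LEN;
    if (cur + plen > len) return -1;            /* truncated capture */
    size_t remaining = plen;
    if (nh == NH_HOPOPTS) {
        if (remaining < 8) return -1;
        size_t ext = ((size_t)pkt[cur + 1] + 1) * 8; /* Hdr Ext Len is in 8-byte units, excluding first 8 */
        if (ext > remaining) return -1;
        nh = pkt[cur];
        cur += ext;
        remaining -= ext;
    }
    if (nh != NH_ICMPV6 || remaining < ICMPV6_HDR_LEN) return -1;
    *off = cur;
    *icmp_len = remaining;
    return 0;
}

/* Decoder that forgets payload_len: the dsize test will see a stale value.
 * This illustrates the ticket's failure mode; it is not Suricata's actual code. */
static void decode_icmpv6_stale(Packet *p, const uint8_t *icmp, size_t icmp_len)
{
    (void)icmp_len;
    p->icmpv6_type = icmp[0];
    p->icmpv6_code = icmp[1];
    p->payload = icmp + ICMPV6_HDR_LEN;
}

/* Decoder that derives payload_len from the bytes actually present. */
static void decode_icmpv6_fixed(Packet *p, const uint8_t *icmp, size_t icmp_len)
{
    p->icmpv6_type = icmp[0];
    p->icmpv6_code = icmp[1];
    p->payload = icmp + ICMPV6_HDR_LEN;
    p->payload_len = (uint16_t)(icmp_len - ICMPV6_HDR_LEN);
}

/* dsize:>800 from sid 499. */
static int dsize_gt_800(const Packet *p) { return p->payload_len > 800; }

/* Decodes one frame into a packet record that still carries stale_len from a
 * previous packet and returns 1 if sid 499 would fire, 0 if not, -1 if not ICMPv6. */
static int rule_fires(void (*decode)(Packet *, const uint8_t *, size_t),
                      const uint8_t *pkt, size_t len, uint16_t stale_len)
{
    size_t off, icmp_len;
    if (find_icmpv6(pkt, len, &off, &icmp_len) != 0) return -1;
    Packet p;
    memset(&p, 0, sizeof p);
    p.payload_len = stale_len;                  /* left over from an earlier, larger packet */
    decode(&p, pkt + off, icmp_len);
    return dsize_gt_800(&p);
}

/* Correct ICMPv6 payload length of the frame (28 - 4 = 24), or -1 if not ICMPv6. */
static int decoded_payload_len(const uint8_t *pkt, size_t len)
{
    size_t off, icmp_len;
    if (find_icmpv6(pkt, len, &off, &icmp_len) != 0) return -1;
    Packet p;
    memset(&p, 0, sizeof p);
    decode_icmpv6_fixed(&p, pkt + off, icmp_len);
    return p.payload_len;
}

int main(void)
{
    printf("frame %zu bytes, ICMPv6 payload_len %d\n", sizeof frame, decoded_payload_len(frame, sizeof frame));
    printf("sid 499 with stale decoder: %d, with fixed decoder: %d\n",
           rule_fires(decode_icmpv6_stale, frame, sizeof frame, 1400),
           rule_fires(decode_icmpv6_fixed, frame, sizeof frame, 1400));
    return 0;
}
```

The constructed frame is the same size Will Metcalf reports for the offending packet, and the decoded ICMPv6 body is 24 bytes, far below the 800-byte dsize threshold; only the decoder that skips payload_len lets the rule match.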
Updated by Victor Julien over 14 years ago
- Status changed from Resolved to Closed
- % Done changed from 90 to 100
Applied, thanks Gurvinder.