Project

General

Profile

Actions

Bug #151

closed

FP on suricata v0.9.0 with IPv6 icmp large

Added by rmkml rmkml over 14 years ago. Updated over 14 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,
Congratulations for last big update!
I have a FP with joigned pcap:
05/07/10-10:24:36.208132 [**] [1:499:4] ICMP Large ICMP Packet [**] [Classification: Potentially Bad Traffic] [Priority: 3] {58} fe80::5d53:83c4:e3f2:8927:143 -> ff02::16:0
I resend old signature id 499:
alert icmp any any -> any any (msg:"ICMP Large ICMP Packet"; dsize:>800; classtype:bad-unknown; sid:499; rev:4;)
Anyone confirm this FP please? (alert with suricata v0.9.0 and suricata v0.8.2)
Of course, snort v2.8.6(.0) with ipv6 enabled not firing (on same pcap and same signatures/rules).
Regards
Rmkml


Files

Actions #1

Updated by Will Metcalf over 14 years ago

  • Due date set to 05/12/2010
  • Assignee set to OISF Dev
  • Target version set to 0.9.1
  • Estimated time set to 2.50 h

confirmed. This is a bug. The packet that causes this alert to fire is only 90 bytes total including headers.

Actions #2

Updated by Gurvinder Singh over 14 years ago

The issue was caused by incorrect payload_len value, which was not updated in DecodeICMPv6(). Attached patch fixes the issue.

Actions #3

Updated by Victor Julien over 14 years ago

  • Status changed from Resolved to Closed
  • % Done changed from 90 to 100

Applied, thanks Gurvinder.

Actions

Also available in: Atom PDF