Bug #151

closed

FP on suricata v0.9.0 with IPv6 icmp large

Added by rmkml rmkml almost 14 years ago. Updated almost 14 years ago.

Status:
Closed
Priority:
Normal

Description

Hi,
Congratulations on the last big update!
I have a FP with the joined pcap:
05/07/10-10:24:36.208132 [**] [1:499:4] ICMP Large ICMP Packet [**] [Classification: Potentially Bad Traffic] [Priority: 3] {58} fe80::5d53:83c4:e3f2:8927:143 -> ff02::16:0
I resend the old signature id 499:
alert icmp any any -> any any (msg:"ICMP Large ICMP Packet"; dsize:>800; classtype:bad-unknown; sid:499; rev:4;)
Can anyone confirm this FP please? (alert with suricata v0.9.0 and suricata v0.8.2)
Of course, snort v2.8.6(.0) with IPv6 enabled is not firing (on the same pcap and the same signatures/rules).
Regards
Rmkml

