Actions
Bug #160
closedThresholds don't seem to be honored for icmp traffic.
Affected Versions:
Effort:
Difficulty:
Label:
Description
When processing the attached pcap suricata generates 57789 events where snort only generates 2 one for each src of the traffic 192.168.1.44 and 192.168.1.48 contained in the pcap . It appears as if this happens because suricata does not honor thresholds for icmp traffic.
*****************************************************************************************************************************************oisf alerted more times than snort sid: 2003292 oisf:57789 snort:2
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM Allaple ICMP Sweep Ping Outbound"; icode:0; itype:8; content:"Babcdefghijklmnopqrstuvwabcdefghi"; threshold: type both, count 1, seconds 60, track by_src; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html; reference:url,isc.sans.org/diary.html?storyid=2451; reference:url,doc.emergingthreats.net/2003292; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/WORM_Allaple; sid:2003292; rev:7;)
Files
Updated by Will Metcalf almost 14 years ago
Just as an update it looks like we were missing detection to this sig previous to the following commit. So thresholding for ICMP may have been broken for some time.
commit 21a89e22de34fe116f519460f871ca9813087bba
Author: Gurvinder Singh <gurvindersinghdahiya@gmail.com>
Date: Fri May 14 16:18:45 2010 +0200
fixed the segv caused by null payload due to incorrect icmpv6 decodingUpdated by Victor Julien almost 14 years ago
- Status changed from New to Closed
- Assignee changed from OISF Dev to Victor Julien
- % Done changed from 0 to 100
- Estimated time changed from 2.50 h to 0.00 h
Fixed in next master.
Actions