Bug #179

no alert with decode-event:ipv4.* suricata today git

Added by rmkml almost 4 years ago. Updated almost 4 years ago.

Status: Closed
Start date: 06/16/2010
Priority: Normal
Due date: 06/22/2010
Assignee: Victor Julien
% Done: 100%
Category: -
Estimated time: 0.00 hour
Target version: 1.0.0

Description

Hi,
On suricata today git (d6709b0961ee972c0402edf0f080ebed590d9581), I don't get an alert with the attached pcap file.
I have added these sigs but get no alert:
alert ip any any -> any any (msg:"1"; decode-event:ipv4.pkt_too_small; sid:1; rev:1;)
alert ip any any -> any any (msg:"2"; decode-event:ipv4.hlen_too_small; sid:2; rev:1;)
alert ip any any -> any any (msg:"3"; decode-event:ipv4.iplen_smaller_than_hlen; sid:3; rev:1;)
alert ip any any -> any any (msg:"4"; decode-event:ipv4.trunc_pkt; sid:4; rev:1;)
alert ip any any -> any any (msg:"5"; decode-event:ipv4.opt_invalid; sid:5; rev:1;)
alert ip any any -> any any (msg:"6"; decode-event:ipv4.opt_invalid_len; sid:6; rev:1;)
alert ip any any -> any any (msg:"7"; decode-event:ipv4.opt_malformed; sid:7; rev:1;)
alert ip any any -> any any (msg:"8"; decode-event:ipv4.opt_pad_required; sid:8; rev:1;)
alert ip any any -> any any (msg:"9"; decode-event:ipv4.opt_eol_required; sid:9; rev:1;)
alert ip any any -> any any (msg:"10"; decode-event:ipv4.opt_duplicate; sid:10; rev:1;)
alert ip any any -> any any (msg:"11"; decode-event:ipv4.opt_unknown; sid:11; rev:1;)
alert ip any any -> any any (msg:"12"; decode-event:ipv4.wrong_ip_version; sid:12; rev:1;)
...
Regards
Rmkml

suricatawrongiplen.pcap (100 Bytes) rmkml, 06/16/2010 03:18 PM

Associated revisions

Revision d41b5645
Added by Victor Julien almost 4 years ago

Make sure decoder event rules are inspected even if the packet is invalid and has no addresses or proto. Update fast log and alert debug log to display the alerts. Fixes #179.

History

#1 Updated by Victor Julien almost 4 years ago

  • Due date set to 06/22/2010
  • Assignee set to Victor Julien
  • Target version set to 0.9.3
  • Estimated time set to 0.00

It seems that, because the ipv4 packet is invalid, the detection code can't look up the proper sgh by protocol.
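The header checks behind the decode-event keywords listed in the description, and the detection problem this comment points at, as an added standalone example (this is not Suricata's decoder or detection code; the set of option types treated as known, the sample header builder and the rule table are assumptions made for the example):

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IPv4 decoder events, named after the decode-event keywords in the rules
 * above; only a subset of the option events is modelled. */
enum ipv4_event {
    IPV4_OK = 0, IPV4_PKT_TOO_SMALL, IPV4_WRONG_IP_VERSION, IPV4_HLEN_TOO_SMALL,
    IPV4_IPLEN_SMALLER_THAN_HLEN, IPV4_TRUNC_PKT, IPV4_OPT_INVALID_LEN,
    IPV4_OPT_DUPLICATE, IPV4_OPT_UNKNOWN
};
static const char *ipv4_event_name[] = {
    "ok", "ipv4.pkt_too_small", "ipv4.wrong_ip_version", "ipv4.hlen_too_small",
    "ipv4.iplen_smaller_than_hlen", "ipv4.trunc_pkt", "ipv4.opt_invalid_len",
    "ipv4.opt_duplicate", "ipv4.opt_unknown"
};
#define IPV4_HEADER_LEN 20

/* Decoded header: the event plus the protocol a per-protocol signature-group
 * lookup is keyed on. On any event proto stays 0, so such a lookup finds no
 * rules for an invalid packet. */
struct ipv4_decoded { enum ipv4_event event; uint8_t proto; };

/* Option types treated as known here (assumed list for this example). */
static int ipv4_known_option(uint8_t t)
{
    return t == 7 || t == 25 || t == 68 || t == 130 || t == 131 ||
           t == 134 || t == 136 || t == 137 || t == 148;
}

/* Decode an IPv4 header from buf[0..len). Checks run in the order a decoder
 * can evaluate them: fixed header, length consistency, then options. */
struct ipv4_decoded ipv4_decode(const uint8_t *buf, size_t len)
{
    struct ipv4_decoded d = { IPV4_OK, 0 };
    if (len < IPV4_HEADER_LEN) { d.event = IPV4_PKT_TOO_SMALL; return d; }
    if ((buf[0] >> 4) != 4) { d.event = IPV4_WRONG_IP_VERSION; return d; }
    size_t hlen = (size_t)(buf[0] & 0x0f) * 4;
    if (hlen < IPV4_HEADER_LEN) { d.event = IPV4_HLEN_TOO_SMALL; return d; }
    size_t iplen = ((size_t)buf[2] << 8) | buf[3];
    if (iplen < hlen) { d.event = IPV4_IPLEN_SMALLER_THAN_HLEN; return d; }
    if (len < iplen) { d.event = IPV4_TRUNC_PKT; return d; }
    uint8_t seen[256] = { 0 };
    for (size_t off = IPV4_HEADER_LEN; off < hlen;) {
        uint8_t type = buf[off];
        if (type == 0) break;               /* EOL ends the option list */
        if (type == 1) { off++; continue; } /* NOP carries no length byte */
        if (off + 1 >= hlen) { d.event = IPV4_OPT_INVALID_LEN; return d; }
        uint8_t olen = buf[off + 1];
        if (olen < 2 || off + olen > hlen) { d.event = IPV4_OPT_INVALID_LEN; return d; }
        if (!ipv4_known_option(type)) { d.event = IPV4_OPT_UNKNOWN; return d; }
        if (seen[type]++) { d.event = IPV4_OPT_DUPLICATE; return d; }
        off += olen;
    }
    d.proto = buf[9];
    return d;
}

/* A decode-event rule: sid fires on the named event alone, so matching is
 * keyed on the event and still works when proto/addresses were never set. */
struct decode_rule { int sid; enum ipv4_event event; };
int decode_event_match(const struct decode_rule *rules, size_t n,
                       const uint8_t *buf, size_t len)
{
    struct ipv4_decoded d = ipv4_decode(buf, len);
    for (size_t i = 0; d.event != IPV4_OK && i < n; i++)
        if (rules[i].event == d.event) return rules[i].sid;
    return 0;
}

/* Constructed test header (not taken from the attached pcap): given version,
 * IHL and total length; proto TCP, 10.0.0.1 -> 10.0.0.2, option bytes zeroed. */
size_t ipv4_sample(uint8_t *buf, uint8_t version, uint8_t ihl, uint16_t total_len)
{
    size_t hlen = (size_t)ihl * 4;
    memset(buf, 0, hlen > IPV4_HEADER_LEN ? hlen : IPV4_HEADER_LEN);
    buf[0] = (uint8_t)((version << 4) | (ihl & 0x0f));
    buf[2] = (uint8_t)(total_len >> 8);
    buf[3] = (uint8_t)(total_len & 0xff);
    buf[8] = 64; buf[9] = 6;
    buf[12] = 10; buf[15] = 1; buf[16] = 10; buf[19] = 2;
    return hlen;
}

int main(void)
{
    static const struct decode_rule rules[] = {
        { 3, IPV4_IPLEN_SMALLER_THAN_HLEN }, { 4, IPV4_TRUNC_PKT } };
    uint8_t pkt[64];
    /* Total length 10 inside a 20-byte header: the "wrong iplen" case. */
    ipv4_sample(pkt, 4, 5, 10);
    printf("%s -> sid %d\n", ipv4_event_name[ipv4_decode(pkt, 20).event],
           decode_event_match(rules, 2, pkt, 20));
    /* Header claims 100 bytes but only 40 are on the wire. */
    ipv4_sample(pkt, 4, 5, 100);
    printf("%s -> sid %d\n", ipv4_event_name[ipv4_decode(pkt, 40).event],
           decode_event_match(rules, 2, pkt, 40));
    return 0;
}
```

Build with a C99 compiler and run; ipv4_decode leaves proto at 0 for every event, so a lookup keyed on protocol has nothing to select on, while decode_event_match keys on the event itself and fires sid 3 for a total length smaller than the header length and sid 4 for a truncated packet.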

#2 Updated by Victor Julien almost 4 years ago

  • Target version changed from 0.9.3 to 1.0.0

#3 Updated by Victor Julien almost 4 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

Fixed in current master.
