Bug #179
closedno alert with decode-event:ipv4.* suricata today git
Description
Hi,
On suricata today git (d6709b0961ee972c0402edf0f080ebed590d9581), I don't have alert with joigned pcap file.
I have added theses sig but no alert:
alert ip any any -> any any (msg:"1"; decode-event:ipv4.pkt_too_small; sid:1; rev:1;)
alert ip any any -> any any (msg:"2"; decode-event:ipv4.hlen_too_small; sid:2; rev:1;)
alert ip any any -> any any (msg:"3"; decode-event:ipv4.iplen_smaller_than_hlen; sid:3; rev:1;)
alert ip any any -> any any (msg:"4"; decode-event:ipv4.trunc_pkt; sid:4; rev:1;)
alert ip any any -> any any (msg:"5"; decode-event:ipv4.opt_invalid; sid:5; rev:1;)
alert ip any any -> any any (msg:"6"; decode-event:ipv4.opt_invalid_len; sid:6; rev:1;)
alert ip any any -> any any (msg:"7"; decode-event:ipv4.opt_malformed; sid:7; rev:1;)
alert ip any any -> any any (msg:"8"; decode-event:ipv4.opt_pad_required; sid:8; rev:1;)
alert ip any any -> any any (msg:"9"; decode-event:ipv4.opt_eol_required; sid:9; rev:1;)
alert ip any any -> any any (msg:"10"; decode-event:ipv4.opt_duplicate; sid:10; rev:1;)
alert ip any any -> any any (msg:"11"; decode-event:ipv4.opt_unknown; sid:11; rev:1;)
alert ip any any -> any any (msg:"12"; decode-event:ipv4.wrong_ip_version; sid:12; rev:1;)
...
Regards
Rmkml
Files
Updated by Victor Julien almost 14 years ago
- Due date set to 06/22/2010
- Assignee set to Victor Julien
- Target version set to 0.9.3
- Estimated time set to 0.00 h
It seems that, because the ipv4 packet is invalid, the detection code can't lookup the proper sgh by protocol.
Updated by Victor Julien almost 14 years ago
- Target version changed from 0.9.3 to 1.0.0
Updated by Victor Julien almost 14 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
Fixed in current master.