Bug #180
[Closed] no alert with ip proto GRE on suricata today git and v0.9.1
Description
Hi,
On suricata today git (ca7f54de2596f24663f18d079681d8cfa25fe81f) and v0.9.1, I don't get an
alert with the attached pcap file.
I have added this simple example sig:
alert ip any any -> any any (msg:"GRE suricata test"; ip_proto:47; classtype:attempted-admin; sid:9431292; rev:1; )
and the alert fires, of course, with Snort.
No other sig in my test, no error in suricata.log.
Regards
Rmkml
Updated by Victor Julien over 14 years ago
- Due date set to 06/22/2010
- Assignee set to OISF Dev
- Target version set to 0.9.3
- Estimated time set to 2.50 h
Updated by Victor Julien over 14 years ago
- Due date changed from 06/22/2010 to 06/28/2010
- Assignee changed from OISF Dev to Pablo Rincon
- Target version changed from 0.9.3 to 1.0.0
Updated by Victor Julien over 14 years ago
- Due date changed from 06/28/2010 to 07/06/2010
- Target version changed from 1.0.0 to 1.0.1
Updated by rmkml rmkml over 14 years ago
Hi,
I have tested with git today and get the same: no alert,
but I do have a decode-event alert: gre.wrong_version.
That is true for the attached pcap file, but why is there no alert on the simple sig, please?
Regards
Rmkml
Updated by Victor Julien over 14 years ago
It seems the issue is that we set the protocol only for valid packets, while here the GRE part of the packet seems invalid. This behavior seems incompatible with Snort.
Updated by Pablo Rincon over 14 years ago
- File 0001-Fix-for-bug-180-check-proto-specified-at-the-IP-hdr.patch added
This patch should fix the issue, to be compatible, by checking the proto at the IP header instead of p->proto (which is not set on invalid packets).
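The behaviour discussed in the two comments above, as an added example that is not Suricata's own code: a toy IPv4/GRE decoder in which the decoder-owned protocol field is only set once the whole decode chain succeeds (the pre-fix model), next to an ip_proto matcher that reads the protocol number straight from the IPv4 header (the approach the patch takes). The names pkt_t, decode_packet, match_ip_proto_old and match_ip_proto_new are hypothetical, and the two packets are constructed in the code: one with a valid GRE version, one whose GRE version bits are wrong, so the decoder raises a gre.wrong_version style event and never sets p->proto.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not Suricata code. Hypothetical names throughout. */

#define PROTO_GRE 47
#define GRE_VERSION_MASK 0x07   /* version lives in the low 3 bits of GRE byte 1 */

enum { EV_NONE = 0, EV_IPV4_INVALID = 1, EV_GRE_TRUNCATED = 2, EV_GRE_WRONG_VERSION = 3 };

typedef struct {
    const uint8_t *raw;     /* packet bytes */
    size_t len;
    const uint8_t *ip4h;    /* IPv4 header, NULL until the IPv4 layer decoded */
    int proto;              /* decoder-owned: set only after a fully valid decode, else -1 */
    int event;              /* decode event raised, EV_NONE if none */
} pkt_t;

/* GRE (RFC 2784/2890): accept version 0 (GRE) and 1 (PPTP enhanced GRE), reject the rest. */
static int decode_gre(const uint8_t *gre, size_t len) {
    if (len < 4) return EV_GRE_TRUNCATED;
    int version = gre[1] & GRE_VERSION_MASK;
    if (version != 0 && version != 1) return EV_GRE_WRONG_VERSION;
    return EV_NONE;
}

/* Pre-fix model: p->proto is only written when every layer decoded cleanly. */
static void decode_packet(pkt_t *p) {
    p->ip4h = NULL; p->proto = -1; p->event = EV_NONE;
    if (p->len < 20 || (p->raw[0] >> 4) != 4) { p->event = EV_IPV4_INVALID; return; }
    size_t hlen = (size_t)(p->raw[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > p->len) { p->event = EV_IPV4_INVALID; return; }
    p->ip4h = p->raw;
    int hdr_proto = p->raw[9];             /* IPv4 protocol field */
    if (hdr_proto == PROTO_GRE) {
        int ev = decode_gre(p->raw + hlen, p->len - hlen);
        if (ev != EV_NONE) { p->event = ev; return; }   /* proto stays -1: the bug */
    }
    p->proto = hdr_proto;
}

/* ip_proto matcher, old behaviour: trusts the decoder-owned field. */
static int match_ip_proto_old(const pkt_t *p, int want) {
    return p->proto == want;
}

/* ip_proto matcher, patched behaviour: reads the protocol number from the IP header itself. */
static int match_ip_proto_new(const pkt_t *p, int want) {
    return p->ip4h != NULL && p->ip4h[9] == (uint8_t)want;
}

/* Constructed sample: 20-byte IPv4 header (proto 47) + 4-byte GRE header with the given version.
 * The IPv4 checksum is left zero; this toy decoder does not verify it. */
static size_t build_ipv4_gre(uint8_t *buf, int gre_version) {
    static const uint8_t ip[20] = {
        0x45, 0x00, 0x00, 0x18,   /* v4, IHL 5, total length 24 */
        0x00, 0x01, 0x00, 0x00,   /* id, flags/fragment offset */
        0x40, 0x2f, 0x00, 0x00,   /* TTL 64, proto 47 (GRE), checksum not computed */
        0x0a, 0x00, 0x00, 0x01,   /* src 10.0.0.1 */
        0x0a, 0x00, 0x00, 0x02    /* dst 10.0.0.2 */
    };
    memcpy(buf, ip, sizeof ip);
    buf[20] = 0x00;                                  /* flags: no checksum/key/sequence */
    buf[21] = (uint8_t)(gre_version & GRE_VERSION_MASK);
    buf[22] = 0x08; buf[23] = 0x00;                  /* protocol type 0x0800 (IPv4) */
    return 24;
}

typedef struct { int old_fired; int new_fired; int event; } verdict_t;

/* Decode one constructed packet and run both matchers for ip_proto:47. */
static verdict_t run_case(int gre_version) {
    uint8_t buf[64];
    size_t n = build_ipv4_gre(buf, gre_version);
    pkt_t p = { buf, n, NULL, -1, EV_NONE };
    decode_packet(&p);
    verdict_t v = { match_ip_proto_old(&p, PROTO_GRE), match_ip_proto_new(&p, PROTO_GRE), p.event };
    return v;
}

int main(void) {
    int versions[2] = { 0, 5 };
    for (int i = 0; i < 2; i++) {
        verdict_t v = run_case(versions[i]);
        printf("GRE version %d: event=%d old_matcher=%d new_matcher=%d\n",
               versions[i], v.event, v.old_fired, v.new_fired);
    }
    return 0;
}
```

With the valid packet both matchers fire; with the wrong-version packet the old matcher stays silent while the decode event is raised, and only the matcher that reads the IP header still fires, which is the Snort-compatible behaviour the patch restores.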
Updated by Victor Julien over 14 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
Patch applied, thanks Pablo. Commit 70bda6506db84ff33e51520f09b956c3cd648cc1
Fixed the unittests that were broken after this to use the unittest helper functions.