Project

General

Profile

Actions
Copy link

Bug #180

closed
RR PR

no alert with ip proto GRE on suricata today git and v0.9.1

Bug #180: no alert with ip proto GRE on suricata today git and v0.9.1

Added by rmkml rmkml almost 16 years ago. Updated over 15 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Pablo Rincon
Target version:
1.0.1
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,
On suricata today git (ca7f54de2596f24663f18d079681d8cfa25fe81f) and v0.9.1, I don't have
alert with joigned pcap file.
I have added this simple example sig:
alert ip any any -> any any (msg:"GRE suricata test"; ip_proto:47; classtype:attempted-admin; sid:9431292; rev:1; )
and alert fire of course with snort.
No other sig on my test, no error on suricata.log.
Regards
Rmkml

Files

Download all files
suricataFNipprotogre18jun2010.pcap (91 Bytes) suricataFNipprotogre18jun2010.pcap rmkml rmkml, 06/18/2010 07:38 AM
0001-Fix-for-bug-180-check-proto-specified-at-the-IP-hdr.patch (3.14 KB) 0001-Fix-for-bug-180-check-proto-specified-at-the-IP-hdr.patch This patch should fix the issue to be compat, checking the proto at the ip hdr instead of p->proto (that is not set on invalid packets). Pablo Rincon, 07/23/2010 10:20 AM
Actions
Copy link

Also available in: PDF Atom