Bug #180
closed
no alert with ip proto GRE on suricata today git and v0.9.1
Added by rmkml over 14 years ago.
Updated over 14 years ago.
Description
Hi,
On suricata today git (ca7f54de2596f24663f18d079681d8cfa25fe81f) and v0.9.1, I don't get an
alert with the attached pcap file.
I have added this simple example sig:
alert ip any any -> any any (msg:"GRE suricata test"; ip_proto:47; classtype:attempted-admin; sid:9431292; rev:1; )
and the alert fires of course with Snort.
No other sig on my test, no error on suricata.log.
Regards
Rmkml
Files
- Due date set to 06/22/2010
- Assignee set to OISF Dev
- Target version set to 0.9.3
- Estimated time set to 2.50 h
- Due date changed from 06/22/2010 to 06/28/2010
- Assignee changed from OISF Dev to Pablo Rincon
- Target version changed from 0.9.3 to 1.0.0
- Due date changed from 06/28/2010 to 07/06/2010
- Target version changed from 1.0.0 to 1.0.1
Hi,
I have tested with today's git and same, no alert,
But I have a decode-event alert: gre.wrong_version.
It's true on the attached pcap file, but why no alert on the simple sig please?
Regards
Rmkml
It seems the issue is that we set the protocol only for valid packets, while here the GRE part of the packet seems invalid. This behavior seems incompatible with Snort.
This patch should fix the issue to be compatible, checking the proto at the IP header instead of p->proto (that is not set on invalid packets).
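The behaviour described in the comment above, as an added example that is not part of this ticket and not Suricata's code: a toy IPv4/GRE decoder that, like the pre-fix engine as the comment describes it, only sets the decoded protocol ("proto", standing in for p->proto) when the GRE header validates, beside an `ip_proto` matcher that reads the decoded value and one that reads the IP header's protocol field directly. The packet is constructed inline with an invalid GRE version (RFC 2784 defines version 0, PPTP in RFC 2637 uses 1; treating anything else as invalid is an assumption modelled on the gre.wrong_version event). The decoder event names and the `ip_proto` operator handling (`!`, `<`, `>`) are assumptions for illustration.

```python
"""Model of bug #180: ip_proto on an IPv4/GRE packet whose GRE header fails validation.
Constructed example; the decoder and matcher are not Suricata's code."""
import struct

IPPROTO_GRE = 47


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over an IPv4 header; 0 for a header with a valid checksum."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_gre(gre_version: int, payload: bytes = b"\x00" * 8) -> bytes:
    """Constructed test packet: 20-byte IPv4 header (proto 47) + 4-byte GRE header + payload.
    gre_version fills the 3-bit GRE version field: 0 is RFC 2784, 1 is PPTP (RFC 2637),
    anything else is invalid (assumption, modelled on the gre.wrong_version event)."""
    gre = struct.pack("!BBH", 0x00, gre_version & 0x07, 0x0800) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0x1234, 0x4000,
                     64, IPPROTO_GRE, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + gre


def decode(pkt: bytes) -> dict:
    """Toy decoder modelled on the behaviour the ticket describes: 'ip_proto' always mirrors the
    IP header field, 'proto' (standing in for p->proto) is set only when decoding succeeds."""
    p = {"ip_proto": None, "proto": None, "events": []}
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        p["events"].append("ipv4.pkt_too_small")      # assumed event name
        return p
    ihl = (pkt[0] & 0x0F) * 4
    p["ip_proto"] = pkt[9]
    if p["ip_proto"] != IPPROTO_GRE:
        p["proto"] = p["ip_proto"]                     # non-GRE: nothing further to validate here
        return p
    greh = pkt[ihl:ihl + 4]
    if len(greh) < 4:
        p["events"].append("gre.pkt_too_small")        # assumed event name
        return p
    version = greh[1] & 0x07
    if version not in (0, 1):
        p["events"].append("gre.wrong_version")
        return p                                       # bail out before 'proto' is set: the bug
    p["proto"] = IPPROTO_GRE
    return p


def parse_ip_proto(option: str):
    """Parse an ip_proto keyword value (N, !N, <N, >N) into a predicate over a protocol number."""
    value = option.strip()
    op = "="
    if value[0] in "!<>":
        op, value = value[0], value[1:]
    n = int(value)
    # An unset protocol (None) never matches, which is exactly what made the rule silent.
    return lambda proto: proto is not None and {
        "=": proto == n, "!": proto != n, "<": proto < n, ">": proto > n}[op]


def match_ip_proto_buggy(p: dict, option: str) -> bool:
    """Pre-fix behaviour: the keyword consults the decoded protocol, unset on invalid packets."""
    return parse_ip_proto(option)(p["proto"])


def match_ip_proto_fixed(p: dict, option: str) -> bool:
    """Post-fix behaviour: the keyword consults the protocol field of the IP header itself."""
    return parse_ip_proto(option)(p["ip_proto"])


def run_demo() -> dict:
    """Evaluate 'ip_proto:47' both ways against a valid and an invalid GRE packet."""
    out = {}
    for label, version in (("valid_gre", 0), ("bad_version_gre", 7)):
        p = decode(build_ipv4_gre(version))
        out[label] = {"events": p["events"],
                      "buggy": match_ip_proto_buggy(p, "47"),
                      "fixed": match_ip_proto_fixed(p, "47")}
    return out


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(label, result)
```

With the invalid packet the decoder records gre.wrong_version, the pre-fix matcher returns False (the decoded protocol was never set), and the post-fix matcher returns True because the IP header still says protocol 47, which is also what Snort keys on.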
- Status changed from New to Closed
- % Done changed from 0 to 100
Patch applied, thanks Pablo. Commit 70bda6506db84ff33e51520f09b956c3cd648cc1
Fixed the unittests that were broken after this to use the unittest helper functions.