Support #2059
Lots of "zero length padN option" alerts
Status: closed
Description
I get a lot of these alerts on my network, and have seen similar reports:
{"timestamp":"2017-03-05T03:55:34.575193-0700","flow_id":150194715281113,"in_iface":"igb0","event_type":"alert","src_ip":"fe80:0000:0000:0000:d001:7598:5a92:22bd","dest_ip":"ff02:0000:0000:0000:0000:0000:0000:0016","proto":"IPV6-ICMP","icmp_type":143,"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":2200094,"rev":1,"signature":"SURICATA zero length padN option","category":"","severity":3},"payload":"AAAAAQMAAAD\/AgAAAAAAAA==","payload_printable":"................","stream":0,"packet":"MzMAAAAWADBIy3yQht1gAAAAACQAAf6AAAAAAAAA0AF1mFqSIr3\/AgAAAAAAAAAAAAAAAAAWOgAFAgAAAQCPAK4dAAAAAQMAAAD\/AgAAAAAAAAAAAAAAAQAD","packet_info":{"linktype":1}}
{"timestamp":"2017-03-05T04:17:23.273473-0700","flow_id":2100960356812271,"in_iface":"igb3","event_type":"alert","src_ip":"fe80:0000:0000:0000:c63d:c7ff:fe4c:60a5","dest_ip":"ff02:0000:0000:0000:0000:0000:0000:0016","proto":"IPV6-ICMP","icmp_type":143,"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":2200094,"rev":1,"signature":"SURICATA zero length padN option","category":"","severity":3},"payload":"AAAAAgQAAAD\/BQAAAAAAAAAAAAAAAQADBAAAAP8CAAAAAAAA","payload_printable":"....................................","stream":0,"packet":"MzMAAAAWxD3HTGClht1gAAAAADgAAf6AAAAAAAAAxj3H\/\/5MYKX\/AgAAAAAAAAAAAAAAAAAWOgAFAgAAAQCPAH+5AAAAAgQAAAD\/BQAAAAAAAAAAAAAAAQADBAAAAP8CAAAAAAAAAAAAAAABAAI=","packet_info":{"linktype":1}}
{"timestamp":"2017-03-05T09:15:59.510634-0700","flow_id":709207443605647,"in_iface":"igb0","event_type":"alert","src_ip":"fe80:0000:0000:0000:d9ed:a9b1:57ef:2d16","dest_ip":"ff02:0000:0000:0000:0000:0000:0000:0016","proto":"IPV6-ICMP","icmp_type":143,"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":2200094,"rev":1,"signature":"SURICATA zero length padN option","category":"","severity":3},"payload":"AAAAAQMAAAD\/AgAAAAAAAA==","payload_printable":"................","stream":0,"packet":"MzMAAAAW1L7ZSLkXht1gAAAAACQAAf6AAAAAAAAA2e2psVfvLRb\/AgAAAAAAAAAAAAAAAAAWOgAFAgAAAQCPAGhiAAAAAQMAAAD\/AgAAAAAAAAAAAAAAAQAD","packet_info":{"linktype":1}}
{"timestamp":"2017-03-05T10:17:36.029426-0700","flow_id":2100959625900786,"in_iface":"igb3","event_type":"alert","src_ip":"fe80:0000:0000:0000:c63d:c7ff:fe4c:60a5","dest_ip":"ff02:0000:0000:0000:0000:0000:0000:0016","proto":"IPV6-ICMP","icmp_type":143,"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":2200094,"rev":1,"signature":"SURICATA zero length padN option","category":"","severity":3},"payload":"AAAAAgMAAAD\/AgAAAAAAAAAAAAAAAQACAwAAAP8FAAAAAAAA","payload_printable":"....................................","stream":0,"packet":"MzMAAAAWxD3HTGClht1gAAAAADgAAf6AAAAAAAAAxj3H\/\/5MYKX\/AgAAAAAAAAAAAAAAAAAWOgAFAgAAAQCPAIG5AAAAAgMAAAD\/AgAAAAAAAAAAAAAAAQACAwAAAP8FAAAAAAAAAAAAAAABAAM=","packet_info":{"linktype":1}}
This is with version 3.1.2_2 from pfSense.
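To see exactly what the decoder event is reacting to, the following added example (written for this page; it is not Suricata's own decoder code) decodes the base64 "packet" field of the first two alerts quoted above, walks the IPv6 Hop-by-Hop options, verifies the ICMPv6 checksum against the pseudo-header, and summarises the MLDv2 report carried inside. The two packet strings are copied from the alerts (the JSON "\/" escape is a plain "/"); the function names and the keys of the returned dict are this example's own.

```python
"""Decode the base64 "packet" field of a Suricata EVE alert, walk the IPv6
Hop-by-Hop options and verify the ICMPv6 checksum, to see what SID 2200094
("SURICATA zero length padN option") is actually flagging."""
import base64
import ipaddress
import struct

ETHERTYPE_IPV6 = 0x86DD
IPPROTO_HOPOPTS = 0
IPPROTO_ICMPV6 = 58
OPT_PAD1, OPT_PADN, OPT_ROUTER_ALERT = 0, 1, 5
ICMPV6_MLDV2_REPORT = 143

# Frames copied from the "packet" field of the first two alerts in the report
# (JSON's "\/" escape is just "/"); json.loads(line)["packet"] yields the same.
# Everything else in this file is example code, not Suricata's decoder.
SAMPLE_PACKETS = [
    "MzMAAAAWADBIy3yQht1gAAAAACQAAf6AAAAAAAAA0AF1mFqSIr3/AgAAAAAAAAAAAAAAAAAWOgAFAgAAAQCPAK4dAAAAAQMAAAD/AgAAAAAAAAAAAAAAAQAD",
    "MzMAAAAWxD3HTGClht1gAAAAADgAAf6AAAAAAAAAxj3H//5MYKX/AgAAAAAAAAAAAAAAAAAWOgAFAgAAAQCPAH+5AAAAAgQAAAD/BQAAAAAAAAAAAAAAAQADBAAAAP8CAAAAAAAAAAAAAAABAAI=",
]


def parse_options(area):
    """Walk the option TLVs of a Hop-by-Hop options header.
    Returns [(type, length, value)]; Pad1 is a single byte with no length."""
    opts, i = [], 0
    while i < len(area):
        t = area[i]
        if t == OPT_PAD1:
            opts.append((t, 0, b""))
            i += 1
            continue
        if i + 1 >= len(area):
            raise ValueError("option header truncated")
        n = area[i + 1]
        val = area[i + 2:i + 2 + n]
        if len(val) != n:
            raise ValueError("option length runs past the header")
        opts.append((t, n, val))
        i += 2 + n
    return opts


def icmpv6_checksum(src, dst, msg):
    """RFC 4443 checksum: one's complement sum over the IPv6 pseudo-header
    (src, dst, 32-bit upper-layer length, 3 zero bytes, next header) + msg."""
    pseudo = src + dst + struct.pack("!I", len(msg)) + b"\x00\x00\x00" + bytes([IPPROTO_ICMPV6])
    data = pseudo + msg
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def analyze_eve_packet(packet_b64):
    """Describe an Ethernet/IPv6 frame: addresses, Hop-by-Hop options, whether a
    zero-length PadN is present, and a summary of the ICMPv6 message."""
    frame = base64.b64decode(packet_b64)
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        raise ValueError("not an Ethernet/IPv6 frame")
    ip6 = frame[14:]
    if ip6[0] >> 4 != 6:
        raise ValueError("not IPv6")
    payload_len, next_hdr, hop_limit = struct.unpack("!HBB", ip6[4:8])
    src, dst = ip6[8:24], ip6[24:40]
    body = ip6[40:40 + payload_len]
    if len(body) != payload_len:
        raise ValueError("frame shorter than the IPv6 payload length")

    info = {"src": str(ipaddress.IPv6Address(src)), "dst": str(ipaddress.IPv6Address(dst)),
            "hop_limit": hop_limit, "options": [], "zero_length_padn": False, "icmpv6": None}
    if next_hdr == IPPROTO_HOPOPTS:
        # Hdr Ext Len counts 8-octet units beyond the first 8 octets.
        ext_len = (body[1] + 1) * 8
        next_hdr = body[0]
        info["options"] = parse_options(body[2:ext_len])
        info["zero_length_padn"] = any(t == OPT_PADN and n == 0 for t, n, _ in info["options"])
        body = body[ext_len:]
    if next_hdr == IPPROTO_ICMPV6 and len(body) >= 4:
        icmp_type, icmp_code, cksum = struct.unpack("!BBH", body[:4])
        zeroed = body[:2] + b"\x00\x00" + body[4:]  # checksum field zeroed for recomputation
        icmp = {"type": icmp_type, "code": icmp_code,
                "checksum_ok": icmpv6_checksum(src, dst, zeroed) == cksum, "records": []}
        if icmp_type == ICMPV6_MLDV2_REPORT:
            # MLDv2 report (RFC 3810): reserved(2), nrecords(2), then records of
            # type(1) aux_len(1) nsrc(2) mcast(16) + sources + aux data.
            nrec = struct.unpack("!H", body[6:8])[0]
            off = 8
            for _ in range(nrec):
                rtype, aux_len, nsrc = struct.unpack("!BBH", body[off:off + 4])
                icmp["records"].append((rtype, str(ipaddress.IPv6Address(body[off + 4:off + 20]))))
                off += 20 + 16 * nsrc + 4 * aux_len
        info["icmpv6"] = icmp
    return info


if __name__ == "__main__":
    for b64 in SAMPLE_PACKETS:
        r = analyze_eve_packet(b64)
        print(r["src"], "->", r["dst"], "options:", [(t, n) for t, n, _ in r["options"]],
              "zero-length PadN:", r["zero_length_padn"], "icmpv6:", r["icmpv6"])
```

In both frames the Hop-by-Hop header is eight bytes: a Router Alert option (type 5, length 2, value 0 for MLD) followed by a PadN option (type 1) whose length field is 0, i.e. two bytes of padding to reach the 8-octet boundary; that length-0 PadN is what SID 2200094 reports. The ICMPv6 checksums verify and the messages are ordinary MLDv2 reports for well-known multicast groups, so the practical check before acting on Andreas's suggestion to disable the rule is whether the link-local source addresses belong to your own hosts; if they do, the alert is noise from their multicast listener reports rather than a sign of crafted extension headers.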
Updated by Andreas Herz about 7 years ago
Well, a zero PadN length is not forbidden by the RFC, but it's strange. So you can read it as a hint, but if you think the traffic is valid like that, you might just disable that rule.
Updated by Andreas Herz almost 7 years ago
- Assignee set to Orion Poplawski
- Target version set to TBD