Bug #209

regression v100 and git today cause two (same?) FP

Added by rmkml rmkml almost 4 years ago. Updated over 3 years ago.

Status: Closed
Start date: 07/13/2010
Priority: Normal
Due date: 07/20/2010
Assignee: Victor Julien
% Done: 100%
Category: -
Estimated time: 2.50 hours
Target version: 1.0.1

Description

Hi,
I have two FPs with two sigs on the joined pcap file:
alert udp any any <> any 0 (msg:"BAD-TRAFFIC udp port 0 traffic"; classtype:misc-activity; sid:525; rev:9;)
alert udp any 0 -> 224.0.0.0/4 5353 (msg:"suricata fp"; classtype:bad-unknown; sid:9037079; rev:1;)
The pcap file contains only one packet, with the IGMP protocol.
Please check.
Regards
Rmkml

suricatafpigmpmulticastnotudpsrcport0.pcap (104 Bytes) rmkml rmkml, 07/13/2010 03:35 PM

History

#1 Updated by Victor Julien almost 4 years ago

  • Due date set to 07/20/2010
  • Assignee set to OISF Dev
  • Target version set to 1.0.1
  • Estimated time set to 2.50

#2 Updated by Will Metcalf over 3 years ago

Problem verified: these sigs should not fire, but they do...
cat fast.log
06/29/10-08:17:39.364224 [**] [1:9037079:1] suricata fp [**] [Classification: Potentially Bad Traffic] [Priority: 3] {2} 10.50.1.191:0 -> 224.0.0.2:0
06/29/10-08:17:39.364224 [**] [1:525:9] BAD-TRAFFIC udp port 0 traffic [**] [Classification: Misc activity] [Priority: 3] {2} 10.50.1.191:0 -> 224.0.0.2:0
06/29/10-08:17:39.364224 [**] [1:525:9] BAD-TRAFFIC udp port 0 traffic [**] [Classification: Misc activity] [Priority: 3] {2} 10.50.1.191:0 -> 224.0.0.2:0
coz@coz-desktop:~/downloads/oisfnew$ tcpdump -nnn -r suricatafpigmpmulticastnotudpsrcport0.pcap
reading from file suricatafpigmpmulticastnotudpsrcport0.pcap, link-type EN10MB (Ethernet)
03:17:39.364224 IP 10.50.1.191 > 224.0.0.2: igmp leave 224.0.0.251
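
As an added triage check (not part of this ticket or of Suricata's own code): the {N} field in fast.log is the packet's IP protocol number, so alerts from a udp rule that are reported with {2} (IGMP) can be found mechanically. The rules and the first two log lines are the ones quoted in this ticket; the third log line is a constructed UDP alert ({17}) for contrast.

```python
import re

# Constructed input: the two signatures from the report, verbatim.
RULES_TEXT = """\
alert udp any any <> any 0 (msg:"BAD-TRAFFIC udp port 0 traffic"; classtype:misc-activity; sid:525; rev:9;)
alert udp any 0 -> 224.0.0.0/4 5353 (msg:"suricata fp"; classtype:bad-unknown; sid:9037079; rev:1;)
"""

# Constructed input: the first two fast.log lines from the comment above, plus
# one made-up alert on a real UDP packet ({17}) to show a correct match.
FAST_LOG = """\
06/29/10-08:17:39.364224 [**] [1:9037079:1] suricata fp [**] [Classification: Potentially Bad Traffic] [Priority: 3] {2} 10.50.1.191:0 -> 224.0.0.2:0
06/29/10-08:17:39.364224 [**] [1:525:9] BAD-TRAFFIC udp port 0 traffic [**] [Classification: Misc activity] [Priority: 3] {2} 10.50.1.191:0 -> 224.0.0.2:0
06/29/10-08:17:40.000000 [**] [1:525:9] BAD-TRAFFIC udp port 0 traffic [**] [Classification: Misc activity] [Priority: 3] {17} 10.50.1.191:0 -> 10.50.1.1:53
"""

# IANA protocol numbers, as Suricata prints them in the {N} field of fast.log.
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}

# "alert <proto> ... sid:<n>;" -> protocol keyword and sid of each rule.
RULE_RE = re.compile(r"^alert\s+(?P<proto>\w+)\s.*\bsid:\s*(?P<sid>\d+);", re.M)
# "[gid:sid:rev] <msg and brackets> {proto} src -> dst" at the end of a fast.log line.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] .*? \{(?P<proto>\d+)\} "
    r"(?P<src>\S+) -> (?P<dst>\S+)$"
)


def rule_protocols(rules_text):
    """Map sid -> protocol keyword ('udp', 'tcp', ...) for each alert rule."""
    return {int(m.group("sid")): m.group("proto").lower()
            for m in RULE_RE.finditer(rules_text)}


def find_protocol_mismatches(fast_log, sid_to_proto):
    """Return (sid, rule_proto, packet_proto) for every alert whose packet's IP
    protocol number differs from the protocol keyword of the rule that fired.
    A udp rule reported against protocol 2 (IGMP) is exactly this bug."""
    mismatches = []
    for line in fast_log.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        sid, packet_proto = int(m.group("sid")), int(m.group("proto"))
        rule_proto = sid_to_proto.get(sid)
        if rule_proto and PROTO_NUMBERS.get(rule_proto) != packet_proto:
            mismatches.append((sid, rule_proto, packet_proto))
    return mismatches


if __name__ == "__main__":
    for sid, rp, pp in find_protocol_mismatches(FAST_LOG, rule_protocols(RULES_TEXT)):
        print(f"sid {sid}: rule is {rp} but packet protocol is {pp}")
```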

#3 Updated by Victor Julien over 3 years ago

  • Assignee changed from OISF Dev to Victor Julien

#4 Updated by Victor Julien over 3 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

Fixed in the current git master, commit 689d05b10bd92cbb5a7a4277c2592b95e48dd302.

Thanks for the report rmkml!
