Bug #209
closed
regression v100 and git today cause two (same?) FP
Added by rmkml rmkml almost 14 years ago.
Updated almost 14 years ago.
Description
Hi,
I have two FP with two sigs on joigned pcap file:
alert udp any any <> any 0 (msg:"BAD-TRAFFIC udp port 0 traffic"; classtype:misc-activity; sid:525; rev:9;)
alert udp any 0 -> 224.0.0.0/4 5353 (msg:"suricata fp"; classtype:bad-unknown; sid:9037079; rev:1;)
Pcap file contains only one packet with IGMP protocol.
Please Check.
Regards
Rmkml
Files
- Due date set to 07/20/2010
- Assignee set to OISF Dev
- Target version set to 1.0.1
- Estimated time set to 2.50 h
problem verified these sigs should not fire but they do...
cat fast.log
06/29/10-08:17:39.364224 [**] [1:9037079:1] suricata fp [**] [Classification: Potentially Bad Traffic] [Priority: 3] {2} 10.50.1.191:0 -> 224.0.0.2:0
06/29/10-08:17:39.364224 [**] [1:525:9] BAD-TRAFFIC udp port 0 traffic [**] [Classification: Misc activity] [Priority: 3] {2} 10.50.1.191:0 -> 224.0.0.2:0
06/29/10-08:17:39.364224 [**] [1:525:9] BAD-TRAFFIC udp port 0 traffic [**] [Classification: Misc activity] [Priority: 3] {2} 10.50.1.191:0 -> 224.0.0.2:0
coz@coz-desktop:~/downloads/oisfnew$ tcpdump -nnn -r suricatafpigmpmulticastnotudpsrcport0.pcap
reading from file suricatafpigmpmulticastnotudpsrcport0.pcap, link-type EN10MB (Ethernet)
03:17:39.364224 IP 10.50.1.191 > 224.0.0.2: igmp leave 224.0.0.251
- Assignee changed from OISF Dev to Victor Julien
- Status changed from New to Closed
- % Done changed from 0 to 100
Fixed in the current git master, commit 689d05b10bd92cbb5a7a4277c2592b95e48dd302.
Thanks for the report rmkml!
Also available in: Atom
PDF