Bug #2304

closed

vlan tracking fp

Added by Peter Manev over 6 years ago. Updated over 6 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -
Affected Versions:
Effort:
Difficulty:
Label:

Description

In the attached test pcap/rule pair the rule triggers an alert when "vlan.use-for-tracking = true", although it shouldn't, as the data packet itself has a different vlan tag.


Files

90000000.tar.xz (1.02 KB) - Peter Manev, 11/28/2017 04:57 PM
Actions #1

Updated by Victor Julien over 6 years ago

I don't see the issue yet. The rule matches on the HTTP data which is in packet 4. That packet has vlan id 3333.

{"timestamp":"2014-03-29T16:16:08.842677+0100","flow_id":1871789222845365,"pcap_cnt":4,"event_type":"alert","vlan":3333,"src_ip":"10.0.2.15","src_port":38325,"dest_ip":"66.155.11.238","dest_port":55555,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":90000000,"rev":1,"signature":"TCP tests - sid 90000000 , pcap - 90000000 ","category":"","severity":3},"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":533,"bytes_toclient":0,"start":"2014-03-29T16:16:08.842677+0100"}}

Actions #2

Updated by Peter Manev over 6 years ago

  • Status changed from New to Closed

You are correct.
The rule was wrongly generated and was missing "flow:from_server,established;" or similar. With that, it does not alert, as it is supposed to for the test.
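As an added illustration, not code from this ticket or from Suricata, the following Python model shows what the description is testing: when the VLAN id is part of the flow key, a packet carrying a different tag than the rest of the conversation lands in a separate flow, so a rule that depends on that flow's state never sees it. The EVE record is the ticket's alert trimmed to the fields used; the reply packet on VLAN 3334, the list-form "vlan" handling and the key layout are assumptions (a simplified model, not Suricata's flow hash).

```python
import json
from typing import Dict, List, NamedTuple, Optional, Tuple


class Packet(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    vlan: Optional[int]


def packet_from_eve(line: str) -> Packet:
    """Pull the 5-tuple and VLAN id out of one EVE JSON record.
    Accepts the integer "vlan" seen in this ticket and a list form
    (assumption: the outer tag comes first in the list)."""
    rec = json.loads(line)
    vlan = rec.get("vlan")
    if isinstance(vlan, list):
        vlan = vlan[0] if vlan else None
    return Packet(rec["src_ip"], int(rec["src_port"]), rec["dest_ip"],
                  int(rec["dest_port"]), rec["proto"], vlan)


def flow_key(pkt: Packet, use_vlan_for_tracking: bool) -> Tuple:
    """Direction-independent flow key. With use_vlan_for_tracking the VLAN id
    is part of the key, so same-5-tuple packets on different VLANs become
    separate flows (simplified model of vlan.use-for-tracking)."""
    ends = sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)])
    key: Tuple = (pkt.proto, ends[0], ends[1])
    if use_vlan_for_tracking:
        key += (pkt.vlan,)
    return key


def group_flows(pkts: List[Packet], use_vlan: bool) -> Dict[Tuple, List[Packet]]:
    """Bucket packets into flows under the chosen tracking mode."""
    flows: Dict[Tuple, List[Packet]] = {}
    for p in pkts:
        flows.setdefault(flow_key(p, use_vlan), []).append(p)
    return flows


# Constructed sample: the client->server data packet from the ticket's alert
# record (VLAN 3333) and a hypothetical server reply carrying a different tag.
EVE_ALERT = ('{"pcap_cnt":4,"event_type":"alert","vlan":3333,"src_ip":"10.0.2.15",'
             '"src_port":38325,"dest_ip":"66.155.11.238","dest_port":55555,"proto":"TCP"}')
PKT_DATA = packet_from_eve(EVE_ALERT)
PKT_REPLY = Packet("66.155.11.238", 55555, "10.0.2.15", 38325, "TCP", 3334)
```

With tracking off the two packets share one flow; with it on they are two flows, which is why a flow-state keyword such as "flow:from_server,established;" keeps the rule from firing on the mismatched packet.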
