Bug #2304
vlan tracking fp
Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:
Description
In the attached test pcap/rule pair, the rule triggers an alert when "vlan.use-for-tracking = true", although it shouldn't, as the data packet itself has a different VLAN tag.
Updated by Victor Julien over 6 years ago
I don't see the issue yet. The rule matches on the HTTP data which is in packet 4. That packet has vlan id 3333.
{"timestamp":"2014-03-29T16:16:08.842677+0100","flow_id":1871789222845365,"pcap_cnt":4,"event_type":"alert","vlan":3333,"src_ip":"10.0.2.15","src_port":38325,"dest_ip":"66.155.11.238","dest_port":55555,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":90000000,"rev":1,"signature":"TCP tests - sid 90000000 , pcap - 90000000 ","category":"","severity":3},"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":533,"bytes_toclient":0,"start":"2014-03-29T16:16:08.842677+0100"}}
Updated by Peter Manev over 6 years ago
- Status changed from New to Closed
You are correct.
The rule was wrongly generated and was missing "flow:from_server,established;" or similar. With that, it does not alert, as it is supposed to for the test.
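As an added example (not from this ticket or the Suricata project): a small Python triage helper that reads an EVE alert record like the one quoted above, infers the flow direction from the flow packet counters (records of that vintage carry no direction field), and reports whether a rule constrained with flow:from_server or flow:to_server could have matched that packet. The expected VLAN id, the rule_flow parameter and the trimmed copy of the record are assumptions made for the example.

```python
import json

# Constructed copy of the EVE alert record from the ticket, trimmed to the
# fields this check uses.
SAMPLE_EVE = ('{"timestamp":"2014-03-29T16:16:08.842677+0100","pcap_cnt":4,'
              '"event_type":"alert","vlan":3333,"src_ip":"10.0.2.15","src_port":38325,'
              '"dest_ip":"66.155.11.238","dest_port":55555,"proto":"TCP",'
              '"alert":{"signature_id":90000000,"rev":1},'
              '"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":533,"bytes_toclient":0}}')


def flow_direction(record):
    """Infer which direction(s) the alerting flow has carried packets in,
    using the flow counters present in older EVE alert records."""
    flow = record.get("flow", {})
    to_srv = flow.get("pkts_toserver", 0)
    to_cli = flow.get("pkts_toclient", 0)
    if to_srv and not to_cli:
        return "to_server"
    if to_cli and not to_srv:
        return "to_client"
    return "both" if (to_srv and to_cli) else "unknown"


def triage_alert(line, expected_vlan, rule_flow=None):
    """Parse one EVE line; return None unless it is an alert. Otherwise report
    the VLAN seen, whether it matches the expected tracking VLAN, the inferred
    direction, and whether a rule with the given flow keyword could match."""
    record = json.loads(line)
    if record.get("event_type") != "alert":
        return None
    vlan = record.get("vlan")
    # Newer Suricata versions emit "vlan" as a list of tags (outer first).
    if isinstance(vlan, list):
        vlan = vlan[0] if vlan else None
    direction = flow_direction(record)
    verdict = {
        "sid": record.get("alert", {}).get("signature_id"),
        "pcap_cnt": record.get("pcap_cnt"),
        "vlan": vlan,
        "vlan_ok": vlan == expected_vlan,
        "direction": direction,
    }
    # flow:from_server only matches data the server sent; flow:to_server only
    # data the client sent. Without a direction keyword any packet qualifies.
    if rule_flow in ("from_server", "to_client"):
        verdict["rule_would_match"] = direction != "to_server"
    elif rule_flow in ("to_server", "from_client"):
        verdict["rule_would_match"] = direction != "to_client"
    else:
        verdict["rule_would_match"] = True
    return verdict
```

Run over the ticket's record, the unconstrained rule is reported as able to match the to_server data packet (the false positive), while the same record with rule_flow="from_server" is not.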