Actions
Bug #2576
closedfilemd5 is not fired in some cases when there are invalid packets
Affected Versions:
Effort:
Difficulty:
Label:
Description
Run suricata using below command with the attachment:
suricata -r ./temp1.pcap -c /etc/suricata/suricata.yaml
where there is only one signature configured:
alert ip any any -> any any (msg:"filemd5";filemd5: md5list; sid: 3; rev: 1;)
and the md5list file only contains one line:
090fe607a5be1228362614ccaa088577
When use the original pcap file temp1.pcap, filemd5 alert is not fired. Wireshark shows this file has two invalid packets 13 and 14.
Then remove packet 13 and 14 manually, and save it to temp6.pcap. Re-run: suricata -r ./temp6.pcap -c /etc/suricata/suricata.yaml. This time filemd5 alert can be fired.
It seems suricata have some issues handling these invalid packets, and make filemd5 not fired
Files
Updated by Victor Julien over 6 years ago
- Status changed from New to Assigned
- Assignee set to Victor Julien
- Target version set to 4.0.6
- Affected Versions 4.0.5 added
- Affected Versions deleted (
4.0.6)
Updated by Victor Julien about 6 years ago
- Status changed from Assigned to Closed
- Priority changed from High to Normal
Actions