Project

General

Profile

Actions

Bug #2576

closed

filemd5 is not fired in some cases when there are invalid packets

Added by kai jiang over 6 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Run suricata using below command with the attachment:
suricata -r ./temp1.pcap -c /etc/suricata/suricata.yaml

where there is only one signature configured:
alert ip any any -> any any (msg:"filemd5";filemd5: md5list; sid: 3; rev: 1;)

and the md5list file only contains one line:
090fe607a5be1228362614ccaa088577

When use the original pcap file temp1.pcap, filemd5 alert is not fired. Wireshark shows this file has two invalid packets 13 and 14.
Then remove packet 13 and 14 manually, and save it to temp6.pcap. Re-run: suricata -r ./temp6.pcap -c /etc/suricata/suricata.yaml. This time filemd5 alert can be fired.

It seems suricata have some issues handling these invalid packets, and make filemd5 not fired


Files

temp1.pcap (6.01 KB) temp1.pcap filemd5 not fire kai jiang, 08/13/2018 10:08 AM
temp6.pcap (4.49 KB) temp6.pcap filemd5 fired kai jiang, 08/13/2018 10:20 AM
Actions #1

Updated by Victor Julien over 6 years ago

  • Status changed from New to Assigned
  • Assignee set to Victor Julien
  • Target version set to 4.0.6
  • Affected Versions 4.0.5 added
  • Affected Versions deleted (4.0.6)
Actions #2

Updated by Victor Julien about 6 years ago

  • Status changed from Assigned to Closed
  • Priority changed from High to Normal
Actions

Also available in: Atom PDF