Project

General

Profile

Actions
Copy link

Bug #2576

closed

filemd5 is not fired in some cases when there are invalid packets

Added by kai jiang over 5 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Victor Julien
Target version:
4.0.6
Affected Versions:
4.0.5
Effort:
Difficulty:
Label:

Description

Run suricata using below command with the attachment:
suricata -r ./temp1.pcap -c /etc/suricata/suricata.yaml

where there is only one signature configured:
alert ip any any -> any any (msg:"filemd5";filemd5: md5list; sid: 3; rev: 1;)

and the md5list file only contains one line:
090fe607a5be1228362614ccaa088577

When use the original pcap file temp1.pcap, filemd5 alert is not fired. Wireshark shows this file has two invalid packets 13 and 14.
Then remove packet 13 and 14 manually, and save it to temp6.pcap. Re-run: suricata -r ./temp6.pcap -c /etc/suricata/suricata.yaml. This time filemd5 alert can be fired.

It seems suricata have some issues handling these invalid packets, and make filemd5 not fired

Files

Download all files
temp1.pcap (6.01 KB) temp1.pcap filemd5 not fire kai jiang, 08/13/2018 10:08 AM
temp6.pcap (4.49 KB) temp6.pcap filemd5 fired kai jiang, 08/13/2018 10:20 AM
Actions
Copy link
 #1

Updated by Victor Julien over 5 years ago

  • Status changed from New to Assigned
  • Assignee set to Victor Julien
  • Target version set to 4.0.6
  • Affected Versions 4.0.5 added
  • Affected Versions deleted (4.0.6)
Actions
Copy link
 #2

Updated by Victor Julien over 5 years ago

  • Status changed from Assigned to Closed
  • Priority changed from High to Normal
Actions
Copy link

Also available in: Atom PDF