Bug #2576

closed

filemd5 is not fired in some cases when there are invalid packets

Added by kai jiang over 6 years ago. Updated about 6 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Run Suricata using the command below with the attachment:
suricata -r ./temp1.pcap -c /etc/suricata/suricata.yaml

where there is only one signature configured:
alert ip any any -> any any (msg:"filemd5";filemd5: md5list; sid: 3; rev: 1;)

and the md5list file only contains one line:
090fe607a5be1228362614ccaa088577

When using the original pcap file temp1.pcap, the filemd5 alert is not fired. Wireshark shows this file has two invalid packets, 13 and 14.
Then remove packets 13 and 14 manually and save the result as temp6.pcap. Re-run: suricata -r ./temp6.pcap -c /etc/suricata/suricata.yaml. This time the filemd5 alert is fired.

It seems Suricata has some issues handling these invalid packets, which prevent filemd5 from firing.
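To illustrate why a missing or undecodable segment can keep a filemd5 match from firing, here is an added Python model that is neither Suricata code nor the reporter's attachments: a toy per-file tracker that only hashes a file it has seen without gaps, then checks the digest against an md5list parsed the way the ticket's one-line list is laid out. The sample payload, the chunk sizes and the tracker's gap handling are constructed assumptions, not Suricata's actual implementation.

```python
import hashlib

# Constructed stand-in for the transferred file (not the pcap payload from the ticket).
SAMPLE_FILE = b"MZ" + bytes(range(256)) * 4          # 1026 bytes
# Constructed md5list text: one digest per line, like the reporter's single-entry list.
MD5LIST_TEXT = hashlib.md5(SAMPLE_FILE).hexdigest() + "\n"


def load_md5list(text):
    """Parse an md5list file: one 32-hex-char digest per line; blanks and '#' lines ignored."""
    entries = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if not line or line.startswith("#"):
            continue
        if len(line) != 32 or any(c not in "0123456789abcdef" for c in line):
            raise ValueError(f"bad md5list entry: {line!r}")
        entries.add(line)
    return entries


class FileTracker:
    """Toy model of a file tracker: data chunks arrive with their stream offsets.
    Assumption: any gap (a chunk whose offset is past the bytes seen so far)
    marks the file truncated, and a truncated file yields no digest."""

    def __init__(self):
        self.buf = bytearray()
        self.truncated = False

    def feed(self, offset, data):
        if offset != len(self.buf):       # a segment was missing or undecodable
            self.truncated = True
        if not self.truncated:
            self.buf += data

    def close(self):
        """Return the md5 hex digest, or None when the file was not fully observed."""
        return None if self.truncated else hashlib.md5(bytes(self.buf)).hexdigest()


def filemd5_matches(md5list, chunk_list):
    """Simulate the filemd5 check over (offset, data) chunks of one file transfer."""
    tracker = FileTracker()
    for offset, data in chunk_list:
        tracker.feed(offset, data)
    digest = tracker.close()
    return digest is not None and digest in md5list


def chunks(data, size, drop=None):
    """Split data into fixed-size chunks; drop=index removes one, modelling a lost packet."""
    out = [(i, data[i:i + size]) for i in range(0, len(data), size)]
    return [c for idx, c in enumerate(out) if idx != drop]
```

With every chunk present the digest lands in the list and the match fires; drop one chunk and the tracker reports a truncated file, so no digest is produced and nothing matches.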


Files

temp1.pcap (6.01 KB) - filemd5 not fired - kai jiang, 08/13/2018 10:08 AM
temp6.pcap (4.49 KB) - filemd5 fired - kai jiang, 08/13/2018 10:20 AM