Open Information Security Foundation
Suricata - Feature #2860: Suricata doesn't detect part of IKEv2 traffic
https://redmine.openinfosecfoundation.org/issues/2860

Updated by Victor Julien (victor@inliniac.net), 2019-03-04T10:32:26Z
https://redmine.openinfosecfoundation.org/issues/2860?journal_id=11334
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/11334/diff?detail_id=12022">diff</a>)</li></ul><p>Can you share a pcap of this traffic to reproduce?</p>

Updated by Michal Vymazal, 2019-03-04T11:08:29Z
https://redmine.openinfosecfoundation.org/issues/2860?journal_id=11336
<ul><li><strong>File</strong> <a href="/attachments/1629">IKEv2-UDP-4500-IKE_SA_INIT-2.pcap</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/1629/IKEv2-UDP-4500-IKE_SA_INIT-2.pcap">IKEv2-UDP-4500-IKE_SA_INIT-2.pcap</a> added</li></ul><p>Here is the pcap file with IKEv2 traffic on UDP 4500.</p>
<p>This traffic is not detected by the IKEv2 dashboard and also not detected with these rules:</p>
<pre>
alert ikev2 any any -> any any (msg:"IKEv2 IKE_SA_INIT Responder 21 20 22 20"; content:"|21 20 22 20|"; classtype:protocol-command-decode; sid:500072; rev:1; metadata:created_at 2019_02_11, updated_at 2019_02_11;)
alert ikev2 any any -> any any (msg:"IKEv2 IKE_SA_INIT Initiator 28 20 22 08 Next Payload: Nonce"; content:"|28 20 22 08|"; classtype:protocol-command-decode; sid:500073; rev:1; metadata:created_at 2019_02_11, updated_at 2019_02_11;)
</pre>
<p>When I turn the IKEv2 traffic back to the UDP 500 port, the IKEv2 traffic will be detected by the IKEv2 dashboard and also will be detected by these two Suricata rules.</p>

Updated by Victor Julien (victor@inliniac.net), 2019-03-04T13:55:19Z
https://redmine.openinfosecfoundation.org/issues/2860?journal_id=11339
<ul><li><strong>Assignee</strong> set to <i>Pierre Chifflier</i></li></ul><p>Hi Pierre, could you check this out?</p>

Updated by Victor Julien (victor@inliniac.net), 2019-03-06T18:14:28Z
https://redmine.openinfosecfoundation.org/issues/2860?journal_id=11368
<ul><li><strong>Tracker</strong> changed from <i>Bug</i> to <i>Feature</i></li><li><strong>Status</strong> changed from <i>New</i> to <i>Assigned</i></li><li><strong>Target version</strong> set to <i>5.0beta1</i></li></ul>

Updated by Victor Julien (victor@inliniac.net), 2019-04-25T11:11:18Z
https://redmine.openinfosecfoundation.org/issues/2860?journal_id=11866
<ul><li><strong>Target version</strong> changed from <i>5.0beta1</i> to <i>TBD</i></li></ul>

Updated by Philippe Antoine, 2023-11-09T14:32:58Z
https://redmine.openinfosecfoundation.org/issues/2860?journal_id=30807
<p>Confirmed with Suricata 7: Suricata does not skip the 4 bytes (value 0) identified as <code>UDP Encapsulation of IPsec Packets</code> per Wireshark.</p>
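<p>The framing difference behind this ticket, as an added example (this is illustrative Python written for this page, not Suricata's IKEv2 parser or any code from the reporter): on UDP/500 a datagram starts directly with the 28-byte IKE header, while on UDP/4500 (NAT-Traversal, RFC 3948 section 2.2) every IKE datagram is prefixed with a 4-byte all-zero "non-ESP marker" so a receiver can tell it apart from UDP-encapsulated ESP, whose first 4 bytes are a non-zero SPI. A parser that does not strip the marker reads the zero bytes as the initiator SPI and finds a wrong major version at offset 17, so it never recognises the message as IKEv2. The sample datagrams below are constructed, not taken from the attached pcap; their header bytes are chosen so that the reporter's <code>21 20 22 20</code> / <code>28 20 22 08</code> patterns appear at offset 16 of the bare IKE message and at offset 20 once the marker is present. The helper names (<code>unwrap_udp4500</code>, <code>ike_from_udp</code>, <code>looks_like_ikev2</code>) are this example's own.</p>

```python
"""IKEv2 header parsing with and without RFC 3948 NAT-T framing (added example, not Suricata code)."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 s2.2: IKE on UDP/4500 is prefixed with 4 zero bytes
NAT_KEEPALIVE = b"\xff"               # RFC 3948 s2.3: a 1-byte 0xFF datagram is a NAT keepalive
IKE_HEADER_LEN = 28                   # RFC 7296 s3.1 fixed header

EXCH_IKE_SA_INIT = 34
PAYLOAD_SA = 33      # 0x21
PAYLOAD_NONCE = 40   # 0x28
FLAG_INITIATOR = 0x08
FLAG_RESPONSE = 0x20


@dataclass
class IkeHeader:
    initiator_spi: int
    responder_spi: int
    next_payload: int
    major: int
    minor: int
    exchange_type: int
    flags: int
    message_id: int
    length: int


def unwrap_udp4500(payload: bytes) -> Tuple[str, bytes]:
    """Classify a UDP/4500 datagram per RFC 3948: ('ike', inner) with the marker stripped,
    ('esp', payload) when the first 4 bytes are a non-zero SPI, or ('keepalive', b'')."""
    if payload == NAT_KEEPALIVE:
        return "keepalive", b""
    if payload.startswith(NON_ESP_MARKER):
        return "ike", payload[len(NON_ESP_MARKER):]
    return "esp", payload


def parse_ike_header(msg: bytes) -> IkeHeader:
    """Parse the fixed IKE header; raise ValueError if the bytes are not a whole IKEv2 message."""
    if len(msg) < IKE_HEADER_LEN:
        raise ValueError(f"short IKE header: {len(msg)} bytes")
    ispi, rspi, np_, ver, exch, flags, mid, length = struct.unpack(
        "!QQBBBBII", msg[:IKE_HEADER_LEN])
    major, minor = ver >> 4, ver & 0x0F
    if major != 2:
        raise ValueError(f"not IKEv2: major version {major}")
    if length != len(msg):
        raise ValueError(f"length field {length} != datagram size {len(msg)}")
    return IkeHeader(ispi, rspi, np_, major, minor, exch, flags, mid, length)


def ike_from_udp(payload: bytes, port: int) -> Optional[IkeHeader]:
    """Extract the IKEv2 header from a UDP payload on port 500 or 4500; None if it is not IKE."""
    if port == 4500:
        kind, inner = unwrap_udp4500(payload)
        if kind != "ike":
            return None
        payload = inner
    return parse_ike_header(payload)


def looks_like_ikev2(payload: bytes) -> bool:
    """What a parser that ignores the NAT-T marker effectively does: parse the datagram as-is."""
    try:
        parse_ike_header(payload)
        return True
    except ValueError:
        return False


def build_ike_sa_init(initiator: bool, body: bytes, nat_t: bool) -> bytes:
    """Construct a sample IKE_SA_INIT datagram (constructed test data, not from the reporter's pcap).
    Initiator: next payload 0x28 (Nonce), flags 0x08, responder SPI zero.
    Responder: next payload 0x21 (SA), flags 0x20. Version byte 0x20 = IKEv2.0."""
    ispi = 0x1122334455667788
    rspi = 0 if initiator else 0x8877665544332211
    np_ = PAYLOAD_NONCE if initiator else PAYLOAD_SA
    flags = FLAG_INITIATOR if initiator else FLAG_RESPONSE
    hdr = struct.pack("!QQBBBBII", ispi, rspi, np_, 0x20, EXCH_IKE_SA_INIT, flags, 0,
                      IKE_HEADER_LEN + len(body))
    msg = hdr + body
    return NON_ESP_MARKER + msg if nat_t else msg


if __name__ == "__main__":
    body = b"\x00" * 40  # placeholder payload bytes; a real message carries SA/KE/Nonce payloads
    for port in (500, 4500):
        pkt = build_ike_sa_init(initiator=False, body=body, nat_t=(port == 4500))
        print(port, "with NAT-T handling:", ike_from_udp(pkt, port))
        print(port, "marker-unaware parse succeeds:", looks_like_ikev2(pkt))
        print(port, "offset of 21 20 22 20:", pkt.find(b"\x21\x20\x22\x20"))
```

<p>Run stand-alone, the script shows the same header being recovered from both ports once the marker is stripped, the marker-unaware parse failing only for the UDP/4500 datagram, and the reporter's 4-byte pattern shifting from offset 16 to offset 20. The check on the marker is cheap because an ESP SPI in the range 0 to 255 is reserved, so a real ESP datagram on UDP/4500 never begins with four zero bytes.</p>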