Project

General

Profile

Actions
Copy link

Bug #2928

open

alerts on icmp signatures in 4.0.x and 4.1.x

Added by Andrey Rybakov about 5 years ago. Updated over 4 years ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
4.1rc1
Effort:
Difficulty:
Label:

Description

Hello.
I`ve tested simple signature "alert icmp any any -> any any (msg:"MyAlert"; sid:1000000; rev:1;)"
on ping traffic (4 requests, 4 replies - in attached pcap)

In different versions i have different results:
4.0.0-beta1, 4.0.(1-7) = 8 alerts (four in each direction)
4.1.0-beta1 = 8 alerts
4.1.0-rc1, 4.1.(0-3) = 2 alerts (one in each direction)

So suricata start alert icmp as flow (only for one packet in each direction) between 4.1.0-beta1 and 4.1.0-rc1
probably this was caused by commit c662383b5
I think it is bug

Files

icmp_8_packets.pcap (744 Bytes) icmp_8_packets.pcap Andrey Rybakov, 04/09/2019 03:36 PM
Actions
Copy link
 #1

Updated by Andreas Herz almost 5 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD

I can confirm that this issue is present in 4.1.4 and 5.0.0-beta1 as well.

Actions
Copy link
 #2

Updated by Victor Julien over 4 years ago

The lack of any specific matches combined with the new flow handling causes this to be inspected as a IP-Only rule: once per flow direction.

Actions
Copy link

Also available in: Atom PDF