Project

General

Profile

Actions

Bug #3267

closed

Support for tcp.hdr Behavior

Added by Jungho Yoon over 4 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hello
I am trying to use tcp.hdr and ipv4.hdr to detect specific packets.
From the TCP header, the source or destination port can be detected normally, but not for the rest.


TEST (I have attached the pcap file.)

I checked the SYN packet and the GET packet after ESTABLISHED.
There are a total of six packets with a destination port of 80. There is one SYN and one GET.

SYN pkt / TCP Header = 0b 58 00 50 83 da a2 70 00 00 00 00 80 c2 20 00 15 5c 00 00 02 04 05 b4 01 03 03 08 01 01 04 02
GET pkt / TCP Header = 0b 58 00 50 83 da a2 71 3e 40 6e 31 50 18 08 05 16 ba 00 00

alert tcp-pkt any any -> any 80 (msg:"tcp.hdr test1 SYN pkt 1"; tcp.hdr; content:"|00 50|"; offset:2; depth:2; tcp.hdr; content:"|80 c2 20 00|"; sid:1; rev:1;)
alert tcp-pkt any any -> any 80 (msg:"tcp.hdr test2 SYN pkt 2"; tcp.hdr; content:"|00 00 00 00|"; offset:8; depth:4; sid:2; rev:1;)
alert tcp-pkt any any -> any 80 (msg:"tcp.hdr test3 GET pkt 1"; content:"GET"; tcp.hdr; content:"|00 50|"; offset:2; depth:2; tcp.hdr; content:"|50 18|"; distance:8; within:2; sid:3; rev:1;)
alert tcp-pkt any any -> any 80 (msg:"tcp.hdr test4 GET pkt 2"; content:"GET"; tcp.hdr; content:"|00 50|"; offset:2; depth:2; sid:4; rev:1;)

pcap reading result (with "-k none")
IPS mode (af-packet)

test1: 3 packets alert
test2: 3 packets alert
test3: no alert
test4: 1 packet alert

test1 and 2 were alerted in every packet even though they should be detected only once. test3 was not detected, but test4 with only the destination port Hex value in the header was detected.
Of course, matching tcp.mss or MSS Hex values works just fine as described in the manual.

Some fields that correspond to existing options in tcp.hdr don't work?

Please tell me the behavior associated with this option

Thank you.


Files

tcphdr_http.pcapng (1.88 KB) tcphdr_http.pcapng Jungho Yoon, 10/19/2019 05:09 PM

Related issues 1 (0 open1 closed)

Related to Suricata - Bug #3341: tcp.hdr content matches don't work as expectedClosedVictor JulienActions
Actions

Also available in: Atom PDF