Bug #3385

closed

fast-log: icmp type prints wrong value (4.1.x)

Added by Victor Julien about 5 years ago. Updated about 5 years ago.

Status: Closed
Priority: Normal

Description

Fast log prints Packet::sp and Packet::dp, but these are unions:

    union {
        Port sp;
        // icmp type and code of this packet
        struct {
            uint8_t type;
            uint8_t code;
        } icmp_s;
    };
    union {
        Port dp;
        // icmp type and code of the expected counterpart (for flows)
        struct {
            uint8_t type;
            uint8_t code;
        } icmp_d;
    };

So printing Packet::sp or dp for ICMP does not give the correct results.

E.g. from et-sigs:

    10/18/2019-13:06:01.032939  [Drop] [**] [1:2200076:2] SURICATA ICMPv4 invalid checksum [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {ICMP} 60.191.38.77:771 -> 192.168.69.246:0
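
The aliasing described above, as an added example that is not part of the original report or of Suricata's code. `DemoPacket` and the `demo_*` functions are hypothetical names, the protocol-aware formatter is one possible way to pick the right union member, and the type 3 / code 3 sample is constructed so that the port read yields 771 (0x0303), the value seen in the log line.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t Port;

/* Constructed stand-in holding the two unions from the report (not Suricata's Packet). */
typedef struct {
    uint8_t proto;                /* IP protocol number: 1 = ICMP, 6 = TCP */
    union {
        Port sp;
        struct { uint8_t type; uint8_t code; } icmp_s;
    };
    union {
        Port dp;
        struct { uint8_t type; uint8_t code; } icmp_d;
    };
} DemoPacket;

/* Build an ICMP packet: only the icmp_s member is written, icmp_d stays zero. */
DemoPacket demo_icmp(uint8_t type, uint8_t code)
{
    DemoPacket p;
    memset(&p, 0, sizeof(p));
    p.proto = 1;
    p.icmp_s.type = type;
    p.icmp_s.code = code;
    return p;
}

/* Reading sp after writing icmp_s reinterprets the type/code bytes as a port. */
Port demo_naive_sp(DemoPacket p) { return p.sp; }

/* Protocol-aware formatting: read the union member that matches the protocol. */
const char *demo_format_src(DemoPacket p)
{
    static char buf[32];
    if (p.proto == 1)
        snprintf(buf, sizeof(buf), "type %u code %u",
                 (unsigned)p.icmp_s.type, (unsigned)p.icmp_s.code);
    else
        snprintf(buf, sizeof(buf), "port %u", (unsigned)p.sp);
    return buf;
}

int main(void)
{
    DemoPacket p = demo_icmp(3, 3);   /* constructed sample: both bytes are 3 */
    printf("naive: %u  aware: %s\n", (unsigned)demo_naive_sp(p), demo_format_src(p));
    return 0;
}
```

Because both bytes are 3 in this sample, the aliased port reads as 771 on either byte order; for other type/code pairs the bogus port value also depends on host endianness.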


Related issues 1 (0 open, 1 closed)

Copied from Suricata - Bug #3266: fast-log: icmp type prints wrong value (Closed, Philippe Antoine)
