Project

General

Profile

Actions
Copy link

Bug #3638

closed

TOS IP Keyword not triggering an alert

Added by Brian Carlin over 4 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Jeff Lucovsky
Target version:
6.0.0beta1
Affected Versions:
5.0.2
Effort:
Difficulty:
Label:

Description

Ref: https://forum.suricata.io/t/issues-getting-alerting-from-tos-34-46/137
TOS flag does not trigger an alert for DSCP tagged packets when processing pcap. In the pcap below, there are packets tagged with AF41 (34) and EF (46).

https://drive.google.com/file/d/1XpWTWNEtRCKEeXG7Wa3e1Gjkcoa4U4wi/view?usp=drive_open

I can filter this traffic in wireshark:
ip.dsfield.dscp 34 or ip.dsfield.dscp 46

I have tried several rule permutations (see below) to try and get an alert to fire. Can anyone point me in the right direction?

alert ip any any -> any any (msg:“Differentiated Services Codepoint: AF41”; tos:34; flow:to_server; classtype:not-suspicious; sid:202004; rev:1;)

alert ip any any -> any any (msg:“Differentiated Services Codepoint: AF41”; tos:34; classtype:not-suspicious; sid:202004; rev:1;)

alert ip any any -> any any (msg:“Differentiated Services Codepoint: AF41”; tos:34; flow:established; classtype:not-suspicious; sid:202004; rev:1;)

Actions
Copy link
 #1

Updated by Victor Julien over 4 years ago

  • Status changed from New to Assigned
  • Assignee set to Jeff Lucovsky
  • Target version set to 6.0.0beta1
Actions
Copy link
 #2

Updated by Jeff Lucovsky over 4 years ago

  • Status changed from Assigned to In Review
Actions
Copy link
 #3

Updated by Jeff Lucovsky over 4 years ago

  • Status changed from In Review to Closed
Actions
Copy link

Also available in: Atom PDF