Bug #3638 (closed): TOS IP Keyword not triggering an alert

Added by Brian Carlin over 4 years ago. Updated over 4 years ago.

Status: Closed
Priority: Normal

Description

Ref: https://forum.suricata.io/t/issues-getting-alerting-from-tos-34-46/137
The TOS flag does not trigger an alert for DSCP-tagged packets when processing a pcap. In the pcap below, there are packets tagged with AF41 (34) and EF (46).

https://drive.google.com/file/d/1XpWTWNEtRCKEeXG7Wa3e1Gjkcoa4U4wi/view?usp=drive_open

I can filter this traffic in Wireshark:
ip.dsfield.dscp == 34 or ip.dsfield.dscp == 46

I have tried several rule permutations (see below) to try and get an alert to fire. Can anyone point me in the right direction?

alert ip any any -> any any (msg:"Differentiated Services Codepoint: AF41"; tos:34; flow:to_server; classtype:not-suspicious; sid:202004; rev:1;)

alert ip any any -> any any (msg:"Differentiated Services Codepoint: AF41"; tos:34; classtype:not-suspicious; sid:202004; rev:1;)

alert ip any any -> any any (msg:"Differentiated Services Codepoint: AF41"; tos:34; flow:established; classtype:not-suspicious; sid:202004; rev:1;)
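An added worked example, not part of the bug report and not Suricata project code, illustrating the mismatch the rules above run into. Wireshark's ip.dsfield.dscp filter shows only the upper 6 bits of the IP header's TOS/DS byte, while Suricata's tos keyword compares the whole 8-bit byte (decimal, or hex with an x prefix), so a rule written with the DSCP value 34 is looking for TOS byte 34 rather than the byte 0x88 (136) that AF41 actually produces. The IPv4 header, the 10.0.0.x addresses and the sid numbers below are constructed for the demonstration; the tos keyword is assumed to match an exact byte value, which is why one rule per ECN marking is generated.

```python
# Added example (not from the bug report or from Suricata): relation between the
# 6-bit DSCP value shown by Wireshark and the full 8-bit TOS/DS byte that the
# Suricata tos keyword compares against. All packet data here is constructed.
import struct

# Codepoints named in the report: AF41 = 34, EF = 46
DSCP_NAMES = {34: "AF41", 46: "EF"}


def tos_byte_from_dscp(dscp, ecn=0):
    """DSCP is the upper 6 bits of the TOS/DS byte, ECN the lower 2 bits."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("dscp must be 0..63 and ecn 0..3")
    return (dscp << 2) | ecn


def dscp_from_tos_byte(tos):
    """Inverse of the above: drop the two ECN bits."""
    return (tos & 0xFF) >> 2


def parse_ipv4_ds(header):
    """Return (tos_byte, dscp, ecn) from a raw IPv4 header of >= 20 bytes."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    tos = header[1]
    return tos, tos >> 2, tos & 0x3


def build_ipv4_header(dscp, ecn=0):
    """Constructed 20-byte IPv4 header (UDP, 10.0.0.1 -> 10.0.0.2) with the
    given DSCP/ECN marking; checksum left at zero since only byte 1 matters."""
    tos = tos_byte_from_dscp(dscp, ecn)
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, tos, 20, 0, 0, 64, 17, 0,
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
    )


def tos_values_for_dscp(dscp):
    """All four TOS byte values (one per ECN marking) that carry this DSCP.

    Assumed: the tos keyword matches an exact byte value, so catching a DSCP
    regardless of ECN needs one value per ECN combination the traffic carries.
    """
    return [tos_byte_from_dscp(dscp, ecn) for ecn in range(4)]


def rules_for_dscp(dscp, base_sid):
    """Generate Suricata rules that fire on the given DSCP for any ECN marking.

    Uses the decimal form of the tos keyword; sid values are placeholders.
    """
    name = DSCP_NAMES.get(dscp, "DSCP %d" % dscp)
    return [
        'alert ip any any -> any any (msg:"Differentiated Services Codepoint: %s"; '
        "tos:%d; classtype:not-suspicious; sid:%d; rev:1;)" % (name, tos, base_sid + i)
        for i, tos in enumerate(tos_values_for_dscp(dscp))
    ]


if __name__ == "__main__":
    for dscp in (34, 46):
        tos, parsed_dscp, ecn = parse_ipv4_ds(build_ipv4_header(dscp))
        print("%s: DSCP %d -> TOS byte %d (0x%02X), ECN %d"
              % (DSCP_NAMES[dscp], parsed_dscp, tos, tos, ecn))
        for rule in rules_for_dscp(dscp, 202004):
            print("  " + rule)
```

Running the script prints the TOS byte each codepoint produces (AF41 -> 136 / 0x88, EF -> 184 / 0xB8) followed by the four exact-value rules that together cover every ECN marking for that DSCP; the same byte can be checked against a real capture by reading offset 1 of the IPv4 header of a packet that Wireshark reports as dscp 34.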
