Bug #3638: TOS IP Keyword not triggering an alert
Status: closed
Description
Ref: https://forum.suricata.io/t/issues-getting-alerting-from-tos-34-46/137
TOS flag does not trigger an alert for DSCP-tagged packets when processing a pcap. In the pcap below, there are packets tagged with AF41 (34) and EF (46).
https://drive.google.com/file/d/1XpWTWNEtRCKEeXG7Wa3e1Gjkcoa4U4wi/view?usp=drive_open
I can filter this traffic in Wireshark:
ip.dsfield.dscp == 34 or ip.dsfield.dscp == 46
I have tried several rule permutations (see below) to try and get an alert to fire. Can anyone point me in the right direction?
alert ip any any -> any any (msg:"Differentiated Services Codepoint: AF41"; tos:34; flow:to_server; classtype:not-suspicious; sid:202004; rev:1;)
alert ip any any -> any any (msg:"Differentiated Services Codepoint: AF41"; tos:34; classtype:not-suspicious; sid:202004; rev:1;)
alert ip any any -> any any (msg:"Differentiated Services Codepoint: AF41"; tos:34; flow:established; classtype:not-suspicious; sid:202004; rev:1;)
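Added example, not part of the bug report or of Suricata's own code: a small Python decoder for the IPv4 DS byte (the former TOS field). DSCP occupies the upper six bits of that byte and ECN the lower two (RFC 2474 / RFC 3168), so a packet marked AF41 (DSCP 34) carries the byte value 136 and one marked EF (DSCP 46) carries 184. Suricata's tos keyword takes the whole byte as a decimal value, while Wireshark's ip.dsfield.dscp shows only the six DSCP bits, so the two numbers are not interchangeable; the helper below converts between them and reads both out of a raw header. The 20-byte header, its addresses and the ECN bits are constructed sample values.

```python
"""Decode the IPv4 DS byte and convert between DSCP values and whole-byte values.

Added example; the packet bytes built here are constructed, not taken from the pcap.
"""
import struct
from typing import Dict, Tuple

# DSCP code points named in the report (RFC 2597 AF41, RFC 3246 EF, plus default).
DSCP_NAMES = {34: "AF41", 46: "EF", 0: "CS0"}


def split_ds_byte(ds: int) -> Tuple[int, int]:
    """Return (dscp, ecn): DSCP is the upper six bits, ECN the lower two."""
    if not 0 <= ds <= 255:
        raise ValueError("DS byte must be 0..255")
    return ds >> 2, ds & 0x03


def ds_byte_for_dscp(dscp: int, ecn: int = 0) -> int:
    """Whole-byte value (what a decimal tos:<n> rule option compares) for a DSCP/ECN pair."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("dscp must be 0..63 and ecn 0..3")
    return (dscp << 2) | ecn


def tos_option_for_dscp(dscp: int) -> str:
    """Rule option text matching the given DSCP with ECN bits clear (hypothetical helper)."""
    return "tos:%d" % ds_byte_for_dscp(dscp, 0)


def make_ipv4_header(dscp: int, ecn: int = 0) -> bytes:
    """Build a minimal 20-byte IPv4/UDP header carrying the requested DSCP (constructed)."""
    ds = ds_byte_for_dscp(dscp, ecn)
    # version 4, IHL 5 | DS | total length | id | flags/frag | TTL | proto 17 | checksum 0 | src | dst
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, ds, 20, 0, 0, 64, 17, 0,
        bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]),  # TEST-NET-1 addresses, constructed
    )


def parse_ipv4_header(pkt: bytes) -> Dict[str, object]:
    """Read version, DS byte, DSCP, ECN and addresses from a raw IPv4 header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, ds, _tlen, _id, _ff, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20]
    )
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    dscp, ecn = split_ds_byte(ds)
    return {
        "ds": ds,                      # value the tos keyword sees
        "dscp": dscp,                  # value Wireshark's ip.dsfield.dscp shows
        "dscp_name": DSCP_NAMES.get(dscp, "DSCP%d" % dscp),
        "ecn": ecn,
        "proto": proto,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


if __name__ == "__main__":
    for dscp in (34, 46):
        info = parse_ipv4_header(make_ipv4_header(dscp))
        print("%s: dscp=%d ds_byte=%d -> %s" % (info["dscp_name"], info["dscp"],
                                               info["ds"], tos_option_for_dscp(dscp)))
```

Running the block prints the DSCP and whole-byte value side by side for AF41 and EF; comparing the ds value against the number used in a tos: option is the quick sanity check before concluding that the keyword itself is broken.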