Project

General

Profile

Actions
Copy link

Bug #4571

open
KK VJ

Unable to trigger rule by content in case of IPv4 in IPv4 encapsulation

Bug #4571: Unable to trigger rule by content in case of IPv4 in IPv4 encapsulation

Added by Kirill Krotov over 4 years ago. Updated 9 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
Victor Julien
Target version:
9.0.0-beta1
Affected Versions:
6.0.3, git main
Effort:
Difficulty:
Label:

Description

Suricata do able detect packets by conent in case of incapsulation. Detection by content works in following cases:

  • IPv4
  • IPv6
  • IPv4 over IPv6
  • IPv6 over IPv4
  • IPv6 over IPv6

But it doesn't work with tunnels IPv4 over IPv4 and it seems for me like a bug.

I have used following rule:

alert tcp any any -> any any (msg:"found"; content: "hello"; sid:1;)

With set of pcap files.

Files

Download all files
ipv6.pcap (126 Bytes) ipv6.pcap Kirill Krotov, 08/02/2021 02:17 PM
ipv6_over_ipv6.pcap (166 Bytes) ipv6_over_ipv6.pcap Kirill Krotov, 08/02/2021 02:17 PM
ipv6_over_ipv4.pcap (146 Bytes) ipv6_over_ipv4.pcap Kirill Krotov, 08/02/2021 02:17 PM
ipv4.pcap (106 Bytes) ipv4.pcap Kirill Krotov, 08/02/2021 02:17 PM
ipv4_over_ipv6.pcap (146 Bytes) ipv4_over_ipv6.pcap Kirill Krotov, 08/02/2021 02:17 PM
ipv4_over_ipv4.pcap (166 Bytes) ipv4_over_ipv4.pcap this doesn't work Kirill Krotov, 08/02/2021 02:17 PM

Related issues 3 (1 open2 closed)

Related to Suricata - Bug #7725: decode/ipv4: missing ip-in-ip case handlingClosedJuliana Fajardini ReichowActions
Related to Suricata - Task #7734: decode: review if any decoders are missing for IPv4 or IPv6NewOISF DevActions
Related to Suricata - Bug #7752: decode: no parent packet flow for ip-in-ipv6ClosedJuliana Fajardini ReichowActions

PA Updated by Philippe Antoine almost 3 years ago Actions
Copy link
 #1

  • Assignee set to OISF Dev
  • Target version set to 8.0.0-beta1

VJ Updated by Victor Julien about 1 year ago Actions
Copy link
 #2

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Victor Julien
  • Priority changed from Normal to Low
  • Target version changed from 8.0.0-beta1 to 8.0.0-rc1

PA Updated by Philippe Antoine 10 months ago Actions
Copy link
 #3

  • Related to Bug #7725: decode/ipv4: missing ip-in-ip case handling added

PA Updated by Philippe Antoine 10 months ago Actions
Copy link
 #4

@Juliana Fajardini Reichow is this the same as #7725 ?

JF Updated by Juliana Fajardini Reichow 10 months ago ยท Edited Actions
Copy link
 #5

Philippe Antoine wrote in #note-4:

@Juliana Fajardini Reichow is this the same as #7725 ?

Looks like it, I'll see if it makes sense to add some more SV tests with the pcap here.

VJ Updated by Victor Julien 10 months ago Actions
Copy link
 #6

  • Priority changed from Low to Normal
  • Target version changed from 8.0.0-rc1 to 9.0.0-beta1

JF Updated by Juliana Fajardini Reichow 10 months ago Actions
Copy link
 #7

SV PR: https://github.com/OISF/suricata-verify/pull/2546

Seems to me that this one is closed by #7725

JF Updated by Juliana Fajardini Reichow 10 months ago Actions
Copy link
 #8

  • Related to Task #7734: decode: review if any decoders are missing for IPv4 or IPv6 added

JF Updated by Juliana Fajardini Reichow 10 months ago Actions
Copy link
 #9

  • Related to Bug #7752: decode: no parent packet flow for ip-in-ipv6 added

JF Updated by Juliana Fajardini Reichow 9 months ago Actions
Copy link
 #10

  • Subject changed from Unable to trigger rule by content in case of IPv4 in IPv4 incapsulation to Unable to trigger rule by content in case of IPv4 in IPv4 encapsulation

PA Updated by Philippe Antoine 9 months ago Actions
Copy link
 #11

  • Status changed from Assigned to Feedback
Actions
Copy link

Also available in: PDF Atom