Project

General

Custom queries

Profile

Actions
Copy link

Bug #4571

open

Unable to trigger rule by content in case of IPv4 in IPv4 incapsulation

Added by Kirill Krotov over 3 years ago. Updated about 1 month ago.

Status:
Assigned
Priority:
Low
Assignee:
Victor Julien
Target version:
8.0.0-rc1
Affected Versions:
6.0.3, git master
Effort:
Difficulty:
Label:

Description

Suricata do able detect packets by conent in case of incapsulation. Detection by content works in following cases:

  • IPv4
  • IPv6
  • IPv4 over IPv6
  • IPv6 over IPv4
  • IPv6 over IPv6

But it doesn't work with tunnels IPv4 over IPv4 and it seems for me like a bug.

I have used following rule:

alert tcp any any -> any any (msg:"found"; content: "hello"; sid:1;)

With set of pcap files.

Files

Download all files
ipv6.pcap (126 Bytes) ipv6.pcap Kirill Krotov, 08/02/2021 02:17 PM
ipv6_over_ipv6.pcap (166 Bytes) ipv6_over_ipv6.pcap Kirill Krotov, 08/02/2021 02:17 PM
ipv6_over_ipv4.pcap (146 Bytes) ipv6_over_ipv4.pcap Kirill Krotov, 08/02/2021 02:17 PM
ipv4.pcap (106 Bytes) ipv4.pcap Kirill Krotov, 08/02/2021 02:17 PM
ipv4_over_ipv6.pcap (146 Bytes) ipv4_over_ipv6.pcap Kirill Krotov, 08/02/2021 02:17 PM
ipv4_over_ipv4.pcap (166 Bytes) ipv4_over_ipv4.pcap this doesn't work Kirill Krotov, 08/02/2021 02:17 PM
Actions
Copy link
 #1

Updated by Philippe Antoine almost 2 years ago

  • Assignee set to OISF Dev
  • Target version set to 8.0.0-beta1
Actions
Copy link
 #2

Updated by Victor Julien about 1 month ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Victor Julien
  • Priority changed from Normal to Low
  • Target version changed from 8.0.0-beta1 to 8.0.0-rc1
Actions
Copy link

Also available in: Atom PDF