Project

General

Profile

Actions
Copy link

Bug #4571

open

Unable to trigger rule by content in case of IPv4 in IPv4 encapsulation

Added by Kirill Krotov almost 4 years ago. Updated 15 days ago.

Status:
Feedback
Priority:
Normal
Assignee:
Victor Julien
Target version:
9.0.0-beta1
Affected Versions:
6.0.3, git master
Effort:
Difficulty:
Label:

Description

Suricata do able detect packets by conent in case of incapsulation. Detection by content works in following cases:

  • IPv4
  • IPv6
  • IPv4 over IPv6
  • IPv6 over IPv4
  • IPv6 over IPv6

But it doesn't work with tunnels IPv4 over IPv4 and it seems for me like a bug.

I have used following rule:

alert tcp any any -> any any (msg:"found"; content: "hello"; sid:1;)

With set of pcap files.

Files

Download all files
ipv6.pcap (126 Bytes) ipv6.pcap Kirill Krotov, 08/02/2021 02:17 PM
ipv6_over_ipv6.pcap (166 Bytes) ipv6_over_ipv6.pcap Kirill Krotov, 08/02/2021 02:17 PM
ipv6_over_ipv4.pcap (146 Bytes) ipv6_over_ipv4.pcap Kirill Krotov, 08/02/2021 02:17 PM
ipv4.pcap (106 Bytes) ipv4.pcap Kirill Krotov, 08/02/2021 02:17 PM
ipv4_over_ipv6.pcap (146 Bytes) ipv4_over_ipv6.pcap Kirill Krotov, 08/02/2021 02:17 PM
ipv4_over_ipv4.pcap (166 Bytes) ipv4_over_ipv4.pcap this doesn't work Kirill Krotov, 08/02/2021 02:17 PM

Related issues 3 (3 open0 closed)

Related to Suricata - Bug #7725: decode/ipv4: missing ip-in-ip case handlingResolvedJuliana Fajardini ReichowActions
Related to Suricata - Task #7734: decode: review if any decoders are missing for IPv4 or IPv6NewOISF DevActions
Related to Suricata - Bug #7752: decode: no parent packet flow for ip-in-ipv6ResolvedJuliana Fajardini ReichowActions
Actions
Copy link
 #1

Updated by Philippe Antoine about 2 years ago

  • Assignee set to OISF Dev
  • Target version set to 8.0.0-beta1
Actions
Copy link
 #2

Updated by Victor Julien 5 months ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Victor Julien
  • Priority changed from Normal to Low
  • Target version changed from 8.0.0-beta1 to 8.0.0-rc1
Actions
Copy link
 #3

Updated by Philippe Antoine about 2 months ago

  • Related to Bug #7725: decode/ipv4: missing ip-in-ip case handling added
Actions
Copy link
 #4

Updated by Philippe Antoine about 2 months ago

@Juliana Fajardini Reichow is this the same as #7725 ?

Actions
Copy link
 #5

Updated by Juliana Fajardini Reichow about 2 months ago ยท Edited

Philippe Antoine wrote in #note-4:

@Juliana Fajardini Reichow is this the same as #7725 ?

Looks like it, I'll see if it makes sense to add some more SV tests with the pcap here.

Actions
Copy link
 #6

Updated by Victor Julien about 2 months ago

  • Priority changed from Low to Normal
  • Target version changed from 8.0.0-rc1 to 9.0.0-beta1
Actions
Copy link
 #7

Updated by Juliana Fajardini Reichow about 2 months ago

SV PR: https://github.com/OISF/suricata-verify/pull/2546

Seems to me that this one is closed by #7725

Actions
Copy link
 #8

Updated by Juliana Fajardini Reichow about 2 months ago

  • Related to Task #7734: decode: review if any decoders are missing for IPv4 or IPv6 added
Actions
Copy link
 #9

Updated by Juliana Fajardini Reichow about 2 months ago

  • Related to Bug #7752: decode: no parent packet flow for ip-in-ipv6 added
Actions
Copy link
 #10

Updated by Juliana Fajardini Reichow 20 days ago

  • Subject changed from Unable to trigger rule by content in case of IPv4 in IPv4 incapsulation to Unable to trigger rule by content in case of IPv4 in IPv4 encapsulation
Actions
Copy link
 #11

Updated by Philippe Antoine 15 days ago

  • Status changed from Assigned to Feedback
Actions
Copy link

Also available in: Atom PDF