Actions
Bug #4571
openUnable to trigger rule by content in case of IPv4 in IPv4 incapsulation
Affected Versions:
Effort:
Difficulty:
Label:
Description
Suricata do able detect packets by conent in case of incapsulation. Detection by content works in following cases:
- IPv4
- IPv6
- IPv4 over IPv6
- IPv6 over IPv4
- IPv6 over IPv6
But it doesn't work with tunnels IPv4 over IPv4 and it seems for me like a bug.
I have used following rule:
alert tcp any any -> any any (msg:"found"; content: "hello"; sid:1;)
With set of pcap files.
Files
Updated by Philippe Antoine almost 2 years ago
- Assignee set to OISF Dev
- Target version set to 8.0.0-beta1
Updated by Victor Julien 3 months ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Victor Julien
- Priority changed from Normal to Low
- Target version changed from 8.0.0-beta1 to 8.0.0-rc1
Updated by Philippe Antoine 2 days ago
- Related to Bug #7725: decode/ipv4: missing ip-in-ip case handling added
Updated by Philippe Antoine 2 days ago
@Juliana Fajardini Reichow is this the same as #7725 ?
Updated by Juliana Fajardini Reichow 2 days ago ยท Edited
Philippe Antoine wrote in #note-4:
@Juliana Fajardini Reichow is this the same as #7725 ?
Looks like it, I'll see if it makes sense to add some more SV tests with the pcap here.
Updated by Victor Julien 2 days ago
- Priority changed from Low to Normal
- Target version changed from 8.0.0-rc1 to 9.0.0-beta1
Updated by Juliana Fajardini Reichow 2 days ago
SV PR: https://github.com/OISF/suricata-verify/pull/2546
Seems to me that this one is closed by #7725
Actions