Bug #4571 open
Unable to trigger rule by content in case of IPv4 in IPv4 encapsulation
Added by Kirill Krotov almost 5 years ago.
Updated 10 months ago.
Description
Suricata is able to detect packets by content in case of encapsulation. Detection by content works in the following cases:
IPv4
IPv6
IPv4 over IPv6
IPv6 over IPv4
IPv6 over IPv6
But it doesn't work with IPv4 over IPv4 tunnels, and it seems to me like a bug.
I have used the following rule:
alert tcp any any -> any any (msg:"found"; content: "hello"; sid:1;)
With a set of pcap files.
Files
Assignee set to OISF Dev
Target version set to 8.0.0-beta1
Status changed from New to Assigned
Assignee changed from OISF Dev to Victor Julien
Priority changed from Normal to Low
Target version changed from 8.0.0-beta1 to 8.0.0-rc1
Related to Bug #7725 : decode/ipv4: missing ip-in-ip case handling added
Priority changed from Low to Normal
Target version changed from 8.0.0-rc1 to 9.0.0-beta1
Related to Task #7734 : decode: review if any decoders are missing for IPv4 or IPv6 added
Related to Bug #7752 : decode: no parent packet flow for ip-in-ipv6 added
Subject changed from Unable to trigger rule by content in case of IPv4 in IPv4 incapsulation to Unable to trigger rule by content in case of IPv4 in IPv4 encapsulation
Status changed from Assigned to Feedback
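The encapsulation case from this report, as an added example that is not part of the original report or of Suricata's code: a constructed IPv4-in-IPv4 packet (outer protocol 4) carrying the rule's `hello` payload, and a bounded walk over nested IPv4 headers that recovers the inner TCP payload a content match would need to see. Addresses, ports, the depth limit and all function names are assumptions made for the illustration.

```python
import socket
import struct

IPPROTO_IPIP, IPPROTO_TCP = 4, 6  # IANA protocol numbers: IPv4 encapsulation, TCP

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """20-byte IPv4 header (no options) followed by payload."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0, s, d)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def tcp(src: str, dst: str, sport: int, dport: int, data: bytes) -> bytes:
    """TCP segment with PSH|ACK set and a valid checksum."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + data
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, IPPROTO_TCP, len(seg))
    return seg[:16] + struct.pack("!H", checksum(pseudo + seg)) + seg[18:]

def inner_tcp_payload(pkt: bytes, max_depth: int = 4):
    """Walk nested IPv4 headers; return (tunnel_depth, tcp_payload) or None."""
    for depth in range(max_depth + 1):  # bounded so nesting cannot recurse forever
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            return None
        ihl, total_len, proto = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0], pkt[9]
        if ihl < 20 or total_len < ihl or total_len > len(pkt):
            return None  # malformed or truncated header
        body = pkt[ihl:total_len]
        if proto == IPPROTO_TCP:
            if len(body) < 20:
                return None
            off = (body[12] >> 4) * 4  # TCP data offset in bytes
            return (depth, body[off:]) if 20 <= off <= len(body) else None
        if proto != IPPROTO_IPIP:
            return None  # not a tunnel this walker understands
        pkt = body  # protocol 4: the payload is another IPv4 packet
    return None

# Constructed sample: documentation addresses, same payload plain and tunnelled.
SEG = tcp("192.0.2.1", "192.0.2.2", 40000, 80, b"hello")
PLAIN = ipv4("192.0.2.1", "192.0.2.2", IPPROTO_TCP, SEG)
TUNNELLED = ipv4("198.51.100.1", "198.51.100.2", IPPROTO_IPIP, PLAIN)
```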