Bug #4571
open
Unable to trigger rule by content in case of IPv4 in IPv4 encapsulation
Added by Kirill Krotov almost 4 years ago.
Updated 15 days ago.
Description
Suricata is able to detect packets by content in case of encapsulation. Detection by content works in the following cases:
- IPv4
- IPv6
- IPv4 over IPv6
- IPv6 over IPv4
- IPv6 over IPv6
But it doesn't work with IPv4 over IPv4 tunnels, and it seems to me like a bug.
I have used the following rule:
alert tcp any any -> any any (msg:"found"; content: "hello"; sid:1;)
With a set of pcap files.
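An added example, not part of the original report and not Suricata code: an engine-independent check that test traffic really carries the rule's content in a TCP payload beneath an IP-in-IP header (outer IPv4 protocol number 4), so a missed alert can be attributed to the decoder rather than to the capture. The helper names and packets are constructed for illustration; fragmentation, IPv6 extension headers and checksums are ignored.

```python
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_IPV6 = 4, 6, 41

def inner_tcp_payload(pkt: bytes, depth: int = 0, max_depth: int = 4):
    """Walk nested IP headers; return (tunnel_depth, tcp_payload) or None."""
    if depth > max_depth or len(pkt) < 20:
        return None
    version = pkt[0] >> 4
    if version == 4:
        ihl = (pkt[0] & 0x0F) * 4
        total_len = struct.unpack("!H", pkt[2:4])[0]
        if ihl < 20 or total_len < ihl or total_len > len(pkt):
            return None                      # malformed or truncated header
        proto, body = pkt[9], pkt[ihl:total_len]
    elif version == 6:
        payload_len = struct.unpack("!H", pkt[4:6])[0]
        if len(pkt) < 40 + payload_len:
            return None
        proto, body = pkt[6], pkt[40:40 + payload_len]
    else:
        return None
    if proto in (IPPROTO_IPIP, IPPROTO_IPV6):  # another IP header follows
        return inner_tcp_payload(body, depth + 1, max_depth)
    if proto == IPPROTO_TCP and len(body) >= 20:
        data_off = (body[12] >> 4) * 4
        if 20 <= data_off <= len(body):
            return depth, body[data_off:]
    return None

def content_match(pkt: bytes, content: bytes = b"hello") -> bool:
    found = inner_tcp_payload(pkt)
    return found is not None and content in found[1]

# Constructed sample packets (checksums left at zero, addresses arbitrary).
def ipv4(proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload

def ipv6(next_hdr, payload):
    return struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, 64) + bytes(32) + payload

def tcp(payload):
    return struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 0x50, 0x18, 8192, 0, 0) + payload

SAMPLES = {
    "ipv4/tcp": ipv4(IPPROTO_TCP, tcp(b"hello")),
    "ipv4/ipv4/tcp": ipv4(IPPROTO_IPIP, ipv4(IPPROTO_TCP, tcp(b"hello"))),
    "ipv4/ipv6/tcp": ipv4(IPPROTO_IPV6, ipv6(IPPROTO_TCP, tcp(b"hello"))),
    "ipv6/ipv4/tcp": ipv6(IPPROTO_IPIP, ipv4(IPPROTO_TCP, tcp(b"hello"))),
}
```

If `content_match` is true for a packet at tunnel depth 1 and the rule above still does not alert on it, the gap is in tunnel decoding rather than in the rule or the capture.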
Related issues
3 (3 open — 0 closed)
- Assignee set to OISF Dev
- Target version set to 8.0.0-beta1
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Victor Julien
- Priority changed from Normal to Low
- Target version changed from 8.0.0-beta1 to 8.0.0-rc1
- Related to Bug #7725: decode/ipv4: missing ip-in-ip case handling added
- Priority changed from Low to Normal
- Target version changed from 8.0.0-rc1 to 9.0.0-beta1
- Related to Task #7734: decode: review if any decoders are missing for IPv4 or IPv6 added
- Related to Bug #7752: decode: no parent packet flow for ip-in-ipv6 added
- Subject changed from Unable to trigger rule by content in case of IPv4 in IPv4 incapsulation to Unable to trigger rule by content in case of IPv4 in IPv4 encapsulation
- Status changed from Assigned to Feedback