Bug #5379: detect/udp: different detection from rules when UDP/TCP header is broken

Added by Juliana Fajardini Reichow almost 4 years ago. Updated about 3 years ago.

Status: Closed
Priority: Normal

Description

As reported in the forum: https://forum.suricata.io/t/different-detection-from-rules-when-udp-header-is-broken/2527

The rule

alert udp $EXTERNAL_NET :1024 <> $HOME_NET 0 (msg:"UDP Port 0"; sid:1;)

Generates alert with broken UDP packets (pcap attached):

05/30/2022-12:34:15.240177  [**] [1:1:0] UDP Port 0 [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.100.102:0 -> 192.0.2.1:0


Files

udpport0.pcap (160 Bytes) Juliana Fajardini Reichow, 06/01/2022 09:30 PM

Subtasks 1 (0 open, 1 closed)

Bug #5795: detect/udp: different detection from rules when UDP/TCP header is broken (6.0.x backport) - Closed - Shivani Bhardwaj

Related issues 1 (0 open, 1 closed)

Related to Suricata - Bug #5693: decode: Padded packet to minimal Ethernet length marked with invalid length event - Closed - Lukas Sismis

Updated by Juliana Fajardini Reichow almost 4 years ago #1

The user who reported the issue said that a similar error also occurred with TCP traffic.

Updated by Juliana Fajardini Reichow almost 4 years ago #2

  • Subject changed from detect/udp: different detection from rules when UDP header is broken to detect/udp: different detection from rules when UDP/TCP header is broken

Updated by Victor Julien over 3 years ago #3

  • Target version changed from 7.0.0-beta1 to 7.0.0-rc1

Updated by Victor Julien over 3 years ago #4

  • Assignee changed from Juliana Fajardini Reichow to OISF Dev

Updated by Shivani Bhardwaj over 3 years ago #5

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Shivani Bhardwaj

Updated by Shivani Bhardwaj over 3 years ago #6

  • Related to Bug #5693: decode: Padded packet to minimal Ethernet length marked with invalid length event added

Updated by Shivani Bhardwaj over 3 years ago #7

  • Status changed from Assigned to In Review

Updated by Shivani Bhardwaj over 3 years ago #8

  • Label Needs backport to 6.0 added

Updated by Shivani Bhardwaj about 3 years ago #10

  • Subtask #5795 added

Updated by Shivani Bhardwaj about 3 years ago #11

  • Label deleted (Needs backport to 6.0)

Updated by Shivani Bhardwaj about 3 years ago #12

  • Status changed from In Review to Resolved

Updated by Victor Julien about 3 years ago #13

  • Status changed from Resolved to Closed