Project

General

Profile

Actions

Bug #5379

closed

detect/udp: different detection from rules when UDP/TCP header is broken

Added by Juliana Fajardini Reichow over 2 years ago. Updated almost 2 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

As reported in the forum: https://forum.suricata.io/t/different-detection-from-rules-when-udp-header-is-broken/2527

The rule

alert udp $EXTERNAL_NET :1024 <> $HOME_NET 0 (msg:"UDP Port 0"; sid:1;)

Generates alert with broken UDP packets (pcap attached):

05/30/2022-12:34:15.240177  [**] [1:1:0] UDP Port 0 [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.100.102:0 -> 192.0.2.1:0


Files

udpport0.pcap (160 Bytes) udpport0.pcap Juliana Fajardini Reichow, 06/01/2022 09:30 PM

Subtasks 1 (0 open1 closed)

Bug #5795: detect/udp: different detection from rules when UDP/TCP header is broken (6.0.x backport)ClosedShivani BhardwajActions

Related issues 1 (0 open1 closed)

Related to Suricata - Bug #5693: decode: Padded packet to minimal Ethernet length marked with invalid length eventClosedLukas SismisActions
Actions #1

Updated by Juliana Fajardini Reichow over 2 years ago

The user who reported the issue said that a similar error also occurred with TCP traffic.

Actions #2

Updated by Juliana Fajardini Reichow over 2 years ago

  • Subject changed from detect/udp: different detection from rules when UDP header is broken to detect/udp: different detection from rules when UDP/TCP header is broken
Actions #3

Updated by Victor Julien about 2 years ago

  • Target version changed from 7.0.0-beta1 to 7.0.0-rc1
Actions #4

Updated by Victor Julien about 2 years ago

  • Assignee changed from Juliana Fajardini Reichow to OISF Dev
Actions #5

Updated by Shivani Bhardwaj about 2 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Shivani Bhardwaj
Actions #6

Updated by Shivani Bhardwaj almost 2 years ago

  • Related to Bug #5693: decode: Padded packet to minimal Ethernet length marked with invalid length event added
Actions #7

Updated by Shivani Bhardwaj almost 2 years ago

  • Status changed from Assigned to In Review
Actions #8

Updated by Shivani Bhardwaj almost 2 years ago

  • Label Needs backport to 6.0 added
Actions #10

Updated by Shivani Bhardwaj almost 2 years ago

  • Subtask #5795 added
Actions #11

Updated by Shivani Bhardwaj almost 2 years ago

  • Label deleted (Needs backport to 6.0)
Actions #12

Updated by Shivani Bhardwaj almost 2 years ago

  • Status changed from In Review to Resolved
Actions #13

Updated by Victor Julien almost 2 years ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF