Bug #5689
open
community id computed wrong for tcp and ipv4 when src_ip == dest_ip
Description
I checked the community id using the Go package https://github.com/satta/gommunityid and https://github.com/corelight/community-id-spec
A test case was found where src_ip and dest_ip were the same. The community id was different from the Go package's.
After checking the community spec https://github.com/corelight/community-id-spec I didn't find anything wrong in either the Suricata or the Go implementation.
For example, for seed 1:
Suricata got
{
  "src_ip": "192.168.0.254",
  "src_port": 56162,
  "dest_ip": "192.168.0.254",
  "dest_port": 3306,
  "proto": "TCP",
  "community_id": "1:ywLin4Fwaq7bqlf6YRbgyWyGBLE=",
}
and the Go implementation got: '1:IJQHtzXv/tXud3FtXIufkDsfEd4='
and the python version from got: 1216281025.136169 | 1:IJQHtzXv/tXud3FtXIufkDsfEd4= | 192.168.0.254 192.168.0.254 6 56162 3306
the go code:
package main
import (
	"fmt"
	"net"
	"testing"
	"github.com/satta/gommunityid"
)
func TestFlowTupleOrder(t *testing.T) {
	cid, _ := gommunityid.GetCommunityIDByVersion(1, 1)
	ft := gommunityid.MakeFlowTupleTCP(net.ParseIP("192.168.0.254"), net.ParseIP("192.168.0.254"),
		56162, 3306)
	CommunityId := cid.CalcBase64(ft)
	fmt.Println(CommunityId)
}
I think both Go and Python got the same id but Suricata's is different. Maybe there is some code bug in Suricata.
The attachment is the pcap I am using.
Files
Updated by jia mo about 2 years ago
- Subject changed from community id computed wrong for tcp and ipv4 when src_ip and dest_ip was equal to community id computed wrong for tcp and ipv4 when src_ip == dest_ip
- Description updated (diff)
Updated by Shivani Bhardwaj almost 2 years ago
- Target version changed from 7.0.0-beta1 to 7.0.0-rc1
Updated by Victor Julien almost 2 years ago
- Target version changed from 7.0.0-rc1 to 8.0.0-beta1
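
The edge case in this report, as an added example (not Suricata's, gommunityid's or the reporter's code): a minimal Community ID v1 calculation that follows the corelight spec's endpoint ordering, where equal addresses are ordered by port. The names `port_tiebreak` and `both_directions` are hypothetical, and the address-only ordering is an assumption included for comparison, not a statement about where Suricata's value comes from.

```python
import base64
import hashlib
import ipaddress
import struct


def community_id_v1(src_ip, src_port, dst_ip, dst_port, proto=6, seed=0,
                    port_tiebreak=True):
    """Community ID v1 for a TCP/UDP/SCTP flow tuple (ICMP port mapping not handled)."""
    src = ipaddress.ip_address(src_ip).packed
    dst = ipaddress.ip_address(dst_ip).packed
    if port_tiebreak:
        # Spec ordering: smaller address first; equal addresses fall back to ports.
        swap = (src, src_port) > (dst, dst_port)
    else:
        # Hypothetical incomplete ordering (address only), kept for comparison.
        swap = src > dst
    if swap:
        src, dst = dst, src
        src_port, dst_port = dst_port, src_port
    h = hashlib.sha1()
    h.update(struct.pack("!H", seed))          # 16-bit seed, network byte order
    h.update(src + dst)                        # ordered addresses
    h.update(struct.pack("!BBHH", proto, 0, src_port, dst_port))  # proto, pad, ports
    return "1:" + base64.b64encode(h.digest()).decode("ascii")


def both_directions(port_tiebreak, seed=1):
    """IDs for the report's flow as seen client->server and server->client."""
    ip = "192.168.0.254"  # tuple taken from the report above
    fwd = community_id_v1(ip, 56162, ip, 3306, seed=seed, port_tiebreak=port_tiebreak)
    rev = community_id_v1(ip, 3306, ip, 56162, seed=seed, port_tiebreak=port_tiebreak)
    return fwd, rev


if __name__ == "__main__":
    for label, flag in (("address+port ordering", True), ("address-only ordering", False)):
        fwd, rev = both_directions(flag)
        print(f"{label}: fwd={fwd} rev={rev} stable={fwd == rev}")
```

Running it prints both directions of the flow under each ordering, so the values can be compared with the two IDs quoted in the report.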