Project

General

Profile

Actions
Copy link

Bug #5689

closed
JM PA

eve: community id computed wrong for tcp and ipv4 when src_ip == dest_ip

Bug #5689: eve: community id computed wrong for tcp and ipv4 when src_ip == dest_ip

Added by jia mo over 3 years ago. Updated 7 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Philippe Antoine
Target version:
8.0.1
Affected Versions:
8.0.0
Effort:
Difficulty:
Label:

Description

I check the community id by using the go package https://github.com/satta/gommunityid and https://github.com/corelight/community-id-spec

test case found when src_ip and dest_ip was same. The community was different from the go package.

After check the community spec https://github.com/corelight/community-id-spec I don't found any wrong in both suricata and go implement.

for example for seed 1:

suricata got {
"src_ip": "192.168.0.254",
"src_port": 56162,
"dest_ip": "192.168.0.254",
"dest_port": 3306,
"proto": "TCP",
"community_id": "1:ywLin4Fwaq7bqlf6YRbgyWyGBLE=",
}

and the go implement got: '1:IJQHtzXv/tXud3FtXIufkDsfEd4='
and the python version from got: 1216281025.136169 | 1:IJQHtzXv/tXud3FtXIufkDsfEd4= | 192.168.0.254 192.168.0.254 6 56162 3306

the go code:


func TestFlowTupleOrder(t *testing.T) {
    cid, _ := gommunityid.GetCommunityIDByVersion(1, 1)
    ft := gommunityid.MakeFlowTupleTCP(net.ParseIP("192.168.0.254"), net.ParseIP("192.168.0.254"),
        56162, 3306)
    CommunityId := cid.CalcBase64(ft)
    fmt.Println(CommunityId)
}

I think both go and python got same id but suricata different. May be there is some code bug in surcata.

attachment is the pcap I am using.

Files

mysql_debug.pcap (6.41 KB) mysql_debug.pcap jia mo, 11/16/2022 12:13 PM

Subtasks 1 (0 open1 closed)

Bug #7823: community id computed wrong for tcp and ipv4 when src_ip == dest_ip (7.0.x backport)ClosedPhilippe AntoineActions

JM Updated by jia mo over 3 years ago Actions
Copy link
 #1

  • Subject changed from community id computed wrong for tcp and ipv4 when src_ip and dest_ip was equal to community id computed wrong for tcp and ipv4 when src_ip == dest_ip
  • Description updated (diff)

SB Updated by Shivani Bhardwaj over 3 years ago Actions
Copy link
 #2

  • Target version changed from 7.0.0-beta1 to 7.0.0-rc1

VJ Updated by Victor Julien about 3 years ago Actions
Copy link
 #3

  • Target version changed from 7.0.0-rc1 to 8.0.0-beta1

VJ Updated by Victor Julien about 1 year ago Actions
Copy link
 #4

  • Target version changed from 8.0.0-beta1 to 8.0.0-rc1

VJ Updated by Victor Julien 10 months ago Actions
Copy link
 #5

  • Target version changed from 8.0.0-rc1 to 9.0.0-beta1

PA Updated by Philippe Antoine 9 months ago Actions
Copy link
 #6

  • Affected Versions 8.0.0 added

PA Updated by Philippe Antoine 9 months ago Actions
Copy link
 #7

  • Status changed from New to In Review
  • Assignee changed from OISF Dev to Philippe Antoine
  • Target version changed from 9.0.0-beta1 to 8.0.1
  • Label Needs backport to 7.0 added

OT Updated by OISF Ticketbot 9 months ago Actions
Copy link
 #8

  • Subtask #7823 added

OT Updated by OISF Ticketbot 9 months ago Actions
Copy link
 #9

  • Label deleted (Needs backport to 7.0)

JI Updated by Jason Ish 8 months ago Actions
Copy link
 #10

  • Status changed from In Review to Resolved

PA Updated by Philippe Antoine 8 months ago Actions
Copy link
 #11

  • Status changed from Resolved to Closed

VJ Updated by Victor Julien 7 months ago Actions
Copy link
 #12

  • Subject changed from community id computed wrong for tcp and ipv4 when src_ip == dest_ip to eve: community id computed wrong for tcp and ipv4 when src_ip == dest_ip
Actions
Copy link

Also available in: PDF Atom