Bug #5689

open

community id computed wrong for tcp and ipv4 when src_ip == dest_ip

Added by jia mo about 2 years ago. Updated almost 2 years ago.

Status: New
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I checked the community ID using the Go package https://github.com/satta/gommunityid and https://github.com/corelight/community-id-spec

I found a test case where src_ip and dest_ip were the same. The community ID was different from the Go package's.

After checking the community spec https://github.com/corelight/community-id-spec I didn't find anything wrong in either the Suricata or the Go implementation.

For example, for seed 1:

Suricata got {
"src_ip": "192.168.0.254",
"src_port": 56162,
"dest_ip": "192.168.0.254",
"dest_port": 3306,
"proto": "TCP",
"community_id": "1:ywLin4Fwaq7bqlf6YRbgyWyGBLE=",
}

and the Go implementation got: '1:IJQHtzXv/tXud3FtXIufkDsfEd4='
and the Python version from got: 1216281025.136169 | 1:IJQHtzXv/tXud3FtXIufkDsfEd4= | 192.168.0.254 192.168.0.254 6 56162 3306

The Go code:

func TestFlowTupleOrder(t *testing.T) {
    cid, _ := gommunityid.GetCommunityIDByVersion(1, 1)
    ft := gommunityid.MakeFlowTupleTCP(net.ParseIP("192.168.0.254"), net.ParseIP("192.168.0.254"),
        56162, 3306)
    CommunityId := cid.CalcBase64(ft)
    fmt.Println(CommunityId)
}

I think both Go and Python got the same ID but Suricata's is different. Maybe there is a bug in the Suricata code.

The attachment is the pcap I am using.


Files

mysql_debug.pcap (6.41 KB) mysql_debug.pcap jia mo, 11/16/2022 12:13 PM
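
The endpoint-ordering rule from the Community ID spec that matters when both addresses are equal, as an added Python example (not part of the original report, and not Suricata's or gommunityid's code). It uses the tuple and seed from the report; the `port_tiebreak=False` mode and the helper names are hypothetical, included only to show what an address-only comparison does to such a flow, not to state where Suricata's bug lies.

```python
import base64
import hashlib
import ipaddress
import struct

PROTO_TCP = 6


def community_id_v1(src_ip, src_port, dst_ip, dst_port, proto=PROTO_TCP,
                    seed=0, port_tiebreak=True):
    """Community ID v1 for a port-based IP flow (TCP/UDP/SCTP).

    port_tiebreak=False is a hypothetical, deliberately incomplete ordering
    that compares addresses only; it is here to show the failure mode.
    """
    src = ipaddress.ip_address(src_ip).packed
    dst = ipaddress.ip_address(dst_ip).packed
    # The spec orders the endpoints so both directions hash identically:
    # smaller address first, and on equal addresses the smaller port first.
    if port_tiebreak:
        swap = (src, src_port) > (dst, dst_port)
    else:
        swap = src > dst
    if swap:
        src, dst = dst, src
        src_port, dst_port = dst_port, src_port
    # seed (2 bytes) | src addr | dst addr | proto | zero pad | sport | dport,
    # all in network byte order.
    data = (struct.pack("!H", seed) + src + dst +
            struct.pack("!BBHH", proto, 0, src_port, dst_port))
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def both_directions(ip, client_port, server_port, **kw):
    """IDs for request and reply packets of a flow where both ends share ip."""
    return (community_id_v1(ip, client_port, ip, server_port, **kw),
            community_id_v1(ip, server_port, ip, client_port, **kw))


if __name__ == "__main__":
    # Tuple and seed taken from the report above.
    for tiebreak in (True, False):
        fwd, rev = both_directions("192.168.0.254", 56162, 3306,
                                   seed=1, port_tiebreak=tiebreak)
        print(f"port_tiebreak={tiebreak}: {fwd} / {rev} same={fwd == rev}")
```

With the port tie-break, both directions of the flow map to one ID; without it, request and reply packets of the same connection get two different IDs, which breaks correlation of that flow across tools.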