Bug #6864
Detect: ipopts keyword misfires
Status: Closed
Description
The ipopts keyword may be misfiring.
https://forum.suricata.io/t/suricata-cant-define-ip-options/4494/7 describes a situation where the OP wanted an alert whenever the strict source route IP option is present, but found that the rule also alerted on a packet carrying the stream id IP option.
The rule used by the OP:
alert ip any any -> any any (ipopts: ssrr; msg: "issue"; rev: 1; sid:1;)
Updated by Jeff Lucovsky 9 months ago
The misfiring is occurring because:
- When the ipopts keyword is parsed, an enum value is added to the detection context.
- When looking for a match, the match logic treats the detection context value as a bit field.
- False alerts occur because the check uses a bit field and an enum value. The bit field is from the packet.
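An added C example, not Suricata's own code, that illustrates the mismatch described above: the enum ordinals and flag values are constructed for the demonstration, and the buggy matcher is shown beside the corrected one.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed option kinds; the numbers are illustrative, not Suricata's
 * actual enum or flag values. The rule parser stores the ordinal it finds. */
enum ipopt_kind {
    IPOPT_RR   = 0,   /* record route */
    IPOPT_SID  = 1,   /* stream id */
    IPOPT_SSRR = 2,   /* strict source route */
    IPOPT_LSRR = 3    /* loose source route */
};

/* The packet decoder reports the options present as one bit per kind. */
#define IPOPT_FLAG(kind) (1u << (kind))

/* Buggy match: the detection context value (an ordinal) is AND-ed with the
 * packet's bit field as if it were itself a mask. Here IPOPT_SSRR == 2 == 0b10,
 * which happens to equal IPOPT_FLAG(IPOPT_SID), so a stream-id packet "matches"
 * an ssrr rule, while a real SSRR packet (flag 0b100) does not. */
bool ipopts_match_buggy(uint32_t pkt_flags, enum ipopt_kind rule_kind)
{
    return (pkt_flags & (uint32_t)rule_kind) != 0;
}

/* Fixed match: translate the parsed ordinal into its bit before comparing,
 * so both sides of the check use the same representation. */
bool ipopts_match_fixed(uint32_t pkt_flags, enum ipopt_kind rule_kind)
{
    return (pkt_flags & IPOPT_FLAG(rule_kind)) != 0;
}

int main(void)
{
    /* Constructed packets: one carrying only stream id, one only SSRR. */
    uint32_t sid_pkt  = IPOPT_FLAG(IPOPT_SID);
    uint32_t ssrr_pkt = IPOPT_FLAG(IPOPT_SSRR);

    printf("rule 'ipopts: ssrr' vs stream-id packet: buggy=%d fixed=%d\n",
           ipopts_match_buggy(sid_pkt, IPOPT_SSRR),
           ipopts_match_fixed(sid_pkt, IPOPT_SSRR));
    printf("rule 'ipopts: ssrr' vs SSRR packet:      buggy=%d fixed=%d\n",
           ipopts_match_buggy(ssrr_pkt, IPOPT_SSRR),
           ipopts_match_fixed(ssrr_pkt, IPOPT_SSRR));
    return 0;
}
```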
Updated by Jeff Lucovsky 9 months ago
- Status changed from New to In Review
- Assignee changed from OISF Dev to Jeff Lucovsky
Updated by Jeff Lucovsky 8 months ago
- Status changed from In Review to Resolved
- Label Needs backport to 7.0 added
Updated by Philippe Antoine 8 months ago
- Status changed from Resolved to Closed