Project

General

Profile

Actions
Copy link

Bug #6864

closed

detect: ipopts keyword false positive

Added by Jeff Lucovsky about 1 year ago. Updated about 2 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Jeff Lucovsky
Target version:
8.0.0-beta1
Affected Versions:
Effort:
Difficulty:
Label:

Description

The ipopts keyword may be misfiring.

https://forum.suricata.io/t/suricata-cant-define-ip-options/4494/7 describes a situation where the OP requested an alert when strict source route occurs but found that the rule was creating an alert with a packet having the stream id IP option.

The rule used by the OP: 

alert ip any any -> any any (ipopts: ssrr; msg: "issue"; rev: 1; sid:1;)

Files

84b58b808f9f81c09728cb923a2c0eb0.pcap (730 Bytes) 84b58b808f9f81c09728cb923a2c0eb0.pcap Jeff Lucovsky, 03/18/2024 12:50 PM

Subtasks 1 (0 open1 closed)

Bug #6882: Detect: ipopts keyword misfires (7.0.x backport)ClosedJeff LucovskyActions
Actions
Copy link

Also available in: Atom PDF