Actions
Bug #7414
closeddetect: decoder event rules fail to match on invalid packets
Affected Versions:
Effort:
Difficulty:
Label:
Description
An ipv4 packet that contains malformed security option with invalid length field (2 bytes) and invalid bytes length (12 bytes) with respect the length field is not detected.
My setup is AlmaLinux 8.10, Suricata 7.0.7 in IPS Layer 2 mode and has the following rule that is never triggered:
drop pkthdr any any -> any any (msg:"SURICATA IPv4 invalid option length"; decode-event:ipv4.opt_invalid_len; classtype:protocol-command-decode; sid:2200005; rev:2;)In attach pcap file where the third packet contains the invalid ipv4 security option.
Files
Updated by Victor Julien about 1 year ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Victor Julien
- Target version changed from TBD to 8.0.0-beta1
- Label Needs backport to 7.0 added
Confirmed, it is a general failure of matching decoder event rules on invalid packets.
Updated by OISF Ticketbot about 1 year ago
- Label deleted (
Needs backport to 7.0)
Updated by Victor Julien about 1 year ago
- Related to Feature #7433: eve/alert: enrich decoder event rules added
Updated by Victor Julien about 1 year ago
- Status changed from Assigned to In Review
Updated by Victor Julien about 1 year ago
- Status changed from In Review to Resolved
Updated by Juliana Fajardini Reichow about 1 year ago
- Subject changed from Malformed ipv4 security option is not detected to detect: decoder event rules fail to match on invalid packets
- Status changed from Resolved to Closed
Actions