Actions
Bug #7414
closeddetect: decoder event rules fail to match on invalid packets
Affected Versions:
Effort:
Difficulty:
Label:
Description
An ipv4 packet that contains malformed security option with invalid length field (2 bytes) and invalid bytes length (12 bytes) with respect the length field is not detected.
My setup is AlmaLinux 8.10, Suricata 7.0.7 in IPS Layer 2 mode and has the following rule that is never triggered:
drop pkthdr any any -> any any (msg:"SURICATA IPv4 invalid option length"; decode-event:ipv4.opt_invalid_len; classtype:protocol-command-decode; sid:2200005; rev:2;)In attach pcap file where the third packet contains the invalid ipv4 security option.
Files
Updated by Victor Julien 15 days ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Victor Julien
- Target version changed from TBD to 8.0.0-beta1
- Label Needs backport to 7.0 added
Confirmed, it is a general failure of matching decoder event rules on invalid packets.
Updated by Victor Julien 14 days ago
- Related to Feature #7433: eve/alert: enrich decoder event rules added
Updated by Victor Julien 14 days ago
- Status changed from Assigned to In Review
Updated by Victor Julien 12 days ago
- Status changed from In Review to Resolved
Updated by Juliana Fajardini Reichow 5 days ago
- Subject changed from Malformed ipv4 security option is not detected to detect: decoder event rules fail to match on invalid packets
- Status changed from Resolved to Closed
Actions