Bug #7414: detect: decoder event rules fail to match on invalid packets - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #7414

closed

detect: decoder event rules fail to match on invalid packets

Added by Arialdo Pucino 22 days ago. Updated 5 days ago.

Status:

Closed

Priority:

Normal

Assignee:

Victor Julien

Target version:

8.0.0-beta1

Affected Versions:

7.0.7

Effort:

Difficulty:

Label:

Description

An ipv4 packet that contains malformed security option with invalid length field (2 bytes) and invalid bytes length (12 bytes) with respect the length field is not detected.
My setup is AlmaLinux 8.10, Suricata 7.0.7 in IPS Layer 2 mode and has the following rule that is never triggered:

drop pkthdr any any -> any any (msg:"SURICATA IPv4 invalid option length"; decode-event:ipv4.opt_invalid_len; classtype:protocol-command-decode; sid:2200005; rev:2;)

In attach pcap file where the third packet contains the invalid ipv4 security option.

Files

ip_secopt.pcap (310 Bytes) ip_secopt.pcap

Arialdo Pucino, 11/26/2024 10:32 AM

Subtasks 1 (0 open — 1 closed)

Related issues 1 (1 open — 0 closed)

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #7414

detect: decoder event rules fail to match on invalid packets

Updated by Victor Julien 15 days ago

Updated by OISF Ticketbot 15 days ago

Updated by OISF Ticketbot 15 days ago

Updated by Victor Julien 14 days ago

Updated by Victor Julien 14 days ago

Updated by Victor Julien 13 days ago

Updated by Juliana Fajardini Reichow 5 days ago