Bug #7892
openicmp detection corner case with dns app_proto
Description
While recently reviewing a few different cases, I stumbled on an interesting ICMP pcap trace where the proto is ICMP but app_proto is DNS.
It seems that the first two rules trigger and the third one does not, while a user would expect it to trigger, as the alert itself already has app_proto dns.
alert icmp $HOME_NET any -> any any (msg:"TEST1 ICMP outbound unusual size and pattern Destination Unreachable"; itype:3; threshold: type both, track by_src, count 1, seconds 120; classtype:unknown; sid:1000123; rev:1; metadata: created_at 2025_09_11, updated_at 2025_09_11; target:dest_ip;)

alert icmp $HOME_NET any -> any any (msg:"TEST2 ICMP outbound unusual size and pattern Destination Unreachable"; itype:3; dsize:>120; content:!"blahblah"; threshold: type both, track by_src, count 1, seconds 120; classtype:unknown; sid:1000124; rev:1; metadata: created_at 2025_09_11, updated_at 2025_09_11; target:dest_ip;)

alert icmp $HOME_NET any -> any any (msg:"TEST3 ICMP outbound unusual size and pattern Destination Unreachable"; itype:3; dsize:>120; content:!"blahblah"; app-layer-protocol:!dns; threshold: type both, track by_src, count 1, seconds 120; classtype:unknown; sid:1000125; rev:1; metadata: created_at 2025_09_11, updated_at 2025_09_11; target:dest_ip;)
Original pcap is from here:
https://www.malware-traffic-analysis.net/2022/02/16/index.html
Please also find attached a single small ICMP pcap that can reproduce the issue.
Also attached is an alert JSON example.
To make the matter more interesting...
We have an alert JSON (attached) with proto ICMP and app_proto DNS when the full pcap is read.(https://www.malware-traffic-analysis.net/2022/02/16/index.html)
But the app_proto and flow are actually missing from the alert JSON when we read just the extracted small offending pcap. (That is on top of the third rule still not triggering.)
Suricata command and version:
sudo suricata -S wip-icmp-1.rules -l logs/ -k none -r icmp-dns.pcap -v ; jq -r .event_type logs/eve.json | sort | uniq -c | sort -rn ; grep '"event_type":"alert"' logs/eve.json | jq .alert.signature | sort -rn | uniq -c | sort -rn

Notice: suricata: This is Suricata version 8.0.1-dev (49629f7cb 2025-08-22) running in USER mode [LogVersion:suricata.c:1208]
Info: cpu: CPUs/cores online: 16 [UtilCpuPrintSummary:util-cpu.c:149]
Info: suricata: Setting engine mode to IDS mode by default [PostConfLoadedSetup:suricata.c:2795]
Info: exception-policy: master exception-policy set to: auto [ExceptionPolicyMasterParse:util-exception-policy.c:269]
Info: logopenfile: fast output device (regular) initialized: fast.log [SCConfLogOpenGeneric:util-logopenfile.c:648]
Info: logopenfile: eve-log output device (regular) initialized: eve.json [SCConfLogOpenGeneric:util-logopenfile.c:648]
Info: logopenfile: stats output device (regular) initialized: stats.log [SCConfLogOpenGeneric:util-logopenfile.c:648]
Info: detect: 1 rule files processed. 3 rules successfully loaded, 0 rules failed, 0 rules skipped [SigLoadSignatures:detect-engine-loader.c:473]
Info: threshold-config: Threshold config parsed: 0 rule(s) found [SCThresholdConfParseFile:util-threshold-config.c:1015]
Info: detect: 3 signatures processed. 0 are IP-only rules, 2 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only [SigPrepareStage1:detect-engine-build.c:1810]
Notice: mpm-hs: Rule group caching - loaded: 1 newly cached: 0 total cacheable: 1 [SCHSCacheRuleset:util-mpm-hs.c:852]
Info: pcap: Starting file run for /home/pevma/Downloads/icmp-dns.pcap [ReceivePcapFileLoop:source-pcap-file.c:206]
Notice: threads: Threads created -> RX: 1 W: 16 FM: 1 FR: 1 Engine started. [TmThreadWaitOnThreadRunning:tm-threads.c:1982]
Info: pcap: pcap file /home/pevma/Downloads/icmp-dns.pcap end of file reached (pcap err code 0) [PcapFileDispatch:source-pcap-file-helper.c:163]
Notice: suricata: Signal Received. Stopping engine. [SuricataMainLoop:suricata.c:2931]
Info: suricata: time elapsed 0.096s [SCPrintElapsedTime:suricata.c:1228]
Notice: pcap: read 1 file, 4 packets, 798 bytes [ReceivePcapFileThreadExitStats:source-pcap-file.c:414]
Info: counters: Alerts: 4 [StatsLogSummary:counters.c:869]
      4 alert
      1 stats
      2 "TEST2 ICMP outbound unusual size and pattern Destination Unreachable"
      2 "TEST1 ICMP outbound unusual size and pattern Destination Unreachable"
Suricata version:
suricata --build-info
This is Suricata version 8.0.1-dev (49629f7cb 2025-08-22)
Features: PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_LUA HAVE_JA3 HAVE_JA4 HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST POPCNT64
SIMD support: SSE_4_2 SSE_4_1 SSE_3 SSE_2
Atomic intrinsics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 14.3.0, C version 201112
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v8.0.1-dev

Suricata Configuration:
  AF_PACKET support:                       yes
  AF_XDP support:                          no
  DPDK support:                            no
  eBPF support:                            no
  XDP support:                             no
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no
  DAG enabled:                             no
  Napatech enabled:                        no
  WinDivert enabled:                       no
  Npcap support:

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
  libjansson support:                      yes
  hiredis support:                         no
  hiredis async with libevent:             no
  PCRE jit:                                yes
  GeoIP2 support:                          yes
  JA3 support:                             yes
  JA4 support:                             yes
  Hyperscan support:                       yes
  Hwloc support:                           no
  Libnet support:                          yes
  liblz4 support:                          yes
  Landlock support:                        yes
  Systemd support:                         yes

  Rust strict mode:                        no
  Rust compiler path:                      /home/pevma/.cargo/bin/rustc
  Rust compiler version:                   rustc 1.85.1 (4eb161250 2025-03-15)
  Cargo path:                              /home/pevma/.cargo/bin/cargo
  Cargo version:                           cargo 1.85.1 (d73d2caf9 2024-12-31)

  Python support:                          yes
  Python path:                             /home/pevma/.pyenv/shims/python3
  Install suricatactl:                     yes
  Install suricatasc:                      yes
  Install suricata-update:                 no, not bundled

  Profiling enabled:                       no
  Profiling locks enabled:                 no
  Profiling rules enabled:                 no

  Plugin support (experimental):           yes
  DPDK Bond PMD:                           no

Plugins:
  nDPI:                                    no

Development settings:
  Coccinelle / spatch:                     yes
  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no
  Fuzz targets enabled:                    no

Generic build parameters:
  Installation prefix:                     /opt/suritest-master
  Configuration directory:                 /opt/suritest-master/etc/suricata/
  Log directory:                           /opt/suritest-master/var/log/suricata/

  --prefix                                 /opt/suritest-master
  --sysconfdir                             /opt/suritest-master/etc
  --localstatedir                          /opt/suritest-master/var
  --datarootdir                            /opt/suritest-master/share

  Host:                                    x86_64-pc-linux-gnu
  Compiler:                                gcc (exec name) / g++ (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -g -O2 -fPIC -DOS_LINUX -std=c11 -march=native
  PCAP_CFLAGS                              -I/usr/include/dbus-1.0 -I/usr/lib/x86_64-linux-gnu/dbus-1.0/include
  SECCFLAGS
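An ICMP Destination Unreachable message quotes the IP header and at least the first 8 bytes of the transport header of the datagram that triggered it (RFC 792), which is what lets an IDS that links ICMPv4 errors to the quoted packet's flow (Suricata's flow lookup does this for errors with a valid quoted header) end up with proto ICMP and app_proto dns on the same alert. The script below is an added example, not code from the bug report or from Suricata: it builds a constructed port-unreachable packet quoting a DNS reply (addresses, ports and transaction id are made up), recovers the quoted 5-tuple, looks it up in a toy flow table with and without the UDP/53 flow present (modelling the full capture versus the extracted ICMP-only pcap), and evaluates the packet conditions of the three rules. The flow table and the treatment of app-layer-protocol:!dns as "app_proto known and not dns" are assumptions of the example, not statements about Suricata's detection engine.

```python
"""Added example, not from the bug report or from Suricata: parse an ICMPv4
Destination Unreachable message, recover the 5-tuple of the datagram it quotes,
look that tuple up in a toy flow table, and run the three report rules'
packet conditions against the result."""
import socket
import struct

ICMP_DEST_UNREACH = 3
ICMP_HDR_LEN = 8  # type, code, checksum, 4 unused bytes (RFC 792)
IPPROTO_UDP = 17


def build_dns_response(txid, labels, addrs):
    """Constructed DNS reply: one question, one A record per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # type A, class IN
    answers = b"".join(
        struct.pack("!HHHIH4s", 0xC00C, 1, 1, 300, 4, socket.inet_aton(a)) for a in addrs
    )
    return header + question + answers


def build_icmp_dest_unreach(code, src, dst, sport, dport, quoted_payload):
    """ICMPv4 type 3 quoting a UDP datagram src:sport -> dst:dport. RFC 792 only
    requires the IP header plus 8 bytes of transport header, but many stacks quote
    the whole datagram, which is what makes dsize large. Checksums are left zero;
    nothing below validates them."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(quoted_payload),
                         0x1234, 0x4000, 64, IPPROTO_UDP, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    udp_hdr = struct.pack("!HHHH", sport, dport, 8 + len(quoted_payload), 0)
    icmp_hdr = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0)
    return icmp_hdr + ip_hdr + udp_hdr + quoted_payload


def parse_icmp_error(icmp):
    """Return type/code, the payload a dsize/content check sees (everything after
    the 8-byte ICMP header) and the quoted datagram's 5-tuple as originally sent."""
    if len(icmp) < ICMP_HDR_LEN + 28:
        raise ValueError("too short: need ICMP header + IPv4 header + 8 transport bytes")
    itype, code = icmp[0], icmp[1]
    if itype != ICMP_DEST_UNREACH:
        raise ValueError("not a Destination Unreachable message")
    quoted = icmp[ICMP_HDR_LEN:]
    if quoted[0] >> 4 != 4:
        raise ValueError("quoted header is not IPv4")
    ihl = (quoted[0] & 0x0F) * 4
    if ihl < 20 or len(quoted) < ihl + 8:
        raise ValueError("truncated quoted header")
    proto = quoted[9]
    src, dst = socket.inet_ntoa(quoted[12:16]), socket.inet_ntoa(quoted[16:20])
    sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return {"itype": itype, "code": code, "payload": quoted, "dsize": len(quoted),
            "quoted_tuple": (proto, src, sport, dst, dport)}


def flow_key(proto, src, sport, dst, dport):
    """Direction-independent key: the quoted reply (server -> client) must land on
    the flow created by the client's query."""
    return (proto,) + tuple(sorted([(src, sport), (dst, dport)]))


def enrich(icmp, flow_table):
    """Attach the app_proto of the flow the quoted datagram belongs to, if the
    toy flow table has one (it does not when only the ICMP packet was captured)."""
    info = parse_icmp_error(icmp)
    flow = flow_table.get(flow_key(*info["quoted_tuple"]))
    info["app_proto"] = flow["app_proto"] if flow else None
    return info


def evaluate_rules(info):
    """Packet conditions of sids 1000123-1000125. The app-layer-protocol:!dns
    test is modelled as 'app_proto known and not dns'; that is an assumption of
    this example, not a statement of how Suricata evaluates the keyword."""
    base = info["itype"] == 3
    size_and_content = info["dsize"] > 120 and b"blahblah" not in info["payload"]
    not_dns = info["app_proto"] is not None and info["app_proto"] != "dns"
    return {1000123: base,
            1000124: base and size_and_content,
            1000125: base and size_and_content and not_dns}


# Constructed scenario: the client closed its socket, so the late DNS reply from
# 192.0.2.53:53 is bounced back as port unreachable (type 3, code 3) quoting it.
CLIENT, SERVER, CPORT = "10.0.0.5", "192.0.2.53", 51234
DNS_REPLY = build_dns_response(0xBEEF, [b"example", b"com"],
                               ["198.51.100.%d" % i for i in range(30, 35)])
ICMP_PKT = build_icmp_dest_unreach(3, SERVER, CLIENT, 53, CPORT, DNS_REPLY)
FULL_CAPTURE = {flow_key(IPPROTO_UDP, CLIENT, CPORT, SERVER, 53): {"app_proto": "dns"}}
ICMP_ONLY_CAPTURE = {}

if __name__ == "__main__":
    for label, table in (("full capture", FULL_CAPTURE), ("ICMP-only pcap", ICMP_ONLY_CAPTURE)):
        info = enrich(ICMP_PKT, table)
        print(label, "dsize=%d app_proto=%s" % (info["dsize"], info["app_proto"]),
              evaluate_rules(info))
```

Running it shows the quoted reply landing on the UDP/53 flow only when that flow exists in the table (dsize 137 in both runs, app_proto dns versus none), and under this example's reading of the negated keyword sid 1000125 stays silent in both cases; swap the flow's app_proto for anything other than dns and it fires. Whether a packet with no flow or app_proto should count as "not dns" for app-layer-protocol:!dns is exactly the question the report raises, and the model does not answer it.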