Bug #8172
closedflow: mac addresses are not swapped
Affected Versions:
Effort:
Difficulty:
Label:
Description
When a flow is reversed, MAC addresses are not swapped, resulting in the same MAC appearing in both "src_macs" and "dest_macs".
Below is an example showing the issue (tested using the PCAP from suricata-verify/tests/dns-reversed-tcp-1).
"src_macs" should contain only "d8:cb:8a:ed:a1:46", and "dest_macs" should contain only "00:15:17:0d:06:f7".
To reproduce the issue, enabling stream.midstream and eve.ethernet is sufficient.
{
  "timestamp": "2017-01-26T21:16:58.270725+0100",
  "flow_id": 599807472082420,
  "event_type": "flow",
  "src_ip": "10.16.1.11",
  "src_port": 38195,
  "dest_ip": "8.8.4.4",
  "dest_port": 53,
  "ip_v": 4,
  "proto": "TCP",
  "app_proto": "dns",
  "flow": {
    ...
  },
  "ether": {
    "dest_macs": [
      "d8:cb:8a:ed:a1:46",
      "00:15:17:0d:06:f7"
    ],
    "src_macs": [
      "00:15:17:0d:06:f7",
      "d8:cb:8a:ed:a1:46"
    ]
  },
  "tcp": {
    ...
  }
}
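The following is an added example, not Suricata's code and not part of the report. It models the midstream pickup described above: the first packet the sensor sees is the server's reply, so the flow is created with the server as "source" and later reversed once the real client is identified. The `Flow` class, its `reverse(swap_macs=...)` switch and the packet list are constructed for illustration; the eve.json lines scanned at the end are likewise constructed (the first reuses the MACs and flow_id from the report, the second is a healthy record). `simulate(False)` reproduces the overlapping lists from the report, `simulate(True)` shows the result when the MAC lists are swapped together with the 5-tuple, and `find_unswapped_flows` is a heuristic scan that flags flow records showing the symptom.

```python
"""Added example (not Suricata's code): why an un-swapped MAC set produces the
overlapping src_macs/dest_macs from the report, plus an eve.json scan for it."""
import json

# Constructed packets modelling the midstream pickup from the report.
CLIENT_MAC = "d8:cb:8a:ed:a1:46"
SERVER_MAC = "00:15:17:0d:06:f7"
PACKETS = [
    # (src_ip, src_port, dst_ip, dst_port, src_mac, dst_mac)
    ("8.8.4.4", 53, "10.16.1.11", 38195, SERVER_MAC, CLIENT_MAC),  # seen first (midstream)
    ("10.16.1.11", 38195, "8.8.4.4", 53, CLIENT_MAC, SERVER_MAC),  # client -> server
    ("8.8.4.4", 53, "10.16.1.11", 38195, SERVER_MAC, CLIENT_MAC),  # server -> client
]


class Flow:
    """Minimal flow model (assumption): a 5-tuple plus per-side MAC lists."""

    def __init__(self, pkt):
        self.src_ip, self.src_port, self.dest_ip, self.dest_port, _, _ = pkt
        self.src_macs = []   # MACs on the client side (src MAC of to-server packets)
        self.dest_macs = []  # MACs on the server side (dst MAC of to-server packets)

    def to_server(self, pkt):
        return pkt[0] == self.src_ip and pkt[1] == self.src_port

    def record_macs(self, pkt):
        src_mac, dst_mac = pkt[4], pkt[5]
        # Normalise to the client's perspective before storing.
        if self.to_server(pkt):
            client_mac, server_mac = src_mac, dst_mac
        else:
            client_mac, server_mac = dst_mac, src_mac
        if client_mac not in self.src_macs:
            self.src_macs.append(client_mac)
        if server_mac not in self.dest_macs:
            self.dest_macs.append(server_mac)

    def reverse(self, swap_macs):
        """Flip the flow direction; the report is about reversals that skip the MAC lists."""
        self.src_ip, self.dest_ip = self.dest_ip, self.src_ip
        self.src_port, self.dest_port = self.dest_port, self.src_port
        if swap_macs:
            self.src_macs, self.dest_macs = self.dest_macs, self.src_macs


def simulate(swap_macs_on_reverse):
    """Create the flow from the server's packet, reverse it, then feed the rest."""
    flow = Flow(PACKETS[0])
    flow.record_macs(PACKETS[0])
    flow.reverse(swap_macs=swap_macs_on_reverse)  # true client identified
    for pkt in PACKETS[1:]:
        flow.record_macs(pkt)
    return {"src_macs": flow.src_macs, "dest_macs": flow.dest_macs}


def mac_overlap(ether):
    """MACs present in both lists; a correct record should have none."""
    return sorted(set(ether.get("src_macs", [])) & set(ether.get("dest_macs", [])))


def find_unswapped_flows(eve_lines):
    """Scan eve.json lines and return (flow_id, shared MACs) for flow records
    whose src_macs and dest_macs overlap. Heuristic: only the symptom is checked."""
    hits = []
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "flow" or "ether" not in ev:
            continue
        shared = mac_overlap(ev["ether"])
        if shared:
            hits.append((ev.get("flow_id"), shared))
    return hits


# Constructed eve.json lines: the record from the report and a healthy one.
EVE_LINES = [
    json.dumps({"event_type": "flow", "flow_id": 599807472082420,
                "ether": {"dest_macs": [CLIENT_MAC, SERVER_MAC],
                          "src_macs": [SERVER_MAC, CLIENT_MAC]}}),
    json.dumps({"event_type": "flow", "flow_id": 1,
                "ether": {"dest_macs": [SERVER_MAC], "src_macs": [CLIENT_MAC]}}),
    json.dumps({"event_type": "alert", "flow_id": 2}),  # ignored: not a flow record
]

if __name__ == "__main__":
    print("without MAC swap:", simulate(False))
    print("with MAC swap   :", simulate(True))
    print("flagged records :", find_unswapped_flows(EVE_LINES))
```

With the MAC lists left alone on reversal, the client-side list still starts with the server's MAC from the first packet and then gains the client's MAC from the next to-server packet, which is exactly the pair of two-entry lists in the report; swapping the lists at reversal time leaves one MAC per side. The scan is only a symptom check: a MAC can legitimately appear on both sides in unusual topologies, so treat its hits as candidates to inspect rather than proof of the bug.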
Updated by Victor Julien 16 days ago
- Status changed from New to In Review
- Target version changed from TBD to 9.0.0-beta1
- Label Needs backport to 8.0 added
In review: https://github.com/OISF/suricata/pull/14530
@Giuseppe Longo does this issue exist in 7 as well?
Updated by Giuseppe Longo 16 days ago
Victor Julien wrote in #note-1:
In review: https://github.com/OISF/suricata/pull/14530
@Giuseppe Longo does this issue exist in 7 as well?
Yes, it does.
Updated by Philippe Antoine 6 days ago
- Status changed from In Review to Resolved
Updated by Victor Julien about 9 hours ago
- Status changed from Resolved to Closed