Project

General

Profile

Actions
Copy link

Support #8328

open

ICMP error events are not reported

Added by Rajkumar K 1 day ago. Updated about 12 hours ago.

Status:
New
Priority:
Normal
Assignee:
-
Affected Versions:
8.0.2
Label:

Description

I see suricata is not generating events for ICMP error messages due to the below code,

But I need to generate events for ICMP error messages.

if (PacketIsICMPv4(p)) {
if (ICMPV4_IS_ERROR_MSG(p->icmp_s.type)) {
return false;
}
}

#define ICMPV4_IS_ERROR_MSG(type) \
((type) ICMP_DEST_UNREACH || (type) ICMP_SOURCE_QUENCH || (type) ICMP_REDIRECT || \
(type) ICMP_TIME_EXCEEDED || (type) == ICMP_PARAMETERPROB)

Is this done intentionally?

Files

clipboard-202602261706-kzxli.png (87.4 KB) clipboard-202602261706-kzxli.png Rajkumar K, 02/26/2026 11:36 AM
Actions
Copy link
 #1

Updated by Victor Julien about 13 hours ago

Can you share a test case?

Actions
Copy link
 #2

Updated by Rajkumar K about 12 hours ago

Victor Julien wrote in #note-1:

Can you share a test case?

Its a plain ICMP error, which is not associated with any ICMP requests as this is received on reaching tcp/udp port.

Running suricata, with only this packet in the pcap does not produce any event because of the above code

Actions
Copy link

Also available in: Atom PDF