Bug #990

closed

FP on Suricata dns ttl 0

Added by rmkml over 10 years ago. Updated over 7 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -
Affected Versions: -
Effort: -
Difficulty: -
Label: -

Description

Hi,

Congratulations on the new Suricata v1.4.6 version!

OK, I found a FP with the attached pcap and this old sig, please:

bad-traffic.rules:alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC 0 ttl"; ttl:0; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:1321; rev:8;)

suricata fast.log output:
10/03/2013-12:33:42.042308 [**] [1:1321:8] BAD-TRAFFIC 0 ttl [**] [Classification: Misc activity] [Priority: 3] {HOPOPT} 0000:0000:0463:6f64:6504:6d73:646e:096d:0 -> 6963:726f:736f:6674:0363:6f6d:0000:0100:0

but the attached pcap is DNS/UDP; tcpdump output (it's a good DNS request, not fuzzing):
12:33:42.042308 IP (tos 0x0, ttl 64, id 34529, offset 0, flags [DF], proto UDP (17), length 69)
192.168.69.156.49379 > 192.38.129.234.53: [udp sum ok] 28390+ A? code.msdn.microsoft.com. (41)
E..E....kq..E..&.....5.1..n............code.msdn microsoft.com.....

Please check.

FP with Suricata v1.4.5
FP with Suricata v1.4.6
FP with Suricata v2.0beta1

Regards
@rmkml rmkml
http://etplc.org


Files

suricatadnsttl0fp.pcap (228 Bytes), rmkml, 10/04/2013 03:13 AM
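The fast.log line in the report shows an IPv6/HOPOPT packet whose two "addresses" are, byte for byte, the DNS question name from the tcpdump output, so the rule matched ttl:0 after the UDP payload had been re-decoded as an encapsulated IPv6 header (for IPv6 the ttl keyword compares the hop limit, which sits in byte 7 of the header). The script below is an added example, not part of the ticket or of Suricata's code: it rebuilds the 41-byte query from the tcpdump line and reads it as an IPv6 header, reproducing the exact src/dst strings from fast.log. The passes_heuristic check (version nibble 6 and declared payload length equal to the remaining bytes) is my assumption about what a port-agnostic tunnel decoder such as Suricata's Teredo decoder would verify before handing the payload to the IPv6 decoder; the ticket itself does not name the decoder involved.

```python
"""
Reinterpret the DNS query from the ticket's pcap as an IPv6 header.

Added example (not from the ticket or Suricata): the fast.log output reports
{HOPOPT} with two "addresses" that are really bytes of the DNS question name.
This rebuilds the query from the tcpdump line and shows where those values
come from.
"""
import struct


def build_dns_query(txid: int, name: str, qtype: int = 1, qclass: int = 1) -> bytes:
    """Standard recursive query (flags 0x0100) with a single question."""
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, qclass)


def _group16(addr: bytes) -> str:
    """Format 16 bytes the way the fast.log line shows them: 8 zero-padded groups."""
    return ":".join(f"{addr[i]:02x}{addr[i + 1]:02x}" for i in range(0, 16, 2))


def as_ipv6_header(buf: bytes):
    """
    Read buf as if it began with an IPv6 header and return the fields a decoder
    would see, or None when buf is too short to hold one (40 bytes).
    """
    if len(buf) < 40:
        return None
    version = buf[0] >> 4
    payload_len = struct.unpack("!H", buf[4:6])[0]
    return {
        "version": version,
        "payload_len": payload_len,
        "next_header": buf[6],  # 0 == HOPOPT, as in the fast.log line
        "hop_limit": buf[7],    # what the ttl keyword compares on IPv6
        "src": _group16(buf[8:24]),
        "dst": _group16(buf[24:40]),
        # Assumed decoder heuristic (not stated in the ticket): version nibble
        # is 6 and the declared payload length matches the bytes actually present.
        "passes_heuristic": version == 6 and len(buf) == 40 + payload_len,
    }


# Constructed to match the tcpdump line in the ticket:
# txid 28390 (0x6ee6), A? code.msdn.microsoft.com. -> 41 bytes of DNS payload.
TICKET_QUERY = build_dns_query(28390, "code.msdn.microsoft.com.")

if __name__ == "__main__":
    print(len(TICKET_QUERY), "bytes of DNS payload")
    for key, value in as_ipv6_header(TICKET_QUERY).items():
        print(f"{key:>16}: {value}")
    # Same question with a transaction ID whose top nibble is not 6 (constructed).
    other = as_ipv6_header(build_dns_query(0x1234, "code.msdn.microsoft.com."))
    print("txid 0x1234 passes heuristic:", other["passes_heuristic"])
```

Two details make this particular query a perfect impostor: the transaction ID 0x6ee6 supplies the version nibble 6, and the 41-byte payload is exactly 40 header bytes plus the qdcount field (1) read as the IPv6 payload length, so a length-coherence check cannot reject it. A query with a different transaction ID, or a name whose encoded length differs, would fail at least one of those checks.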
#1 - Updated by Victor Julien over 10 years ago

  • Target version set to TBD
#2 - Updated by Andreas Herz over 7 years ago

  • Assignee set to OISF Dev
#3 - Updated by Victor Julien over 7 years ago

  • Status changed from New to Closed
  • Assignee deleted (OISF Dev)
  • Target version deleted (TBD)

I retested this and it no longer alerts.
