Bug #5689: community id computed wrong for tcp and ipv4 when src_ip == dest_ip - Suricata - Open Information Security Foundation

Bug #5689

I check the community id by using the go package https://github.com/satta/gommunityid and https://github.com/corelight/community-id-spec 

 test case found when src_ip and dest_ip was same. The community was different from the go package. 

 After check the community spec https://github.com/corelight/community-id-spec I don't found any wrong in both suricata and go implement. 

 for example for *seed 1:* 

 suricata got  
 { 
     "src_ip": "192.168.0.254", 
     "src_port": 56162, 
     "dest_ip": "192.168.0.254", 
     "dest_port": 3306, 
     "proto": "TCP", 
     "community_id": "1:ywLin4Fwaq7bqlf6YRbgyWyGBLE=", 
 } 

 and the go implement got: '1:IJQHtzXv/tXud3FtXIufkDsfEd4=' 
 and the python version from got: 1216281025.136169 | 1:IJQHtzXv/tXud3FtXIufkDsfEd4= | 192.168.0.254 192.168.0.254 6 56162 3306 


 the go code: 
 <pre><code class="go"> 

 func TestFlowTupleOrder(t *testing.T) { 
	 cid, _ := gommunityid.GetCommunityIDByVersion(1, 1) 
	 ft := gommunityid.MakeFlowTupleTCP(net.ParseIP("192.168.0.254"), net.ParseIP("192.168.0.254"), 
		 56162, 3306) 
	 CommunityId := cid.CalcBase64(ft) 
	 fmt.Println(CommunityId) 
 } 

 </code></pre> 

 I think both go and python got same id but suricata different. May be there is some code bug in surcata. 

 attachment is the pcap I am using.

Back

Project

General

Profile

Suricata

Bug #5689