[Oisf-devel] FP with suricata yesterday git

Will Metcalf william.metcalf at gmail.com
Mon Jun 7 01:58:58 UTC 2010


We are doing partial protocol decode for this, i.e. decoding the UDP
traffic sent back in the unreachable message. With that said, it
appears as if there is a bug, because we should only be alerting on
packet 3 if the dport in the packet that caused the sig to fire was 53,
but in this case it's the sport.  Seems as if something is mixed up
somewhere. Please open a ticket.  Thanks RMKML!!!!!

Regards,

Will

SCSigOrderSignatures: Total Signatures to be processed by
the sigordering module: 1
[14637] 6/6/2010 -- 20:41:37 - (decode-sll.c:45) <Debug> (DecodeSll)
-- p 0x257d2c0 pkt 0x257d338 sll_protocol 0800
[14637] 6/6/2010 -- 20:41:37 - (decode-ipv4.c:512) <Debug>
(DecodeIPV4) -- pkt 0x257d348 len 56
[14637] 6/6/2010 -- 20:41:37 - (decode-ipv4.c:532) <Debug>
(DecodeIPV4) -- IPV4 10.50.1.143->142.27.128.1 PROTO: 17 OFFSET: 0 RF:
0 DF: 1 MF: 0 ID: 0
[14637] 6/6/2010 -- 20:41:37 - (decode-udp.c:75) <Debug> (DecodeUDP)
-- UDP sp: 62565 -> dp: 53 - HLEN: 8 LEN: 28
[14637] 6/6/2010 -- 20:41:37 - (decode-sll.c:45) <Debug> (DecodeSll)
-- p 0x2592cb0 pkt 0x2592d28 sll_protocol 0800
[14637] 6/6/2010 -- 20:41:37 - (decode-ipv4.c:512) <Debug>
(DecodeIPV4) -- pkt 0x2592d38 len 72
[14637] 6/6/2010 -- 20:41:37 - (decode-ipv4.c:532) <Debug>
(DecodeIPV4) -- IPV4 142.27.128.1->10.50.1.143 PROTO: 17 OFFSET: 0 RF:
0 DF: 1 MF: 0 ID: 29489
[14637] 6/6/2010 -- 20:41:37 - (decode-udp.c:75) <Debug> (DecodeUDP)
-- UDP sp: 53 -> dp: 62565 - HLEN: 8 LEN: 44
[14637] 6/6/2010 -- 20:41:37 - (decode-sll.c:45) <Debug> (DecodeSll)
-- p 0x25a86a0 pkt 0x25a8718 sll_protocol 0800
[14637] 6/6/2010 -- 20:41:37 - (decode-ipv4.c:512) <Debug>
(DecodeIPV4) -- pkt 0x25a8728 len 100
[14637] 6/6/2010 -- 20:41:37 - (decode-ipv4.c:532) <Debug>
(DecodeIPV4) -- IPV4 10.50.1.143->142.27.128.1 PROTO: 1 OFFSET: 0 RF:
0 DF: 0 MF: 0 ID: 25886
[14637] 6/6/2010 -- 20:41:37 - (decode-icmpv4.c:145) <Debug>
(DecodeICMPV4) -- ICMPV4 TYPE 3 CODE 3
[14637] 6/6/2010 -- 20:41:37 - (decode-icmpv4.c:98) <Debug>
(DecodePartialIPV4) -- DecodePartialIPV4: ICMPV4->IPV4->UDP header
sport: 53 dport 62565
[14637] 6/6/2010 -- 20:41:37 - (decode-icmpv4.c:124) <Debug>
(DecodePartialIPV4) -- ICMPv4 embedding IPV4 142.27.128.1->10.50.1.143
- PROTO: 17 ID: 12659



On Sun, Jun 6, 2010 at 11:56 AM, rmkml <rmkml at free.fr> wrote:
> and it's special, because, if you extract only the third packet, no alert!
> Regards
> Rmkml
>
>
> On Sun, 6 Jun 2010, rmkml wrote:
>
>> Hi,
>> Maybe I found a regression between suricata v0.9.1 and yesterday's git
>> (79443b1991840930ded4b8f09ba6de7b000912d9).
>> Can anyone confirm? I'll open a new ticket...
>> OK, with this old sig, I have a FP with my attached (anonymized) pcap file:
>> alert udp any any -> any 53 (msg:"DNS zone transfer UDP"; content:"|00 00
>> FC|"; offset:14; classtype:attempted-recon; sid:1948; rev:6;)
>> alert firing:
>> 04/01/09-14:36:40.894688  [**] [1:1948:6] DNS zone transfer UDP [**]
>> [Classification: ...] [Priority: 3] {1} 10.50.1.143:3 -> 142.27.128.1:3
>> Attached pcap file contains 3 packets: first is a DNS A request, second is the DNS
>> reply, third is ICMP port (dns) unreach (FP here).
>> It's not fuzzing, it's "normal" DNS traffic.
>> Snort is not firing, maybe it's a new Suricata feature?
>> Regards
>> Rmkml
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
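The direction mix-up Will describes can be reproduced on the three packets from the debug log above. The following is an added example, not Suricata code or anything posted in this thread: it constructs the DNS query, the DNS reply and the ICMPv4 type 3 code 3 message that quotes the reply's IP and UDP headers (RFC 792 layout), decodes the embedded header the way a partial decode would, and then evaluates the header part of `alert udp any any -> any 53` against the outer and embedded views. The `port_field` parameter of `rule_matches` is an assumption used only to show what happens when the engine compares the rule's destination port against the embedded source port instead of the embedded destination port; the `content` test of the original rule is not modelled.

```python
import ipaddress
import struct

# Constructed sample values, copied from the addresses and ports in the debug log above.
CLIENT, SERVER = "10.50.1.143", "142.27.128.1"
CLIENT_PORT, DNS_PORT = 62565, 53
PROTO_ICMP, PROTO_UDP = 1, 17


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (odd-length input is zero padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ident: int) -> bytes:
    """Minimal IPv4 header (IHL 5, DF set, TTL 64) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000, 64,
                      proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header; checksum 0 is permitted for IPv4 and keeps the example short."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_icmp_port_unreach(original_ip_packet: bytes) -> bytes:
    """ICMPv4 type 3 code 3 quoting the original IP header plus 8 bytes of its payload."""
    ihl = (original_ip_packet[0] & 0x0F) * 4
    msg = struct.pack("!BBHI", 3, 3, 0, 0) + original_ip_packet[: ihl + 8]
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def parse_ipv4(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    return {"src": str(ipaddress.ip_address(pkt[12:16])),
            "dst": str(ipaddress.ip_address(pkt[16:20])),
            "proto": pkt[9], "payload": pkt[ihl:]}


def parse_udp(data: bytes) -> dict:
    sport, dport, _length, _csum = struct.unpack("!HHHH", data[:8])
    return {"sport": sport, "dport": dport}


def decode_views(pkt: bytes) -> list:
    """Outer header view, plus the embedded view for an ICMP unreachable (partial decode)."""
    ip = parse_ipv4(pkt)
    views = []
    if ip["proto"] == PROTO_UDP:
        views.append(dict(layer="outer", proto="udp", src=ip["src"], dst=ip["dst"],
                          **parse_udp(ip["payload"])))
    elif ip["proto"] == PROTO_ICMP:
        icmp = ip["payload"]
        views.append(dict(layer="outer", proto="icmp", src=ip["src"], dst=ip["dst"],
                          type=icmp[0], code=icmp[1]))
        if icmp[0] == 3:  # destination unreachable: quoted datagram starts after 8 bytes
            inner = parse_ipv4(icmp[8:])
            if inner["proto"] == PROTO_UDP:
                views.append(dict(layer="embedded", proto="udp", src=inner["src"],
                                  dst=inner["dst"], **parse_udp(inner["payload"])))
    return views


def rule_matches(view: dict, proto: str, dport: int, port_field: str = "dport") -> bool:
    """Header part of 'alert <proto> any any -> any <dport>'.

    port_field is a hypothetical knob: 'dport' is the correct comparison, 'sport'
    reproduces the mix-up reported in the thread.
    """
    return view["proto"] == proto and view.get(port_field) == dport


def thread_packets() -> list:
    """The three packets from the thread: DNS query, DNS reply, ICMP port unreachable."""
    query = build_ipv4(CLIENT, SERVER, PROTO_UDP, build_udp(CLIENT_PORT, DNS_PORT, b"\x00" * 20), 0)
    reply = build_ipv4(SERVER, CLIENT, PROTO_UDP, build_udp(DNS_PORT, CLIENT_PORT, b"\x00" * 36), 29489)
    unreach = build_ipv4(CLIENT, SERVER, PROTO_ICMP, build_icmp_port_unreach(reply), 25886)
    return [query, reply, unreach]


def evaluate(port_field: str = "dport") -> list:
    """For each packet, True if any decoded view matches the DNS rule's header part."""
    return [any(rule_matches(v, "udp", DNS_PORT, port_field) for v in decode_views(p))
            for p in thread_packets()]


if __name__ == "__main__":
    print("correct (dport):", evaluate("dport"))   # only packet 1 should alert
    print("mixed up (sport):", evaluate("sport"))  # packet 3 alerts on the embedded reply
```

Run as is, the correct evaluation alerts on packet 1 only; comparing against the embedded source port instead alerts on packet 3, which is exactly the false positive rmkml observed. The embedded view also explains why extracting packet 3 on its own still carries 53 as a port: it is the quoted reply's source port, not a destination.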
