[Oisf-devel] FP with suricata yesterday git

Victor Julien victor at inliniac.net
Mon Jun 7 08:18:29 UTC 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We upgraded our redmine install this weekend. I've asked Josh, our
sysadmin, to have a look.

Cheers,
Victor

rmkml wrote:
> Thanks for the reply, Will.
> I have opened ticket #174, but I get an "Internal error" when I add my
> pcap file...
> Regards
> Rmkml
> 
> 
> On Sun, 6 Jun 2010, Will Metcalf wrote:
> 
>> We are doing partial protocol decode for this i.e. decoding the udp
>> traffic sent back in the unreachable message. With that said it
>> appears as if there is a bug because we should only be alerting on
>> packet 3 if the dport in the packet that caused the sig to fire was 53
>> but in this case it's sport.  Seems as if something is mixed up
>> somewhere. Please open a ticket.  Thanks RMKML!!!!!
>>
>> Regards,
>>
>> Will
>>
>> SCSigOrderSignatures: Total Signatures to be processed by
>> the sigordering module: 1
>> [14637] 6/6/2010 -- 20:41:37 - (decode-sll.c:45) <Debug> (DecodeSll)
>> -- p 0x257d2c0 pkt 0x257d338 sll_protocol 0800
>> [14637] 6/6/2010 -- 20:41:37 - (decode-ipv4.c:512) <Debug>
>> (DecodeIPV4) -- pkt 0x257d348 len 56
>> [14637] 6/6/2010 -- 20:41:37 - (decode-ipv4.c:532) <Debug>
>> (DecodeIPV4) -- IPV4 10.50.1.143->142.27.128.1 PROTO: 17 OFFSET: 0 RF:
>> 0 DF: 1 MF: 0 ID: 0
>> [14637] 6/6/2010 -- 20:41:37 - (decode-udp.c:75) <Debug> (DecodeUDP)
>> -- UDP sp: 62565 -> dp: 53 - HLEN: 8 LEN: 28
>> [14637] 6/6/2010 -- 20:41:37 - (decode-sll.c:45) <Debug> (DecodeSll)
>> -- p 0x2592cb0 pkt 0x2592d28 sll_protocol 0800
>> [14637] 6/6/2010 -- 20:41:37 - (decode-ipv4.c:512) <Debug>
>> (DecodeIPV4) -- pkt 0x2592d38 len 72
>> [14637] 6/6/2010 -- 20:41:37 - (decode-ipv4.c:532) <Debug>
>> (DecodeIPV4) -- IPV4 142.27.128.1->10.50.1.143 PROTO: 17 OFFSET: 0 RF:
>> 0 DF: 1 MF: 0 ID: 29489
>> [14637] 6/6/2010 -- 20:41:37 - (decode-udp.c:75) <Debug> (DecodeUDP)
>> -- UDP sp: 53 -> dp: 62565 - HLEN: 8 LEN: 44
>> [14637] 6/6/2010 -- 20:41:37 - (decode-sll.c:45) <Debug> (DecodeSll)
>> -- p 0x25a86a0 pkt 0x25a8718 sll_protocol 0800
>> [14637] 6/6/2010 -- 20:41:37 - (decode-ipv4.c:512) <Debug>
>> (DecodeIPV4) -- pkt 0x25a8728 len 100
>> [14637] 6/6/2010 -- 20:41:37 - (decode-ipv4.c:532) <Debug>
>> (DecodeIPV4) -- IPV4 10.50.1.143->142.27.128.1 PROTO: 1 OFFSET: 0 RF:
>> 0 DF: 0 MF: 0 ID: 25886
>> [14637] 6/6/2010 -- 20:41:37 - (decode-icmpv4.c:145) <Debug>
>> (DecodeICMPV4) -- ICMPV4 TYPE 3 CODE 3
>> [14637] 6/6/2010 -- 20:41:37 - (decode-icmpv4.c:98) <Debug>
>> (DecodePartialIPV4) -- DecodePartialIPV4: ICMPV4->IPV4->UDP header
>> sport: 53 dport 62565
>> [14637] 6/6/2010 -- 20:41:37 - (decode-icmpv4.c:124) <Debug>
>> (DecodePartialIPV4) -- ICMPv4 embedding IPV4 142.27.128.1->10.50.1.143
>> - PROTO: 17 ID: 12659
>>
>>
>>
>> On Sun, Jun 6, 2010 at 11:56 AM, rmkml <rmkml at free.fr> wrote:
>>> and it's special, because if you extract only the 3rd packet, there is no alert!
>>> Regards
>>> Rmkml
>>>
>>>
>>> On Sun, 6 Jun 2010, rmkml wrote:
>>>
>>>> Hi,
>>>> Maybe I've found a regression between suricata v0.9.1 and yesterday's git
>>>> (79443b1991840930ded4b8f09ba6de7b000912d9)
>>>> Can anyone confirm? I'm opening a new ticket...
>>>> ok, with this old sig I have a FP with my attached (anonymized) pcap
>>>> file:
>>>> alert udp any any -> any 53 (msg:"DNS zone transfer UDP"; content:"|00 00 FC|"; offset:14; classtype:attempted-recon; sid:1948; rev:6;)
>>>> alert firing:
>>>> 04/01/09-14:36:40.894688  [**] [1:1948:6] DNS zone transfer UDP [**]
>>>> [Classification: ...] [Priority: 3] {1} 10.50.1.143:3 -> 142.27.128.1:3
>>>> The attached pcap file contains 3 packets: the first is a dns A request, the second
>>>> is a dns reply, the third is an icmp port (dns) unreachable (FP here).
>>>> It's not fuzzing, it's "normal" dns traffic.
>>>> Snort is not firing, maybe it's a new Suricata feature?
>>>> Regards
>>>> Rmkml
>>> _______________________________________________
>>> Oisf-devel mailing list
>>> Oisf-devel at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>>
>>
> 


--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkwMq1QACgkQiSMBBAuniMeV6wCcDN8XJrY4vE3LyXnZOnktz9BL
W0gAnRB2AfA5d8rscwhjDOA3xQ4V4CSq
=tETx
-----END PGP SIGNATURE-----
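Will's explanation above (the ICMP port-unreachable quotes the original DNS reply, so a rule written `udp any any -> any 53` has to be evaluated against the quoted datagram's destination port, not its source port) as an added Python example. This is not Suricata's decoder and not code from anyone on this thread. The three packet bytes are constructed to mirror the addresses, ports, IP IDs and UDP lengths in Will's debug output (checksums are left at zero); the function names and the 20-byte query payload are assumptions.

```python
import struct
from ipaddress import IPv4Address

IPPROTO_ICMP, IPPROTO_UDP = 1, 17
ICMP_DEST_UNREACH, ICMP_PORT_UNREACH = 3, 3


def ipv4_header(src, dst, proto, payload_len, ident=0):
    """Minimal 20-byte IPv4 header; checksum left at zero (constructed sample only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0x4000,
                       64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def build_dns_query():
    """Packet 1 of the thread: 10.50.1.143:62565 -> 142.27.128.1:53, UDP LEN 28 (constructed)."""
    payload = bytes(20)  # constructed filler so that UDP LEN is 28, as in the debug log
    udp = udp_header(62565, 53, len(payload)) + payload
    return ipv4_header("10.50.1.143", "142.27.128.1", IPPROTO_UDP, len(udp)) + udp


def build_port_unreach():
    """Packet 3: ICMP type 3 code 3 from 10.50.1.143 quoting the DNS reply
    142.27.128.1:53 -> 10.50.1.143:62565. Per RFC 792 only the quoted IP header plus
    8 bytes (the UDP header) are carried, so the quoted total length exceeds what is present."""
    quoted_udp = udp_header(53, 62565, 36)  # LEN 44 as in the log; payload itself not quoted
    quoted = ipv4_header("142.27.128.1", "10.50.1.143", IPPROTO_UDP, 44, ident=12659) + quoted_udp
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, 0) + quoted
    return ipv4_header("10.50.1.143", "142.27.128.1", IPPROTO_ICMP, len(icmp), ident=25886) + icmp


def parse_ipv4(buf):
    """Parse an IPv4 header. The total-length field is deliberately not trusted, because a
    header quoted inside an ICMP error describes a datagram that is only partially present."""
    if len(buf) < 20:
        raise ValueError("short IPv4 header")
    vihl, _tos, _total, ident, _flags, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", buf[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("bad IPv4 header")
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "proto": proto, "ident": ident, "payload": buf[ihl:]}


def parse_udp(buf):
    if len(buf) < 8:
        raise ValueError("short UDP header")
    sport, dport, length, _csum = struct.unpack("!HHHH", buf[:8])
    return {"sport": sport, "dport": dport, "len": length}


def decode(buf):
    """Decode the outer IPv4 packet; for an ICMP destination-unreachable, also decode the
    quoted IPv4/UDP header (the partial decode Will describes)."""
    outer = parse_ipv4(buf)
    result = {"outer": outer, "icmp": None, "embedded": None, "udp": None}
    if outer["proto"] == IPPROTO_UDP:
        result["udp"] = parse_udp(outer["payload"])
    elif outer["proto"] == IPPROTO_ICMP and len(outer["payload"]) >= 8:
        itype, icode = outer["payload"][0], outer["payload"][1]
        result["icmp"] = (itype, icode)
        if itype == ICMP_DEST_UNREACH:
            inner = parse_ipv4(outer["payload"][8:])
            if inner["proto"] == IPPROTO_UDP:
                inner["udp"] = parse_udp(inner["payload"])  # only 8 quoted bytes are needed
            result["embedded"] = inner
    return result


def matches_udp_any_to_dport(decoded, dport=53):
    """Header part of `alert udp any any -> any 53`. A plain UDP packet is tested on its own
    ports; an ICMP error is tested on the quoted datagram's ports. In both cases the rule's
    `-> any 53` is compared against the destination port of that datagram."""
    if decoded["udp"] is not None:
        return decoded["udp"]["dport"] == dport
    emb = decoded["embedded"]
    if emb is not None and "udp" in emb:
        return emb["udp"]["dport"] == dport
    return False


def matches_with_ports_swapped(decoded, dport=53):
    """The same rule evaluated against the quoted datagram's *source* port: the mix-up Will
    describes, which turns a port-unreachable for a DNS reply into a false positive."""
    emb = decoded["embedded"]
    if emb is not None and "udp" in emb:
        return emb["udp"]["sport"] == dport
    return False


if __name__ == "__main__":
    for name, pkt in (("dns query", build_dns_query()), ("port unreach", build_port_unreach())):
        d = decode(pkt)
        print(name, "correct:", matches_udp_any_to_dport(d), "swapped:", matches_with_ports_swapped(d))
```

With the port orientation kept as in the quoted datagram, the query matches the rule header and the ICMP error does not; compare the source port instead and the third packet in rmkml's pcap matches, which is the false positive reported at the top of the thread.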


