[Oisf-devel] ip_proto:58 and dsize:0 cause FP on Suricata v1.4.1
rmkml
rmkml at yahoo.fr
Wed Mar 13 21:27:55 UTC 2013
Hi,
I'm continuing my Suricata testing and I have created this sig:
alert ip any any -> any any (msg:"ip_proto:58 and dsize:0"; ip_proto:58; dsize:0; sid:1; rev:1; )
Why does Suricata v1.4.1 fire on the attached pcap file, please?
Tcpdump output:
09:59:35.724983 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 8) fe80::8ac6:63ff:feb9:de9a > ff02::2: ICMP6, router solicitation, length 8
Tshark output:
...
Internet Protocol Version 6, Src: fe80::8ac6:63ff:feb9:de9a, Dst: ff02::2
0110 .... = Version: 6
Payload length: 8
Next header: ICMPv6 (58)
Hop limit: 255
Internet Control Message Protocol v6
Type: Router Solicitation (133)
Code: 0
Checksum: 0xb11c [correct]
Reserved: 00000000
Snort does not fire.
If you confirm, I'll open a new Redmine ticket.
Regards
Rmkml
http://twitter.com/rmkml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suricata141testingipproto58dsize0FP.pcap
Type: application/vnd.tcpdump.pcap
Size: 208 bytes
Desc:
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20130313/eb01074c/attachment.bin>
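The router solicitation from the tcpdump/tshark output above, rebuilt as bytes and measured two ways (an added illustration, not Suricata or Snort code). The byte layout is constructed from the quoted fields; the two byte counts are the two candidate meanings of "payload size" for this packet, and the post does not say which one each engine uses as dsize.

```python
"""Rebuild the ICMPv6 router solicitation quoted in the report, verify its
checksum against the 0xb11c shown by tshark, and compute two candidate
"payload size" values for a dsize test. Constructed example, not engine code."""
import ipaddress
import struct

# Constructed from the post: IPv6 hop limit 255, next header 58 (ICMPv6),
# payload length 8, fe80::8ac6:63ff:feb9:de9a -> ff02::2.
IPV6_HDR = (
    bytes.fromhex("60000000")                      # version 6, tc 0, flow label 0
    + struct.pack("!HBB", 8, 58, 255)              # payload length, next header, hop limit
    + ipaddress.IPv6Address("fe80::8ac6:63ff:feb9:de9a").packed
    + ipaddress.IPv6Address("ff02::2").packed
)
# ICMPv6 Router Solicitation: type 133, code 0, checksum 0xb11c, 4 reserved bytes.
ICMPV6_RS = struct.pack("!BBHI", 133, 0, 0xB11C, 0)
PACKET = IPV6_HDR + ICMPV6_RS


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmpv6_checksum(src: bytes, dst: bytes, icmp: bytes) -> int:
    """Checksum over the IPv6 pseudo-header plus the ICMPv6 message (RFC 4443)."""
    pseudo = src + dst + struct.pack("!I", len(icmp)) + b"\x00\x00\x00" + bytes([58])
    msg = icmp[:2] + b"\x00\x00" + icmp[4:]         # checksum field zeroed
    return 0xFFFF ^ ones_complement_sum(pseudo + msg)


def measure(packet: bytes) -> dict:
    """Parse the fixed IPv6 header and report both ways of sizing the payload."""
    plen, nh, hlim = struct.unpack("!HBB", packet[4:8])
    src, dst = packet[8:24], packet[24:40]
    icmp = packet[40:40 + plen]
    typ, code, csum = struct.unpack("!BBH", icmp[:4])
    return {
        "next_header": nh,
        "hop_limit": hlim,
        "icmpv6_type": typ,
        "checksum_ok": icmpv6_checksum(src, dst, icmp) == csum,
        "dsize_ip_payload": len(icmp),               # everything after the IPv6 header
        "dsize_after_icmpv6_header": len(icmp) - 8,  # bytes after the 8-byte RS header
    }
```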