[Oisf-devel] FP on IP frag and sig use udp port 0 ?

rmkml rmkml at yahoo.fr
Tue May 7 23:57:14 UTC 2013


Hi,

I'm curious if anyone can confirm this, please?
(If yes, I'll open a new Redmine ticket.)

OK, testing Suricata with the attached pcap file, which contains one IP fragmented packet without a UDP layer, like this (tshark output):

...
Internet Protocol Version 4, Src: 192.168.1.2 (192.168.1.2), Dst: 192.168.1.1 (192.168.1.1)
     Version: 4
     Header length: 20 bytes
     Differentiated Services Field: 0x00
         0000 00.. = Default (0x00)
         .... ..00 = Not-ECT (Not ECN-Capable Transport) (0x00)
     Total Length: 1500
     Identification: 0x1061 (4193)
     Flags: 0x01 (More Fragments)
         0... .... = Reserved bit: Not set
         .0.. .... = Don't fragment: Not set
         ..1. .... = More fragments: Set
     Fragment offset: 1480
     Time to live: 64
     Protocol: UDP (17)
     Header checksum: 0xc0a3 [correct]
         [Good: True]
         [Bad: False]
     Source: 192.168.1.2 (192.168.1.2)
     Destination: 192.168.1.1 (192.168.1.1)
Data (1480 bytes)
0000  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
...

Testing with this simple, very old sig:
alert udp any any <> any 0 (msg:"BAD-TRAFFIC udp port 0 traffic"; classtype:misc-activity; sid:525; rev:1;)

produces a Suricata FP alert:
05/06/2013-23:49:28.176296 [**] [1:525:1] BAD-TRAFFIC udp port 0 traffic [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.1.2:0 -> 192.168.1.1:0

Of course Snort does not fire.

Regards
Rmkml
http://twitter.com/rmkml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suri1.pcap
Type: application/vnd.tcpdump.pcap
Size: 1660 bytes
Desc: 
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20130508/964b25ac/attachment.bin>
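The false positive above comes down to reading UDP ports from a packet that carries no UDP header: the fragment has offset 1480 and MF set, so its payload is mid-datagram data, and any port value derived from it is a default, not a decoded field. The following is an added example, not code from the post or from Suricata; it rebuilds the fragment from the tshark output as a constructed sample, models the FP as a decoder that falls back to port 0 (an assumption about how the alert arises, not Suricata's actual logic), and shows the check a decoder should apply: only a first fragment (offset 0) with at least 8 payload bytes has a UDP header to read.

```python
import struct

def ipv4_header(src, dst, ident, mf, frag_offset, proto, total_len):
    """Build a 20-byte IPv4 header (constructed sample; checksum left as zero)."""
    flags_frag = (0x2000 if mf else 0) | (frag_offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                       64, proto, 0, bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))

def parse_ipv4(pkt):
    """Return (proto, fragment offset in bytes, more_fragments, payload)."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    mf = bool(flags_frag & 0x2000)
    offset = (flags_frag & 0x1FFF) * 8
    return proto, offset, mf, pkt[ihl:]

def udp_ports_naive(pkt):
    """Model of the FP (assumed): every proto-17 packet gets ports, and an
    undecodable header silently becomes 0/0, which rule sid:525 then matches."""
    proto, offset, mf, payload = parse_ipv4(pkt)
    if proto != 17:
        return None
    if offset != 0 or len(payload) < 8:
        return (0, 0)
    return struct.unpack("!HH", payload[:4])

def udp_ports_checked(pkt):
    """Corrected decode: a UDP header exists only in a first fragment
    (offset 0) whose payload holds the 8 header bytes; otherwise ports are unknown."""
    proto, offset, mf, payload = parse_ipv4(pkt)
    if proto != 17 or offset != 0 or len(payload) < 8:
        return None
    return struct.unpack("!HH", payload[:4])

def rule_525_matches(ports):
    """'alert udp any any <> any 0': fires when either side is port 0 and ports are known."""
    return ports is not None and 0 in ports

# Constructed sample: the fragment from the tshark output above
# (id 0x1061, More Fragments set, offset 1480, proto UDP, 1480 bytes of 'A').
FRAG2 = ipv4_header("192.168.1.2", "192.168.1.1", 0x1061, True, 1480, 17, 1500) + b"A" * 1480

# Constructed sample: an unfragmented UDP datagram genuinely sent from port 0,
# the traffic the rule is meant to catch (sport 0, dport 53, length 8, checksum 0).
UDP_PORT0 = ipv4_header("192.168.1.2", "192.168.1.1", 0x1062, False, 0, 17, 28) + \
    struct.pack("!HHHH", 0, 53, 8, 0)
```

With the naive decode the mid-datagram fragment matches the rule exactly as in the alert line (ports 0 -> 0), while the checked decode leaves it unmatched and still fires on the real port-0 datagram.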


More information about the Oisf-devel mailing list