[Oisf-devel] FP with suricata yesterday git

rmkml rmkml at free.fr
Mon Jun 7 08:03:03 UTC 2010


Thx for reply Will,
I have opened ticket #174, but I get an "Internal error" when I add my pcap file...
Regards
Rmkml


On Sun, 6 Jun 2010, Will Metcalf wrote:

> We are doing partial protocol decode for this i.e. decoding the udp
> traffic sent back in the unreachable message. With that said it
> appears as if there is a bug because we should only be alerting on
> packet 3 if the dport in the packet that caused the sig to fire was 53
> but in this case it's sport.  Seems as if something is mixed up
> somewhere. Please open a ticket.  Thanks RMKML!!!!!
>
> Regards,
>
> Will
>
> SCSigOrderSignatures: Total Signatures to be processed by
> thesigordering module: 1
> [14637] 6/6/2010 -- 20:41:37 - (decode-sll.c:45) <Debug> (DecodeSll)
> -- p 0x257d2c0 pkt 0x257d338 sll_protocol 0800
> [14637] 6/6/2010 -- 20:41:37 - (decode-ipv4.c:512) <Debug>
> (DecodeIPV4) -- pkt 0x257d348 len 56
> [14637] 6/6/2010 -- 20:41:37 - (decode-ipv4.c:532) <Debug>
> (DecodeIPV4) -- IPV4 10.50.1.143->142.27.128.1 PROTO: 17 OFFSET: 0 RF:
> 0 DF: 1 MF: 0 ID: 0
> [14637] 6/6/2010 -- 20:41:37 - (decode-udp.c:75) <Debug> (DecodeUDP)
> -- UDP sp: 62565 -> dp: 53 - HLEN: 8 LEN: 28
> [14637] 6/6/2010 -- 20:41:37 - (decode-sll.c:45) <Debug> (DecodeSll)
> -- p 0x2592cb0 pkt 0x2592d28 sll_protocol 0800
> [14637] 6/6/2010 -- 20:41:37 - (decode-ipv4.c:512) <Debug>
> (DecodeIPV4) -- pkt 0x2592d38 len 72
> [14637] 6/6/2010 -- 20:41:37 - (decode-ipv4.c:532) <Debug>
> (DecodeIPV4) -- IPV4 142.27.128.1->10.50.1.143 PROTO: 17 OFFSET: 0 RF:
> 0 DF: 1 MF: 0 ID: 29489
> [14637] 6/6/2010 -- 20:41:37 - (decode-udp.c:75) <Debug> (DecodeUDP)
> -- UDP sp: 53 -> dp: 62565 - HLEN: 8 LEN: 44
> [14637] 6/6/2010 -- 20:41:37 - (decode-sll.c:45) <Debug> (DecodeSll)
> -- p 0x25a86a0 pkt 0x25a8718 sll_protocol 0800
> [14637] 6/6/2010 -- 20:41:37 - (decode-ipv4.c:512) <Debug>
> (DecodeIPV4) -- pkt 0x25a8728 len 100
> [14637] 6/6/2010 -- 20:41:37 - (decode-ipv4.c:532) <Debug>
> (DecodeIPV4) -- IPV4 10.50.1.143->142.27.128.1 PROTO: 1 OFFSET: 0 RF:
> 0 DF: 0 MF: 0 ID: 25886
> [14637] 6/6/2010 -- 20:41:37 - (decode-icmpv4.c:145) <Debug>
> (DecodeICMPV4) -- ICMPV4 TYPE 3 CODE 3
> [14637] 6/6/2010 -- 20:41:37 - (decode-icmpv4.c:98) <Debug>
> (DecodePartialIPV4) -- DecodePartialIPV4: ICMPV4->IPV4->UDP header
> sport: 53 dport 62565
> [14637] 6/6/2010 -- 20:41:37 - (decode-icmpv4.c:124) <Debug>
> (DecodePartialIPV4) -- ICMPv4 embedding IPV4 142.27.128.1->10.50.1.143
> - PROTO: 17 ID: 12659
>
>
>
> On Sun, Jun 6, 2010 at 11:56 AM, rmkml <rmkml at free.fr> wrote:
>> and it's special, because, if you extract only the 3rd packet, no alert!
>> Regards
>> Rmkml
>>
>>
>> On Sun, 6 Jun 2010, rmkml wrote:
>>
>>> Hi,
>>> Maybe I found a regression between suricata v0.9.1 and yesterday's git
>>> (79443b1991840930ded4b8f09ba6de7b000912d9)
>>> Can anyone confirm? I'll open a new ticket...
>>> ok with this old sig, I have a FP with my attached (anonymized) pcap file:
>>> alert udp any any -> any 53 (msg:"DNS zone transfer UDP"; content:"|00 00 FC|"; offset:14; classtype:attempted-recon; sid:1948; rev:6;)
>>> alert firing:
>>> 04/01/09-14:36:40.894688  [**] [1:1948:6] DNS zone transfer UDP [**]
>>> [Classification: ...] [Priority: 3] {1} 10.50.1.143:3 -> 142.27.128.1:3
>>> Attached pcap file contains 3 packets: first is dns A request, second is dns
>>> reply, third is icmp port (dns) unreach (FP here).
>>> It's not fuzzing, it's "normal" dns traffic.
>>> Snort is not firing, maybe it's a new Suricata feature?
>>> Regards
>>> Rmkml
>> _______________________________________________
>> Oisf-devel mailing list
>> Oisf-devel at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>
>
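Added example, not part of the thread and not Suricata's own decoder: a small Python script that rebuilds the three packets the debug output describes (addresses, ports and IP IDs are taken from the log; the DNS query/reply bytes are constructed), decodes the ICMPv4 type 3 code 3 message down to the IPv4/UDP header embedded in it, and applies the port test of sid 1948 to that embedded header. The rule semantics modelled here (src/dst port tests on the datagram's own direction, `offset` as the search start for `content`) follow the usual Snort conventions; the final "swapped ports" check only illustrates the symptom Will describes and is not a claim about where the bug lives.

```python
"""Decode an ICMPv4 port-unreachable and apply a udp port test to the
embedded UDP header.  Example code written for this thread; it is not
Suricata source.  Packets below are constructed from the debug log."""
import socket
import struct

CLIENT, SERVER, CPORT = "10.50.1.143", "142.27.128.1", 62565

# Rule from the thread: alert udp any any -> any 53 (content:"|00 00 FC|"; offset:14;)
RULE = {"src_port": "any", "dst_port": 53, "content": b"\x00\x00\xfc", "offset": 14}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (returns 0 over a valid header)."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4(src, dst, proto, payload, ident=0, ttl=64):
    """20-byte IPv4 header (DF set, no options) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def udp(sport, dport, payload):
    # UDP checksum left 0: optional on IPv4 and irrelevant to the decode.
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def icmp_port_unreach(original_datagram):
    """ICMP type 3 code 3 carrying the whole offending datagram."""
    body = struct.pack("!BBHI", 3, 3, 0, 0) + original_datagram
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def decode(pkt):
    """Parse IPv4; for UDP return ports/payload, for ICMP type 3 also the
    embedded datagram (the one that caused the error), decoded recursively."""
    ihl = (pkt[0] & 0x0F) * 4
    out = {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
           "proto": pkt[9]}
    l4 = pkt[ihl:]
    if out["proto"] == 17:
        out["sport"], out["dport"], ulen = struct.unpack("!HHH", l4[:6])
        out["payload"] = l4[8:ulen]
    elif out["proto"] == 1:
        out["type"], out["code"] = l4[0], l4[1]
        inner = l4[8:]                      # skip type/code/checksum/unused
        if out["type"] == 3 and len(inner) >= 28:   # inner IP header + 8 L4 bytes
            out["embedded"] = decode(inner)
    return out


def port_ok(spec, port):
    return spec == "any" or spec == port


def rule_ports_match(rule, sport, dport):
    return port_ok(rule["src_port"], sport) and port_ok(rule["dst_port"], dport)


def rule_content_match(rule, payload):
    return payload.find(rule["content"], rule["offset"]) != -1


def evaluate(rule, pkt):
    """Judge the rule against the datagram the packet is really about:
    for an ICMP error that is the embedded one, in its own direction."""
    d = decode(pkt)
    t = d.get("embedded", d)
    return {"sport": t["sport"], "dport": t["dport"],
            "ports_match": rule_ports_match(rule, t["sport"], t["dport"]),
            "content_match": rule_content_match(rule, t.get("payload", b""))}


# Constructed DNS A query for example.com (txid 0x1234) and its reply.
DNS_QUERY = (bytes.fromhex("1234 0100 0001 0000 0000 0000")
             + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01")
DNS_REPLY = (bytes.fromhex("1234 8180 0001 0001 0000 0000")
             + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"
             + bytes.fromhex("c00c 0001 0001 00000e10 0004 5db8d822"))

P1 = ipv4(CLIENT, SERVER, 17, udp(CPORT, 53, DNS_QUERY))               # packet 1
P2 = ipv4(SERVER, CLIENT, 17, udp(53, CPORT, DNS_REPLY), ident=29489)  # packet 2
P3 = ipv4(CLIENT, SERVER, 1, icmp_port_unreach(P2), ident=25886)       # packet 3

if __name__ == "__main__":
    for name, p in (("query", P1), ("reply", P2), ("icmp unreach", P3)):
        print(name, evaluate(RULE, p))
    e = evaluate(RULE, P3)
    # Symptom from the thread: with sport/dport exchanged the rule would fire.
    print("ports match if swapped:", rule_ports_match(RULE, e["dport"], e["sport"]))
```

Run it and packet 3 decodes to the embedded header `sport 53 -> dport 62565`, exactly as the `DecodePartialIPV4` debug line shows, and the `any -> 53` port test is false for it; only the query (packet 1) passes the port test, and none of the three passes the `|00 00 FC|` content test. The same function called with the ports exchanged returns true, which is what an alert on packet 3 implies.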

