[Oisf-devel] Problems with UDP fragments and latest (GIT) Suricata.
Nikolay Denev
ndenev at gmail.com
Tue Sep 27 13:50:15 UTC 2011
Hi Victor,
I've updated yesterday and I'm no more seeing these false alerts.
Thanks!
On Sep 27, 2011, at 4:29 PM, Victor Julien wrote:
> This should be fixed in yesterdays git push. Please let me know if
> you're still seeing the issue.
>
> Thanks for your report!
>
> Regards,
> Victor
>
> On 09/20/2011 04:26 PM, Nikolay Denev wrote:
>> Hello,
>>
>> While trying to catch a bug regarding pass rules in suricata with the help of Peter Manev,
>> I've upgraded to the GIT version and found a new in it regarding fragment handling.
>>
>> Immediately when I switched to the GIT version I started to receive alerts about snmp traps from the following rule:
>>
>> alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP trap udp"; classtype:attempted-recon; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; sid:1419; rev:9;)
>>
>> And here is the alert :
>>
>> [**] [1:1419:9] GPL SNMP trap udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} XX.XX.64.3:0 -> YY.YY.47.8:0
>>
>> You can notice that there are no ports in the alert, but the rule has the destination port specified.
>> When I investigated further it turned out that this alert was triggered by fragments from fragmented UDP packets from port 53 (DNSSEC UDP packets over 1500 bytes).
>>
>> I even recored one of these fragmented packets and I'm able to trigger this rule every time with it. The original suricata version from the FreeBSD ports that I used (1.0.3) do not generate alerts for these fragments.
>>
>> While looking at the code I noticed some recent changes regarding iponly rules and found this commit :
>>
>> https://redmine.openinfosecfoundation.org/projects/suricata/repository/revisions/e13181496c435f5a6b401faf7d40298608d3314c/diff/src/detect-engine-iponly.c
>>
>> In the code fragment from this commit :
>>
>> if (DetectProtoContainsProto(&s->proto, IP_GET_IPPROTO(p)) == 0) {
>> SCLogDebug("proto didn't match");
>> continue;
>> }
>>
>> /* check the source & dst port in the sig */
>> if (p->proto == IPPROTO_TCP || p->proto == IPPROTO_UDP || p->proto == IPPROTO_SCTP) {
>> if (!(s->flags & SIG_FLAG_DP_ANY)) {
>> DetectPort *dport = DetectPortLookupGroup(s->dp,p->dp);
>> if (dport == NULL) {
>> SCLogDebug("dport didn't match.");
>> continue;
>> }
>> }
>> if (!(s->flags & SIG_FLAG_SP_ANY)) {
>> DetectPort *sport = DetectPortLookupGroup(s->sp,p->sp);
>> if (sport == NULL) {
>> SCLogDebug("sport didn't match.");
>> continue;
>> }
>> }
>> }
>>
>> IP_GET_IPPROTO() properly returns the protocol (17 for UDP), but the next check agains
>> p->proto does not work as p->proto is zero.
>>
>> It seems that p->proto should be set to IPPROTO_UDP in decode-udp.c::DecodeUDPPacket(),
>> but in my testing with only one recorded fragment in pcap format, we never get there
>> because the packet probably can't be reassembled.
>>
>> I'm still digging and adding debug printfs to understand the code better and see where the problem is
>> but I decided to share what I have so far in case some more familiar with the code has idea why this is happening.
>>
>> To me it seems like that the fragment is being processed instead of being dropped.
>>
>> Regards,
>> Nikolay
>>
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
More information about the Oisf-devel
mailing list