[Oisf-devel] FPs with IPv4 more Fragment flag on suricata v121
rmkml
rmkml at yahoo.fr
Mon Jan 23 23:45:49 UTC 2012
Hi,
I'm curious about this attached pcap file on suricata v1.2.1; FP signature example:
alert udp any any -> any 162 (msg:"suricata snmp trap udp"; dsize:0; classtype:attempted-recon; sid:9104192; rev:1;)
another FP signature with same pcap:
alert udp any any -> any 5060 (msg:"suricata sip udp"; dsize:0; classtype:misc-attack; sid:9104843; rev:1;)
...
Can anyone check/confirm please? If yes, I'll open a new redmine ticket.
No alert with snort.
Tshark partial output:
...
Internet Protocol Version 4, Src: 172.20.2.131 (172.20.2.131), Dst: 172.20.2.51 (172.20.2.51)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
Total Length: 1500
Identification: 0x7709 (30473)
Flags: 0x01 (More Fragments)
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..1. .... = More fragments: Set
Fragment offset: 0
Time to live: 128
Protocol: UDP (17)
Header checksum: 0x4129 [correct]
Source: 172.20.2.131 (172.20.2.131)
Destination: 172.20.2.51 (172.20.2.51)
Data (1480 bytes)
...
Happy Detect.
Regards
Rmkml
http://twitter.com/rmkml
Attachment: exemple_ip_fragmented_udp_suricata.pcap (application/octet-stream, 1554 bytes)
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20120124/20b0cadd/attachment.obj>
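The report above concerns a `dsize:0` rule matching an IPv4 packet whose More Fragments bit is set, i.e. a first fragment that by itself carries no complete UDP datagram. The following is an added example, not code from the post or from Suricata, showing the defragmentation-aware evaluation a rule engine needs: fragments are keyed by (src, dst, id, proto), the datagram is only handed to the UDP layer once every fragment from offset 0 to the last (MF clear) one is present, and `dsize` is computed from the reassembled payload. The two fragments, the 2000-byte payload, the source port, and the `build_ipv4`/`Defragmenter`/`evaluate` names are all constructed here; the addresses, IP id 0x7709, the 1480-byte first fragment (total length 1500) and destination port 162 are taken from the post.

```python
import struct

IP_PROTO_UDP = 17
IP_FLAG_MF = 0x1  # "More Fragments" bit of the IPv4 flags field


def ip_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header (even length)."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4(payload: bytes, ident: int, mf: bool, offset: int,
               src=b"\xac\x14\x02\x83", dst=b"\xac\x14\x02\x33") -> bytes:
    """Constructed helper: one IPv4 packet (20-byte header, UDP) carrying
    `payload` at fragment `offset` (bytes, multiple of 8). Defaults are the
    172.20.2.131 -> 172.20.2.51 pair from the tshark output."""
    assert offset % 8 == 0
    flags_frag = ((IP_FLAG_MF if mf else 0) << 13) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 128, IP_PROTO_UDP, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Extract the header fields a defragmenter needs from a raw IPv4 packet."""
    (ver_ihl, _, total_len, ident, flags_frag, _, proto, _,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ident, "proto": proto, "src": src, "dst": dst,
            "mf": bool((flags_frag >> 13) & IP_FLAG_MF),
            "offset": (flags_frag & 0x1FFF) * 8,
            "payload": pkt[ihl:total_len]}


class Defragmenter:
    """Collect IPv4 fragments; return (proto, datagram) only once complete."""

    def __init__(self):
        self.pending = {}

    def feed(self, pkt: bytes):
        h = parse_ipv4(pkt)
        if not h["mf"] and h["offset"] == 0:
            return h["proto"], h["payload"]          # not fragmented at all
        key = (h["src"], h["dst"], h["id"], h["proto"])
        entry = self.pending.setdefault(key, {"parts": {}, "end": None})
        entry["parts"][h["offset"]] = h["payload"]
        if not h["mf"]:                              # last fragment fixes total size
            entry["end"] = h["offset"] + len(h["payload"])
        if entry["end"] is None:
            return None
        data, pos = b"", 0
        for off in sorted(entry["parts"]):           # require gap-free, non-overlapping
            if off != pos:
                return None
            data += entry["parts"][off]
            pos += len(entry["parts"][off])
        if pos != entry["end"]:
            return None
        del self.pending[key]
        return h["proto"], data


def udp_dport_and_dsize(datagram: bytes):
    """(dst port, application payload length) from a complete UDP datagram."""
    if len(datagram) < 8:
        return None
    _, dport, ulen, _ = struct.unpack("!HHHH", datagram[:8])
    return dport, min(ulen, len(datagram)) - 8


def evaluate(packets):
    """Return the (dport, dsize) pairs a rule engine should match against.
    A lone first fragment yields nothing, so `dsize:0` cannot fire on it."""
    defrag, results = Defragmenter(), []
    for pkt in packets:
        out = defrag.feed(pkt)
        if out and out[0] == IP_PROTO_UDP:
            results.append(udp_dport_and_dsize(out[1]))
    return results


# Constructed sample: a 2000-byte UDP payload to port 162, split into a
# 1480-byte first fragment (MF set, offset 0, total length 1500, as in the
# tshark output) and a 528-byte last fragment.
APP = b"\xaa" * 2000
UDP = struct.pack("!HHHH", 40000, 162, 8 + len(APP), 0) + APP
FRAG1 = build_ipv4(UDP[:1480], 0x7709, mf=True, offset=0)
FRAG2 = build_ipv4(UDP[1480:], 0x7709, mf=False, offset=1480)

if __name__ == "__main__":
    print("first fragment only:", evaluate([FRAG1]))      # []
    print("both fragments:", evaluate([FRAG1, FRAG2]))    # [(162, 2000)]
    print("reordered:", evaluate([FRAG2, FRAG1]))         # [(162, 2000)]
```

Feeding only `FRAG1` (the situation in the attached single-packet capture) produces no datagram for the rule engine, so neither of the `dsize:0` rules quoted above can match; feeding both fragments, in either order, yields port 162 with a 2000-byte payload. Overlapping fragments are simply never reassembled here; a production defragmenter needs an explicit overlap policy per target OS, which is out of scope for this illustration.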