[Oisf-devel] FPs with IPv4 more Fragment flag on suricata v121
Peter Manev
petermanev at gmail.com
Mon Jan 23 23:11:36 UTC 2012
Hi,
Suricata 1.2.1 behaves as expected - there are no alerts fired.
If you would like, you can share your yaml privately for further
investigation.
Thanks for your help
On Tue, Jan 24, 2012 at 12:45 AM, rmkml <rmkml at yahoo.fr> wrote:
> Hi,
> I'm curious about this attached pcap file on suricata v1.2.1, FP signature
> example:
> alert udp any any -> any 162 (msg:"suricata snmp trap udp"; dsize:0;
> classtype:attempted-recon; sid:9104192; rev:1;)
> another FP signature with same pcap:
> alert udp any any -> any 5060 (msg:"suricata sip udp"; dsize:0;
> classtype:misc-attack; sid:9104843; rev:1;)
> ...
> Can anyone check/confirm please? If yes, I'll open a new redmine ticket.
> No alert with snort.
>
> Tshark partial output:
> ...
> Internet Protocol Version 4, Src: 172.20.2.131 (172.20.2.131), Dst:
> 172.20.2.51 (172.20.2.51)
> Version: 4
> Header length: 20 bytes
> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00:
> Not-ECT (Not ECN-Capable Transport))
> Total Length: 1500
> Identification: 0x7709 (30473)
> Flags: 0x01 (More Fragments)
> 0... .... = Reserved bit: Not set
> .0.. .... = Don't fragment: Not set
> ..1. .... = More fragments: Set
> Fragment offset: 0
> Time to live: 128
> Protocol: UDP (17)
> Header checksum: 0x4129 [correct]
> Source: 172.20.2.131 (172.20.2.131)
> Destination: 172.20.2.51 (172.20.2.51)
> Data (1480 bytes)
> ...
>
> Happy Detect.
> Regards
> Rmkml
>
> http://twitter.com/rmkml
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
--
Peter Manev
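As an added example, not part of this thread and not Suricata's own code: the tshark dissection quoted above, rebuilt from its header fields, together with the check a rule author would want before a dsize comparison is applied to such a packet. The IP header of the first fragment (src, dst, id 0x7709, MF set, offset 0, TTL 128, total length 1500) is taken from the tshark output, and the recomputed header checksum comes out to the 0x4129 tshark reports; the second fragment, the UDP ports, the datagram length and the payload bytes are constructed assumptions, since the page only shows the first fragment's header. The parser, the fragment test and the minimal reassembler are all assumed helpers written for this illustration.

```python
import struct

SRC = bytes([172, 20, 2, 131])   # 172.20.2.131, from the tshark output
DST = bytes([172, 20, 2, 51])    # 172.20.2.51, from the tshark output
IP_ID = 0x7709                   # Identification field from the tshark output
UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, checksum field already zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_fragment(ident, mf, offset8, payload, src, dst, proto=UDP, ttl=128):
    """Build one IPv4 packet with a 20-byte header and no options. offset8 is in 8-byte units."""
    flags_frag = (0x2000 if mf else 0) | (offset8 & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, ttl, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    """Dissect the fields tshark printed above and verify the header checksum."""
    (ver_ihl, _dscp, total_len, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4,
        "total_length": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # in bytes
        "ttl": ttl,
        "proto": proto,
        "checksum": csum,
        "checksum_ok": ipv4_checksum(pkt[:10] + b"\x00\x00" + pkt[12:ihl]) == csum,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "data": pkt[ihl:total_len],
    }


def is_fragment(h):
    """MF set or a non-zero offset means this packet is one piece of a larger datagram."""
    return h["mf"] or h["frag_offset"] != 0


def udp_dsize_for_rule(pkt):
    """Payload size a dsize keyword should compare against, or None for a fragment:
    the UDP datagram is incomplete, so no dsize test (dsize:0 included) can be
    decided until the fragments have been reassembled."""
    h = parse_ipv4(pkt)
    if h["proto"] != UDP or is_fragment(h):
        return None
    udp_len = struct.unpack("!H", h["data"][4:6])[0]
    return udp_len - 8


def _ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def reassemble(fragments):
    """In-order reassembly of one datagram; rejects gaps, overlaps and a missing tail."""
    parsed = sorted((parse_ipv4(f) for f in fragments), key=lambda h: h["frag_offset"])
    if len({(h["src"], h["dst"], h["id"], h["proto"]) for h in parsed}) != 1:
        raise ValueError("fragments belong to different datagrams")
    data, expected = b"", 0
    for h in parsed:
        if h["frag_offset"] != expected:
            raise ValueError("gap or overlap at offset %d" % h["frag_offset"])
        data += h["data"]
        expected += len(h["data"])
    if parsed[-1]["mf"]:
        raise ValueError("last fragment still has MF set: datagram incomplete")
    first = parsed[0]
    return build_fragment(first["id"], False, 0, data, _ip_bytes(first["src"]),
                          _ip_bytes(first["dst"]), first["proto"], first["ttl"])


# Constructed sample (assumption): a 1580-byte UDP datagram to port 162, the port of
# the trap rule in the thread, split the way the capture shows its first piece:
# 1480 data bytes, MF set, offset 0. The second fragment and the payload are invented.
UDP_HEADER = struct.pack("!HHHH", 1024, 162, 8 + 1572, 0)   # sport, dport, length, csum
FRAG1 = build_fragment(IP_ID, True, 0, UDP_HEADER + b"A" * 1472, SRC, DST)
FRAG2 = build_fragment(IP_ID, False, 1480 // 8, b"A" * 100, SRC, DST)

if __name__ == "__main__":
    h = parse_ipv4(FRAG1)
    print("first fragment: total_length=%d id=0x%04x mf=%s offset=%d checksum=0x%04x ok=%s"
          % (h["total_length"], h["id"], h["mf"], h["frag_offset"], h["checksum"], h["checksum_ok"]))
    print("dsize seen on the raw fragment:", udp_dsize_for_rule(FRAG1))
    print("dsize after reassembly:", udp_dsize_for_rule(reassemble([FRAG2, FRAG1])))
```

The point for anyone chasing a dsize FP on a capture like this: the first fragment carries 1480 bytes of data, so a dsize:0 match on it cannot come from the fragment's own payload, and the real UDP payload length is only known once the datagram is put back together. Whether a given Suricata build defers that comparison until defrag is exactly what the pcap in the thread is meant to test; this script is only the reference for what the packet contains.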