[Oisf-devel] FPs with IPv4 more Fragment flag on suricata v121
Peter Manev
petermanev at gmail.com
Wed Jan 25 14:14:38 UTC 2012
Hi,
What are the values for EXT and HOME nets in your yaml configuration (you
can mail me privately if you would like)?
Thanks
On Tue, Jan 24, 2012 at 10:10 PM, rmkml <rmkml at yahoo.fr> wrote:
> Hi Peter,
> You are right, I have missed these rules: (partial/special emerging
> threats with my pcap example)
>
> alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"GPL EXPLOIT ntpdx
> overflow attempt"; dsize:>128; classtype:attempted-admin;
> reference:bugtraq,2540; reference:cve,2001-0414; sid:2100312; rev:7;)
> alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP SNMP trap
> Format String detected"; content:"%s"; classtype:attempted-recon;
> reference:bugtraq,16267; reference:cve,2006-0250; reference:url,
> www.osvdb.org/displayvuln.php?osvdb_id=22493; sid:100000227; rev:2;)
> alert udp $EXTERNAL_NET any -> $HOME_NET 27777 (msg:"GPL GAMES Amp II 3D
> Game Server Denial of Service Empty UDP Packet"; dsize:0;
> classtype:attempted-dos; reference:bugtraq,12192; sid:100000104; rev:2;)
> alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"GPL EXPLOIT EXPLOIT
> SIP UDP spoof attempt"; content:"|3B|branch|3D 30 30 30 30 30 30 30 30 30
> 30 30 30 30 30 30 0A|"; nocase; classtype:attempted-dos;
> reference:bugtraq,14174; reference:cve,2005-2182; reference:url,
> www.osvdb.org/displayvuln.php?osvdb_id=17838; sid:100000180; rev:1;)
> alert udp $EXTERNAL_NET any -> $HOME_NET 7649 (msg:"GPL GAMES Breed Game
> Server Denial of Service Empty UDP Packet"; dsize:0;
> classtype:attempted-dos; reference:bugtraq,12262; sid:100000103; rev:2;)
>
> can you retest with all rules please?
> Regards
> Rmkml
>
>
>
>
> On Tue, 24 Jan 2012, Peter Manev wrote:
>
>> Hi,
>> Suricata 1.2.1 behaves as expected - there are no alerts fired.
>> If you would like, you can share your yaml privately for further
>> investigation.
>>
>> Thanks for your help
>>
>> On Tue, Jan 24, 2012 at 12:45 AM, rmkml <rmkml at yahoo.fr> wrote:
>> Hi,
>> I'm curious about this attached pcap file on suricata v1.2.1, FP
>> signature example:
>> alert udp any any -> any 162 (msg:"suricata snmp trap udp";
>> dsize:0; classtype:attempted-recon; sid:9104192; rev:1;)
>> another FP signature with same pcap:
>> alert udp any any -> any 5060 (msg:"suricata sip udp "; dsize:0;
>> classtype:misc-attack; sid:9104843; rev:1; )
>> ...
>> Can anyone check/confirm please? If yes, I'll open a new redmine ticket.
>> No alert with snort.
>>
>> Tshark partial output:
>> ...
>> Internet Protocol Version 4, Src: 172.20.2.131 (172.20.2.131), Dst:
>> 172.20.2.51 (172.20.2.51)
>> Version: 4
>> Header length: 20 bytes
>> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00:
>> Not-ECT (Not ECN-Capable Transport))
>> Total Length: 1500
>> Identification: 0x7709 (30473)
>> Flags: 0x01 (More Fragments)
>> 0... .... = Reserved bit: Not set
>> .0.. .... = Don't fragment: Not set
>> ..1. .... = More fragments: Set
>> Fragment offset: 0
>> Time to live: 128
>> Protocol: UDP (17)
>> Header checksum: 0x4129 [correct]
>> Source: 172.20.2.131 (172.20.2.131)
>> Destination: 172.20.2.51 (172.20.2.51)
>> Data (1480 bytes)
>> ...
>>
>> Happy Detect.
>> Regards
>> Rmkml
>>
>> http://twitter.com/rmkml
>> _______________________________________________
>> Oisf-devel mailing list
>> Oisf-devel at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>>
>>
>>
>>
>> --
>> Peter Manev
>>
>>
--
Peter Manev
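The report above is that a `dsize:0` rule fires on a UDP datagram whose first fragment (MF set, offset 0, 1480 bytes of data, as in the quoted tshark output) was captured. The following added example, not code from the thread or from Suricata, rebuilds that exact IPv4 header from the quoted fields (its checksum comes out to the 0x4129 tshark reported as correct), parses the fragment flags, and shows why `dsize` only makes sense on the reassembled datagram: the first fragment carries the UDP header, a non-first fragment carries no ports at all, and the per-fragment payload sizes differ from the reassembled one. The second fragment, the source port and the application data are constructed for the demonstration.

```python
import struct
# Constructed IPv4 header reproducing the tshark fields quoted in the thread: IHL 5,
# length 1500, ID 0x7709, MF set, offset 0, TTL 128, UDP, 172.20.2.131 -> 172.20.2.51.
FIRST_HDR = bytes.fromhex("450005dc7709200080114129ac140283ac140233")

def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement sum, with the checksum field itself taken as zero."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr[:10] + b"\0\0" + hdr[12:]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(total_len, ident, flags_frag, src, dst, ttl=128, proto=17):
    """20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                      ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def parse_ipv4(pkt: bytes) -> dict:
    """Fields that decide fragment handling: MF is bit 0x2000, offset is in 8-byte units."""
    ver_ihl, _, tlen, ident, ff, _, proto, csum = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ident, "mf": bool(ff & 0x2000), "offset": (ff & 0x1FFF) * 8,
            "proto": proto, "csum_ok": csum == ipv4_checksum(pkt[:ihl]),
            "payload": pkt[ihl:tlen]}

def reassemble(frags: list) -> bytes:
    """Join one datagram's fragments in offset order; reject gaps, overlaps, missing tail."""
    data = b""
    for f in sorted(frags, key=lambda f: f["offset"]):
        if f["offset"] != len(data):
            raise ValueError("gap or overlap at offset %d" % f["offset"])
        data += f["payload"]
    if f["mf"]:
        raise ValueError("final fragment (MF clear) not seen")
    return data

def udp_dsize(ip_payload: bytes) -> int:
    return len(ip_payload) - 8  # what dsize compares: IP payload minus the 8-byte UDP header

def demo() -> dict:
    """Two constructed fragments (1480 + 120 bytes) of one UDP datagram to port 162."""
    src, dst = bytes([172, 20, 2, 131]), bytes([172, 20, 2, 51])
    udp = struct.pack("!HHHH", 40000, 162, 8 + 1592, 0) + b"\xaa" * 1592
    frag1 = build_ipv4(20 + 1480, 0x7709, 0x2000, src, dst) + udp[:1480]   # MF set
    frag2 = build_ipv4(20 + 120, 0x7709, 1480 // 8, src, dst) + udp[1480:]  # MF clear
    f1, f2 = parse_ipv4(frag1), parse_ipv4(frag2)
    return {"frag1_dsize": udp_dsize(f1["payload"]),    # 1472: UDP header is in frag1
            "frag2_has_ports": f2["offset"] == 0,       # False: no UDP header to match
            "reassembled_dsize": udp_dsize(reassemble([f2, f1]))}  # 1592
```

A payload check evaluated on either fragment alone gives a different answer than on the reassembled datagram, which is why an engine must defragment before matching `dsize` or `content` on port-based UDP rules.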