[Oisf-devel] PACKET_ALERT_FLAG_STATE_MATCH

Carl Soeder csoeder at bbn.com
Fri Jan 18 21:14:12 UTC 2013


I'm writing an App Layer Module for DNS.

I want to detect anomalies in DNS UDP packets and set app-layer-events. I managed to get this (sort of) working. I added a rule to trigger on the DNS app-layer-event I added. And I fed suricata a packet that caused the DNS parser to set the event. Suricata generated an alert as expected. However, it also gave this warning:

	[2287] 18/1/2013 -- 15:35:02 - (stream.c:236) <Warning> (StreamSegmentForEach) -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - UDP is currently unsupported

The warning is caused because Unified2PacketTypeAlert thinks the packet is part of a stream. It thinks it's a stream because the PACKET_ALERT_FLAG_STATE_MATCH bit is set in the PacketAlert flags field. Here is the relevant line from alert-unified2-alert.c:

        ret = Unified2PacketTypeAlert(aun, p, event_id,
                pa->flags & (PACKET_ALERT_FLAG_STATE_MATCH|PACKET_ALERT_FLAG_STREAM_MATCH) ? 1 : 0);

If either the STATE_MATCH or STREAM_MATCH bit is set, Unified2PacketTypeAlert calls StreamSegmentForEach.

Should suricata be executing Unified2PacketTypeAlert for alerts triggered by app-layer-event?

Should PACKET_ALERT_FLAG_STATE_MATCH be set for DNS app-layer-event when it's triggered by a UDP packet?

Is there an example of an app-layer-event triggered by a UDP packet so I can trace its path?

Thanks.