[Oisf-devel] PACKET_ALERT_FLAG_STATE_MATCH
Victor Julien
victor at inliniac.net
Mon Jan 21 10:51:48 UTC 2013
On 01/18/2013 10:14 PM, Carl Soeder wrote:
> I'm writing an App Layer Module for DNS.
>
> I want to detect anomalies in DNS UDP packets and set app-layer-events. I managed to get this (sort of) working. I added a rule to trigger on the DNS app-layer-event I added. And I fed suricata a packet that caused the DNS parser to set the event. Suricata generated an alert as expected. However, it also gave this warning:
>
> [2287] 18/1/2013 -- 15:35:02 - (stream.c:236) <Warning> (StreamSegmentForEach) -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - UDP is currently unsupported
>
> The warning is caused because Unified2PacketTypeAlert thinks the packet is part of a stream. It thinks it's a stream because the PACKET_ALERT_FLAG_STATE_MATCH bit is set in the PacketAlert flags field. Here is the relevant line from alert-unified2-alert.c:
>
> ret = Unified2PacketTypeAlert(aun, p, event_id,
> pa->flags & (PACKET_ALERT_FLAG_STATE_MATCH|PACKET_ALERT_FLAG_STREAM_MATCH) ? 1 : 0);
>
> If either the STATE_MATCH or STREAM_MATCH bit is set, Unified2PacketTypeAlert calls StreamSegmentForEach.
>
> Should suricata be executing Unified2PacketTypeAlert for an alert triggered by an app-layer-event?
>
> Should PACKET_ALERT_FLAG_STATE_MATCH be set for a DNS app-layer-event when it's triggered by a UDP packet?
I think it should ya, if the alert was triggered on the state. We should
not call the TCP only StreamSegmentForEach though. That seems like a bug
to me.
> Is there an example of an app-layer-event triggered by a UDP packet so I can trace its path?
The easiest way may be to add support for "app-layer-events" and alert
on packet anomalies. Most other app-layer-*c modules do this.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
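The following is an added, stand-alone illustration of the decision discussed in this thread; it is not Suricata's code. The types, flag values, the `StreamSegmentForEachStub` and the `RunCase` helper are all constructed here so the logic can be exercised offline. It puts the quoted flag-only test (a STATE_MATCH or STREAM_MATCH bit selects the stream-logging path) next to a guarded version that also requires the packet to be TCP before the TCP-only segment walker is entered, and counts how often a UDP packet reaches that walker.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the Suricata types and flag bits named in the
 * thread; the values are arbitrary and this is not the project's own code. */
#define PACKET_ALERT_FLAG_STATE_MATCH  0x01
#define PACKET_ALERT_FLAG_STREAM_MATCH 0x02

enum { PROTO_TCP = 6, PROTO_UDP = 17 };   /* IP protocol numbers */

typedef struct { uint8_t flags; } PacketAlert;
typedef struct { uint8_t proto; } Packet;

/* Observable outcome of one logging decision. */
typedef struct {
    int segment_walks;   /* times the TCP stream walker actually ran */
    int udp_warnings;    /* times it was entered with a non-TCP packet */
} LogOutcome;

/* Hypothetical stand-in for StreamSegmentForEach: it only knows TCP, so a
 * UDP packet reaching it corresponds to the "UDP is currently unsupported"
 * warning quoted above. */
static void StreamSegmentForEachStub(const Packet *p, LogOutcome *out) {
    if (p->proto != PROTO_TCP) {
        out->udp_warnings++;
        return;
    }
    out->segment_walks++;
}

/* Decision as quoted in the thread: a state or stream match alone selects
 * the stream-logging path, whatever the transport protocol is. */
static void LogAlertOriginal(const Packet *p, const PacketAlert *pa, LogOutcome *out) {
    int stream = pa->flags & (PACKET_ALERT_FLAG_STATE_MATCH | PACKET_ALERT_FLAG_STREAM_MATCH) ? 1 : 0;
    if (stream)
        StreamSegmentForEachStub(p, out);
    /* else: plain per-packet logging, nothing to count here */
}

/* Guarded decision: the flag keeps its meaning (the alert matched on state),
 * but the TCP-only walker is entered only for TCP packets. */
static void LogAlertGuarded(const Packet *p, const PacketAlert *pa, LogOutcome *out) {
    int stream = pa->flags & (PACKET_ALERT_FLAG_STATE_MATCH | PACKET_ALERT_FLAG_STREAM_MATCH) ? 1 : 0;
    if (stream && p->proto == PROTO_TCP)
        StreamSegmentForEachStub(p, out);
}

/* Run one constructed alert (proto, flags) through either decision function
 * and return the outcome so it can be checked. */
LogOutcome RunCase(uint8_t proto, uint8_t flags, int guarded) {
    Packet p = { proto };
    PacketAlert pa = { flags };
    LogOutcome out = { 0, 0 };
    if (guarded)
        LogAlertGuarded(&p, &pa, &out);
    else
        LogAlertOriginal(&p, &pa, &out);
    return out;
}

int main(void) {
    /* The thread's case: DNS app-layer-event on UDP with STATE_MATCH set. */
    LogOutcome before = RunCase(PROTO_UDP, PACKET_ALERT_FLAG_STATE_MATCH, 0);
    LogOutcome after  = RunCase(PROTO_UDP, PACKET_ALERT_FLAG_STATE_MATCH, 1);
    printf("UDP state-match, original: %d UDP warning(s)\n", before.udp_warnings);
    printf("UDP state-match, guarded : %d UDP warning(s)\n", after.udp_warnings);

    /* TCP alerts still have their segments walked either way. */
    LogOutcome tcp = RunCase(PROTO_TCP, PACKET_ALERT_FLAG_STREAM_MATCH, 1);
    printf("TCP stream-match, guarded: %d segment walk(s)\n", tcp.segment_walks);
    return 0;
}
```

The point of the guard is that it leaves PACKET_ALERT_FLAG_STATE_MATCH untouched for UDP alerts, so the flag still records that the match came from app-layer state; only the transport-specific reassembly walk is made conditional on the protocol.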