[Oisf-devel] FP on IP frag and sig use udp port 0 ?
Victor Julien
victor at inliniac.net
Wed Jul 3 11:20:24 UTC 2013
On 05/21/2013 10:47 AM, Anoop Saldanha wrote:
> On Tue, May 21, 2013 at 2:01 PM, Victor Julien <victor at inliniac.net> wrote:
>> On 05/08/2013 12:04 PM, Anoop Saldanha wrote:
>>> On Wed, May 8, 2013 at 5:27 AM, rmkml <rmkml at yahoo.fr> wrote:
>>>> Hi,
>>>>
>>>> I'm curious if anyone can confirm this please?
>>>> (if yes I'll open a new redmine ticket)
>>>>
>>>> ok, testing Suricata with the attached pcap file, which contains one IP fragmented packet
>>>> without a UDP layer, like this (tshark output):
>>>>
>>>> ...
>>>> Internet Protocol Version 4, Src: 192.168.1.2 (192.168.1.2), Dst:
>>>> 192.168.1.1 (192.168.1.1)
>>>> Version: 4
>>>> Header length: 20 bytes
>>>> Differentiated Services Field: 0x00
>>>> 0000 00.. = Default (0x00)
>>>> .... ..00 = Not-ECT (Not ECN-Capable Transport) (0x00)
>>>> Total Length: 1500
>>>> Identification: 0x1061 (4193)
>>>> Flags: 0x01 (More Fragments)
>>>> 0... .... = Reserved bit: Not set
>>>> .0.. .... = Don't fragment: Not set
>>>> ..1. .... = More fragments: Set
>>>> Fragment offset: 1480
>>>> Time to live: 64
>>>> Protocol: UDP (17)
>>>> Header checksum: 0xc0a3 [correct]
>>>> [Good: True]
>>>> [Bad: False]
>>>> Source: 192.168.1.2 (192.168.1.2)
>>>> Destination: 192.168.1.1 (192.168.1.1)
>>>> Data (1480 bytes)
>>>> 0000 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
>>>> ...
>>>>
>>>> Testing with this simple, very old sig:
>>>> alert udp any any <> any 0 (msg:"BAD-TRAFFIC udp port 0 traffic";
>>>> classtype:misc-activity; sid:525; rev:1;)
>>>>
>>>> produces a Suricata FP alert:
>>>> 05/06/2013-23:49:28.176296 [**] [1:525:1] BAD-TRAFFIC udp port 0 traffic
>>>> [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.1.2:0 ->
>>>> 192.168.1.1:0
>>>>
>>>> Of course Snort does not fire.
>>>>
>>>
>>> Seems right to me.
>>>
>>> We treat it as an ip only sig; the upper layer protocol is
>>> determined from the ip packet.
>>>
>>
>> Don't think I agree. The packet is a fragment without the actual UDP
>> layer. So we have no UDP port info for the packet and thus we can't say
>> port 0 matched.
>>
>
> Right. I overlooked the port part.
>
Opened #846 and #847 for this.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
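The point Victor makes above, that a non-first IP fragment carries no UDP header and therefore no port to match, can be shown with a small parser. The following is an added example written for this archive page; it is not Suricata code and not from any of the posters. It builds a packet modelled on the tshark output in the thread (192.168.1.2 -> 192.168.1.1, id 0x1061, MF set, offset 1480, proto 17, 1480 bytes of 'A'; the header checksum comes out to 0xc0a3 as shown there), then contrasts a naive port-0 check that silently defaults missing ports to 0 with one that refuses to report ports unless a UDP header can actually be present. The function names, the `UDP_PORT0` control packet and the `port0_rule_*` helpers are constructed for the illustration.

```python
"""Decide whether a UDP port rule can match an IPv4 packet.

A fragment with a non-zero offset (MF set, offset 1480, proto 17) is a
continuation: its payload is application data, not a UDP header, so a rule
such as "alert udp any any <> any 0" has no port information to match.
Illustrative code, not Suricata's own parser.
"""
import socket
import struct

IPPROTO_UDP = 17
IP_MF = 0x2000  # "more fragments" bit in the flags/fragment-offset word


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, ident, more_fragments, frag_offset_bytes, payload, ttl=64):
    """Build a minimal IPv4 packet (20-byte header, no options) with a valid checksum."""
    assert frag_offset_bytes % 8 == 0, "fragment offsets are in 8-byte units"
    flags_off = (IP_MF if more_fragments else 0) | (frag_offset_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Extract the header fields that decide whether a transport header is present."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_off, ttl, proto, csum = struct.unpack("!HHHBBH", pkt[2:12])
    return {
        "src": socket.inet_ntoa(pkt[12:16]),
        "dst": socket.inet_ntoa(pkt[16:20]),
        "proto": proto,
        "ident": ident,
        "more_fragments": bool(flags_off & IP_MF),
        "frag_offset": (flags_off & 0x1FFF) * 8,  # back to bytes
        "checksum": csum,
        "payload": pkt[ihl:total_len],
    }


def udp_ports(fields: dict):
    """Return (sport, dport) only when a UDP header can really be in this packet.

    Non-first fragments (offset != 0) and payloads shorter than a UDP header
    yield None: there is simply no port information to report.
    """
    if fields["proto"] != IPPROTO_UDP or fields["frag_offset"] != 0:
        return None
    if len(fields["payload"]) < 8:
        return None
    return struct.unpack("!HH", fields["payload"][:4])


def port0_rule_naive(pkt: bytes) -> bool:
    """Mimics the reported false positive: absent ports are treated as 0:0."""
    f = parse_ipv4(pkt)
    if f["proto"] != IPPROTO_UDP:
        return False
    ports = udp_ports(f) or (0, 0)  # missing ports silently become port 0
    return 0 in ports


def port0_rule_correct(pkt: bytes) -> bool:
    """Matches only when a real UDP header supplied port 0 on either side."""
    ports = udp_ports(parse_ipv4(pkt))
    return ports is not None and 0 in ports


# Constructed packet modelled on the thread's tshark output: non-first
# fragment (offset 1480, MF set), protocol 17, 1480 bytes of 'A'.
FRAGMENT = build_ipv4("192.168.1.2", "192.168.1.1", IPPROTO_UDP, 0x1061,
                      True, 1480, b"A" * 1480)

# Constructed control case: an unfragmented UDP datagram that really has dport 0.
UDP_PORT0 = build_ipv4("192.168.1.2", "192.168.1.1", IPPROTO_UDP, 0x1062,
                       False, 0, struct.pack("!HHHH", 5353, 0, 12, 0) + b"data")

if __name__ == "__main__":
    for name, pkt in (("fragment", FRAGMENT), ("udp dport 0", UDP_PORT0)):
        print(f"{name}: naive={port0_rule_naive(pkt)} correct={port0_rule_correct(pkt)}")
```

Running it shows the naive check firing on the fragment while the corrected one only fires on the datagram that actually carries a UDP header with port 0; the same offset check is what a fragment-aware engine has to apply before any port-based rule (or any flow lookup keyed on ports) is evaluated against a non-first fragment.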