[Oisf-devel] Keyword (icmp_seq) not alerting
Prabhakaran Kasinathan
prabhakaran1989 at gmail.com
Thu Jul 25 16:15:29 UTC 2013
Hi everyone,
I tried to use a simple capture to check the icmp_seq keyword.
Capture File:
http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=v6.pcap
Packet no. 152 has seq number 768.
My rule was:
alert icmp any any -> any any (msg:\"check icmp seq \"; icmp_seq:768;
sid:7; rev:3;)
----
Results: No triggers.
------------------
I tried to change some code in detect-icmp-seq.c
Diff:
125c125,128
< seqn = ICMPV6_GET_SEQ(p);
---
> seqn = (ICMPV6_GET_SEQ(p));
> if (seqn == ntohs(iseq->seq)){
> return 1;
> }
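Review bot: the byte-order conversion added in this hunk is applied only on the IPv6 branch, yet the mismatch it corrects is between how iseq->seq is stored at rule-parse time and what the getter returns, which is a per-rule property, not a per-address-family one. Normalize once, either by storing the parsed value in host order or by converting where seqn is assigned, so every family compares the same way, and drop the extra parentheses in `seqn = (ICMPV6_GET_SEQ(p));`, which add nothing over the original assignment.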
135,137d137
<
< if (seqn == iseq->seq)
< return 1;
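Review bot: deleting the shared `if (seqn == iseq->seq) return 1;` removes the only return-match path for every case that is not the IPv6 branch changed above, so any packet that previously matched through this comparison (the non-IPv6 case) can no longer alert at all. Keep the shared comparison and put the byte-order fix on the value it compares, rather than replacing it with a branch-local check.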
------
Results:
Now it triggers 2 alerts as expected.
----------------
03/11/1999-14:46:04.776394 [**] [1:7:3] check icmp seq \ [**]
[Classification: (null)] [Priority: 3] {IPv6-ICMP}
3ffe:0507:0000:0001:0260:97ff:fe07:69ea:129 ->
3ffe:0507:0000:0001:0200:86ff:fe05:80da:0
03/11/1999-14:46:04.776126 [**] [1:7:3] check icmp seq \ [**]
[Classification: (null)] [Priority: 3] {IPv6-ICMP}
3ffe:0507:0000:0001:0200:86ff:fe05:80da:128 ->
3ffe:0507:0000:0001:0260:97ff:fe07:69ea:0
-----------------
Is this a fix for the problem? Or have I understood it in a wrong way?
--
Best Regards,
Prabhakaran Kasinathan
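The behaviour described in this thread (a rule value of 768 failing to match the packet's sequence field until an ntohs() was added) comes down to comparing a 16-bit field still in network byte order against a value held in host order. The C below is an added illustration, not code from the post or from Suricata: it builds a constructed ICMPv6 echo-request header carrying sequence 768 (0x0300), reads the field once as raw wire bytes and once converted to host order, and shows that only the host-order comparison matches on both endiannesses. The header bytes, the checksum placeholder and the function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Constructed ICMPv6 echo-request header (8 bytes), not taken from the
 * pcap in the post: type 128, code 0, placeholder checksum, identifier
 * 0x1234, sequence 768 (0x0300) in network (big-endian) byte order. */
static const uint8_t echo_req[8] = {
    0x80, 0x00,   /* type 128 (echo request), code 0 */
    0xab, 0xcd,   /* checksum: placeholder, not verified here */
    0x12, 0x34,   /* identifier 0x1234 */
    0x03, 0x00    /* sequence 768, network order */
};

/* Return the sequence field exactly as it sits in memory. This mimics a
 * getter that hands back the raw wire value without conversion. */
uint16_t seq_raw(const uint8_t *hdr) {
    uint16_t v;
    memcpy(&v, hdr + 6, sizeof v);
    return v;
}

/* Return the sequence field converted to host byte order. On a big-endian
 * host ntohs() is the identity; on a little-endian host it swaps the bytes. */
uint16_t seq_host(const uint8_t *hdr) {
    return ntohs(seq_raw(hdr));
}

/* Correct comparison: both sides in host order. */
int icmp_seq_match(const uint8_t *hdr, uint16_t rule_seq) {
    return seq_host(hdr) == rule_seq;
}

/* Broken comparison: raw wire value against a host-order rule value.
 * Matches only when the host happens to be big-endian. */
int icmp_seq_match_raw(const uint8_t *hdr, uint16_t rule_seq) {
    return seq_raw(hdr) == rule_seq;
}

int main(void) {
    uint16_t rule_seq = 768;  /* the value the rule in the post used */
    printf("raw field value : %u\n", seq_raw(echo_req));
    printf("host-order value: %u\n", seq_host(echo_req));
    printf("raw compare     : %s\n", icmp_seq_match_raw(echo_req, rule_seq) ? "match" : "no match");
    printf("host compare    : %s\n", icmp_seq_match(echo_req, rule_seq) ? "match" : "no match");
    return 0;
}
```

On a little-endian x86 host the raw read yields 3 (0x0003) rather than 768, which is exactly the kind of silent non-match the original rule produced; doing the conversion once, at the point where the field is read or where the rule value is parsed, keeps every address family on the same footing.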