[Oisf-devel] Keyword (icmp_seq) not alerting
Victor Julien
victor at inliniac.net
Fri Jul 26 08:10:40 UTC 2013
On 07/25/2013 06:15 PM, Prabhakaran Kasinathan wrote:
> Hi everyone,
>
> I tried to use a simple capture to check the ICMP_SEQ keyword.
>
> Capture File:
> http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=v6.pcap
>
> Pck no.152 has seq number: 768
>
> My rule was:
> alert icmp any any -> any any (msg:\"check icmp seq \"; icmp_seq:768;
> sid:7; rev:3;)
>
> ----
> Results: No triggers.
>
> ------------------
> I tried to change some code in detect-icmp-seq.c
>
> Diff:
>
> 125c125,128
> < seqn = ICMPV6_GET_SEQ(p);
> ---
>> seqn = (ICMPV6_GET_SEQ(p));
>> if (seqn == ntohs(iseq->seq)){
>> return 1;
>> }
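Review bot: the added parentheses in `seqn = (ICMPV6_GET_SEQ(p));` change nothing; the substantive change is the `ntohs(iseq->seq)` in the new comparison, which converts the rule's value rather than the packet's, so the match only succeeds because the two sides happen to be held in opposite byte orders. Convert the packet field where it is read, so that `seqn` is in host order for both the ICMPv4 and the ICMPv6 path, and leave the rule value as the parser stored it; that keeps a single comparison shared by both paths instead of an early `return 1;` special to ICMPv6.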
> 135,137d137
> <
> < if (seqn == iseq->seq)
> < return 1;
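Review bot: deleting lines 135-137 removes the shared `if (seqn == iseq->seq) return 1;` for every path that reached it, not only ICMPv6; unless the ICMPv4 branch has its own comparison (not visible in this diff), icmp_seq stops matching on ICMPv4 echo packets. Either keep the shared comparison and feed it a host-order `seqn` from both branches, or include the ICMPv4 branch in the diff so a reviewer can confirm it still returns a match.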
> ------
> Results:
> Now it triggers 2 alerts as expected.
> ----------------
> 03/11/1999-14:46:04.776394 [**] [1:7:3] check icmp seq \ [**]
> [Classification: (null)] [Priority: 3] {IPv6-ICMP}
> 3ffe:0507:0000:0001:0260:97ff:fe07:69ea:129 ->
> 3ffe:0507:0000:0001:0200:86ff:fe05:80da:0
> 03/11/1999-14:46:04.776126 [**] [1:7:3] check icmp seq \ [**]
> [Classification: (null)] [Priority: 3] {IPv6-ICMP}
> 3ffe:0507:0000:0001:0200:86ff:fe05:80da:128 ->
> 3ffe:0507:0000:0001:0260:97ff:fe07:69ea:0
> -----------------
>
> Is this a fix to the problem? Or did I understand it in a wrong way?
Thanks for the report. I'm doing a slightly different fix. Tracking the
issue in ticket 906: https://redmine.openinfosecfoundation.org/issues/906
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
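As an added illustration of the byte-order problem in the report above (this is not Suricata's code nor the patch from the mail; the header bytes, offsets and function names are assumptions chosen for the example), the sequence field of a constructed ICMPv6 echo header is read and compared with the rule value, once without and once with the network-to-host conversion.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

/* Constructed ICMPv6 echo request header (RFC 4443, 8 bytes):
 * type=128, code=0, checksum (placeholder), identifier=1,
 * sequence bytes 03 00 on the wire = 768, as in packet 152 of the report.
 * This sample is constructed for the example, not taken from the pcap. */
static const uint8_t icmp6_echo[8] = {
    0x80, 0x00, 0x12, 0x34, 0x00, 0x01, 0x03, 0x00
};

#define ICMPV6_SEQ_OFFSET 6   /* offset of the sequence field in the echo header */

/* Sequence field reinterpreted in host byte order without conversion.
 * On a little-endian host this reads 3 for the header above, not 768. */
static uint16_t seq_raw_host(const uint8_t *hdr)
{
    uint16_t v;
    memcpy(&v, hdr + ICMPV6_SEQ_OFFSET, sizeof v);
    return v;
}

/* Sequence field converted network -> host: 768 on any host. */
static uint16_t seq_from_wire(const uint8_t *hdr)
{
    return ntohs(seq_raw_host(hdr));
}

/* Keyword check without conversion: matches only where host order equals network order. */
static int icmp_seq_match_naive(const uint8_t *hdr, uint16_t rule_seq)
{
    return seq_raw_host(hdr) == rule_seq;
}

/* Keyword check with the conversion on the packet side, so the rule value
 * stays exactly as the rule author wrote it (icmp_seq:768). */
static int icmp_seq_match(const uint8_t *hdr, uint16_t rule_seq)
{
    return seq_from_wire(hdr) == rule_seq;
}

/* 1 if this host already stores integers in network (big-endian) order. */
static int host_is_big_endian(void)
{
    const uint16_t probe = 0x0100;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 0x01;
}
```

On a little-endian x86 host `icmp_seq_match_naive(icmp6_echo, 768)` returns 0 while `icmp_seq_match(icmp6_echo, 768)` returns 1, which is the "no triggers" symptom from the report; a rule written as `icmp_seq:3` would have matched the naive check by accident.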