[Oisf-devel] Keyword (icmp_seq) not alerting
Victor Julien
victor at inliniac.net
Fri Jul 26 13:07:55 UTC 2013
On 07/26/2013 10:10 AM, Victor Julien wrote:
> On 07/25/2013 06:15 PM, Prabhakaran Kasinathan wrote:
>> Hi everyone,
>>
>> I tried to use a simple capture to check ICMP_SEQ keyword.
>>
>> Capture File:
>> http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=v6.pcap
>>
>> Pck no.152 has seq number: 768
>>
>> My rule was:
>> alert icmp any any -> any any (msg:\"check icmp seq \"; icmp_seq:768;
>> sid:7; rev:3;)
>>
>> ----
>> Results: No triggers.
>>
>> ------------------
>> I tried to change some code in detect-icmp-seq.c
>>
>> Diff:
>>
>> 125c125,128
>> < seqn = ICMPV6_GET_SEQ(p);
>> ---
>>> seqn = (ICMPV6_GET_SEQ(p));
>>> if (seqn == ntohs(iseq->seq)){
>>> return 1;
>>> }
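Review bot: the byte-order conversion added at line 125 sits only in the ICMPv6 branch, which implies `ICMPV6_GET_SEQ(p)` hands back the field in a different byte order than the ICMPv4 path that reaches the shared comparison below; if that is the case, the cleaner fix is to normalise inside the getter (or right after the assignment to `seqn`) so that both branches feed the single existing comparison in host order, instead of duplicating the `return 1` in one branch and wrapping the rule value `iseq->seq` in `ntohs()`.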
>> 135,137d137
>> <
>> < if (seqn == iseq->seq)
>> < return 1;
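Review bot: deleting the shared `if (seqn == iseq->seq) return 1;` at lines 135-137 removes the only match path for any branch other than the ICMPv6 one changed above; the ICMPv4 case that this shared check served now falls through to the no-match return, so `icmp_seq` rules on ICMPv4 traffic would stop alerting. Keep the shared comparison and fix the byte order before it.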
>> ------
>> Results:
>> Now it triggers 2 alerts as expected.
>> ----------------
>> 03/11/1999-14:46:04.776394 [**] [1:7:3] check icmp seq \ [**]
>> [Classification: (null)] [Priority: 3] {IPv6-ICMP}
>> 3ffe:0507:0000:0001:0260:97ff:fe07:69ea:129 ->
>> 3ffe:0507:0000:0001:0200:86ff:fe05:80da:0
>> 03/11/1999-14:46:04.776126 [**] [1:7:3] check icmp seq \ [**]
>> [Classification: (null)] [Priority: 3] {IPv6-ICMP}
>> 3ffe:0507:0000:0001:0200:86ff:fe05:80da:128 ->
>> 3ffe:0507:0000:0001:0260:97ff:fe07:69ea:0
>> -----------------
>>
>> Is this a fix to the problem ? or I understood in a wrong way ?
>
> Thanks for the report. I'm doing a slightly different fix. Tracking the
> issue in ticket 906: https://redmine.openinfosecfoundation.org/issues/906
>
Fixed in the new 1.4.5 release. Thanks!
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
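The failure mode in this thread, a packet field compared in one byte order against a rule value parsed in another, is easy to reproduce in isolation. The following C program is an added example and is not code from Suricata or from the poster's patch: the echo headers are constructed (the thread's pcap is not used), and `get_seq_raw`, `get_seq_host`, `match_seq_mismatched`, `match_seq_fixed` and `count_alerts` are hypothetical stand-ins for the getter macro, the rule struct and the match function in `detect-icmp-seq.c`. Two of the three sample packets carry seq 768, so a correct `icmp_seq:768` comparison yields the two alerts the poster expected, while the mismatched comparison yields none on a little-endian host.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

/* Minimal echo header view: type(1) code(1) checksum(2) id(2) seq(2).
 * Every multi-byte field is in network byte order, as on the wire. */
#define ICMP_ECHO_HDR_LEN 8

/* Constructed sample packets (not taken from the pcap in the thread), modelled on
 * the thread's case: an ICMPv6 echo request (type 128) and its reply (type 129)
 * both carrying seq 768 (0x0300), plus one request carrying seq 769 (0x0301). */
static const uint8_t pkt_v6_request_seq768[ICMP_ECHO_HDR_LEN] = {0x80, 0x00, 0x00, 0x00, 0x12, 0x34, 0x03, 0x00};
static const uint8_t pkt_v6_reply_seq768[ICMP_ECHO_HDR_LEN]   = {0x81, 0x00, 0x00, 0x00, 0x12, 0x34, 0x03, 0x00};
static const uint8_t pkt_v6_request_seq769[ICMP_ECHO_HDR_LEN] = {0x80, 0x00, 0x00, 0x00, 0x12, 0x34, 0x03, 0x01};

/* Hypothetical getter that copies the seq field without byte-order conversion,
 * standing in for a protocol branch that returns the field as it sits in memory. */
static uint16_t get_seq_raw(const uint8_t *hdr) {
    uint16_t v;
    memcpy(&v, hdr + 6, sizeof v);
    return v;
}

/* Corrected getter: always hand back host byte order. */
static uint16_t get_seq_host(const uint8_t *hdr) {
    return ntohs(get_seq_raw(hdr));
}

/* The rule option as a signature parser would store "icmp_seq:768": a host-order integer. */
typedef struct { uint16_t seq; } IcmpSeqRule;

/* Mismatched compare: raw network-order field against the host-order rule value.
 * On a little-endian host the bytes 0x03 0x00 read as 3, so icmp_seq:768 never matches. */
int match_seq_mismatched(const uint8_t *hdr, const IcmpSeqRule *rule) {
    return get_seq_raw(hdr) == rule->seq;
}

/* Corrected compare: normalise the packet field first, then compare in one byte order. */
int match_seq_fixed(const uint8_t *hdr, const IcmpSeqRule *rule) {
    return get_seq_host(hdr) == rule->seq;
}

/* Reports the host byte order so the mismatch result can be interpreted. */
int host_is_little_endian(void) {
    uint16_t probe = 1;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

/* Run one icmp_seq rule over the three sample packets with the given match
 * function and return the number of alerts it would raise. */
int count_alerts(int (*match)(const uint8_t *, const IcmpSeqRule *), uint16_t rule_seq) {
    const uint8_t *pkts[] = { pkt_v6_request_seq768, pkt_v6_reply_seq768, pkt_v6_request_seq769 };
    IcmpSeqRule rule = { rule_seq };
    int alerts = 0;
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++)
        alerts += match(pkts[i], &rule);
    return alerts;
}

int main(void) {
    printf("host is little-endian: %d\n", host_is_little_endian());
    printf("icmp_seq:768, mismatched compare: %d alerts\n", count_alerts(match_seq_mismatched, 768));
    printf("icmp_seq:768, fixed compare:      %d alerts\n", count_alerts(match_seq_fixed, 768));
    return 0;
}
```

The comparison itself is symmetric (`ntohs` is a byte swap, so swapping either side gives the same truth value), which is why the poster's patch appeared to work; the point of fixing it in the getter rather than in one branch's comparison is that every protocol branch then reaches the same comparison with `seqn` already in host order.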