[Oisf-devel] ip_proto:58 and dsize:0 cause FP on Suricata v1.4.1
Victor Julien
victor at inliniac.net
Wed Mar 20 15:30:38 UTC 2013
On 03/13/2013 10:27 PM, rmkml wrote:
> Hi,
>
> I'm continuing my Suricata testing and I have created this sig:
>
> alert ip any any -> any any (msg:"ip_proto:58 and dsize:0";
> ip_proto:58; dsize:0; sid:1; rev:1; )
>
> Why does Suricata v1.4.1 fire with the attached pcap file, please?
>
> Tcpdump output:
> 09:59:35.724983 IP6 (hlim 255, next-header ICMPv6 (58) payload length:
> 8) fe80::8ac6:63ff:feb9:de9a > ff02::2: ICMP6, router solicitation,
> length 8
>
> Tshark output:
> ...
> Internet Protocol Version 6, Src: fe80::8ac6:63ff:feb9:de9a, Dst: ff02::2
> 0110 .... = Version: 6
> Payload length: 8
> Next header: ICMPv6 (58)
> Hop limit: 255
> Internet Control Message Protocol v6
> Type: Router Solicitation (133)
> Code: 0
> Checksum: 0xb11c [correct]
> Reserved: 00000000
>
> Snort does not fire.
>
> If you confirm, I open a new redmine ticket.
I'm not convinced this is a bug. Looking at
http://tools.ietf.org/html/rfc4861, section 4.1, I think the reserved
field is part of the header. Which means dsize:0 should match, as there
is no payload, just header.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
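As an added illustration of the point above (this is not code from the thread, from Suricata or from Snort), the script below rebuilds the Router Solicitation from the tcpdump/tshark output, verifies its ICMPv6 checksum, and reports how many bytes are left once the 8-byte ICMPv6 header (type, code, checksum, reserved; RFC 4861 section 4.1) is taken as header rather than payload. Under that reading the bare RS leaves 0 bytes, which is what dsize:0 matches. The assumption that dsize is "payload length minus that fixed header" is exactly the interpretation under discussion, not a statement about either engine's decoder; the second packet, an RS carrying a source link-layer address option, and the MAC address in it are constructed for the example.

```python
import ipaddress
import struct

ICMPV6 = 58
ICMPV6_HEADER_LEN = 8   # type(1) + code(1) + checksum(2) + reserved(4): RFC 4861 section 4.1
ND_ROUTER_SOLICIT = 133


def icmpv6_checksum(src: bytes, dst: bytes, msg: bytes) -> int:
    """RFC 4443 section 2.3: one's-complement sum over the IPv6 pseudo-header
    (src, dst, upper-layer length, 3 zero bytes, next header) followed by the
    ICMPv6 message with its checksum field taken as zero."""
    pseudo = src + dst + struct.pack("!I", len(msg)) + b"\x00\x00\x00" + bytes([ICMPV6])
    data = pseudo + msg[:2] + b"\x00\x00" + msg[4:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_router_solicitation(src: str, dst: str, options: bytes = b"", hlim: int = 255) -> bytes:
    """Constructed IPv6 + ICMPv6 Router Solicitation: type 133, code 0,
    4 reserved bytes, then any ND options, with the checksum filled in."""
    s, d = ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed
    msg = struct.pack("!BBH4s", ND_ROUTER_SOLICIT, 0, 0, b"\x00" * 4) + options
    csum = icmpv6_checksum(s, d, msg)
    msg = msg[:2] + struct.pack("!H", csum) + msg[4:]
    ip6 = struct.pack("!IHBB", 6 << 28, len(msg), ICMPV6, hlim) + s + d
    return ip6 + msg


def parse_ipv6_icmpv6(pkt: bytes) -> dict:
    """Decode the fixed IPv6 header and the 8-byte ICMPv6 header.
    'dsize' here is the number of bytes after that fixed ICMPv6 header,
    i.e. the reading under which the reserved field is header, not payload
    (an assumption for this example, not either engine's decoder)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    plen, nh, hlim = struct.unpack("!HBB", pkt[4:8])
    src, dst = pkt[8:24], pkt[24:40]
    if nh != ICMPV6:
        raise ValueError("next header %d is not ICMPv6" % nh)
    msg = pkt[40:40 + plen]
    if len(msg) != plen or plen < ICMPV6_HEADER_LEN:
        raise ValueError("truncated ICMPv6 message")
    type_, code, csum = struct.unpack("!BBH", msg[:4])
    return {
        "src": str(ipaddress.IPv6Address(src)),
        "dst": str(ipaddress.IPv6Address(dst)),
        "hlim": hlim,
        "payload_length": plen,
        "type": type_,
        "code": code,
        "checksum": csum,
        "checksum_ok": icmpv6_checksum(src, dst, msg) == csum,
        "dsize": plen - ICMPV6_HEADER_LEN,
    }


# Rebuilt from the tcpdump/tshark output in the thread: RS with no options,
# payload length 8, hop limit 255. Its checksum should come out as 0xb11c.
RS_BARE = build_router_solicitation("fe80::8ac6:63ff:feb9:de9a", "ff02::2")

# Constructed variant: the same RS with a source link-layer address option
# (type 1, length 1 = 8 octets, RFC 4861 section 4.6.1); the MAC is assumed.
RS_WITH_SLLA = build_router_solicitation(
    "fe80::8ac6:63ff:feb9:de9a", "ff02::2",
    options=bytes([1, 1]) + bytes.fromhex("88c663b9de9a"))

if __name__ == "__main__":
    for name, pkt in (("bare RS", RS_BARE), ("RS + SLLA option", RS_WITH_SLLA)):
        print(name, parse_ipv6_icmpv6(pkt))
```

For the bare RS the checksum verifies as 0xb11c, matching tshark, and 8 bytes of IPv6 payload minus an 8-byte ICMPv6 header leaves nothing for dsize to count; only when ND options follow the reserved field does the count become non-zero.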