[Oisf-devel] FP on IP frag and sig use udp port 0 ?

Anoop Saldanha anoopsaldanha at gmail.com
Wed May 8 10:04:23 UTC 2013


On Wed, May 8, 2013 at 5:27 AM, rmkml <rmkml at yahoo.fr> wrote:
> Hi,
>
> I'm curious if anyone can confirm this, please?
> (if yes, I'll open a new redmine ticket)
>
> OK, testing Suricata with the attached pcap file, which contains one IP fragmented packet
> without a UDP layer, like this (tshark output):
>
> ...
> Internet Protocol Version 4, Src: 192.168.1.2 (192.168.1.2), Dst:
> 192.168.1.1 (192.168.1.1)
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0x00
>         0000 00.. = Default (0x00)
>         .... ..00 = Not-ECT (Not ECN-Capable Transport) (0x00)
>     Total Length: 1500
>     Identification: 0x1061 (4193)
>     Flags: 0x01 (More Fragments)
>         0... .... = Reserved bit: Not set
>         .0.. .... = Don't fragment: Not set
>         ..1. .... = More fragments: Set
>     Fragment offset: 1480
>     Time to live: 64
>     Protocol: UDP (17)
>     Header checksum: 0xc0a3 [correct]
>         [Good: True]
>         [Bad: False]
>     Source: 192.168.1.2 (192.168.1.2)
>     Destination: 192.168.1.1 (192.168.1.1)
> Data (1480 bytes)
> 0000  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
> ...
>
> Testing with this simple, very old sig:
> alert udp any any <> any 0 (msg:"BAD-TRAFFIC udp port 0 traffic";
> classtype:misc-activity; sid:525; rev:1;)
>
> Suricata produces this FP alert:
> 05/06/2013-23:49:28.176296 [**] [1:525:1] BAD-TRAFFIC udp port 0 traffic
> [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.1.2:0 ->
> 192.168.1.1:0
>
> Of course, Snort does not fire.
>

Seems right to me.

We treat it as an IP-only sig; the upper layer protocol is
determined from the IP packet.

-- 
Anoop Saldanha
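The behaviour discussed above, as an added worked example that is not part of the original thread and not Suricata's or Snort's code. It rebuilds the packet from the tshark values quoted in the post (MF set, offset 1480, proto 17, 1480 bytes of 'A', no UDP header), checks that the rebuilt header checksum is the 0xc0a3 tshark reported, and then evaluates sid 525 two ways: a naive matcher that leaves undecoded ports at 0, which reproduces the `192.168.1.2:0 -> 192.168.1.1:0` alert, and a strict matcher that only applies a port test when a transport header was actually decoded. The `require_transport_header` switch and the second, unfragmented datagram to UDP port 0 are constructed for illustration and are assumptions of this example, not options or test data from either project.

```python
import socket
import struct
from typing import Dict, Optional, Tuple

IPV4_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, total len, id, flags+offset, ttl, proto, csum, src, dst
IPPROTO_UDP = 17
MF_FLAG = 0x2000


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over a header whose checksum field is zero."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(payload: bytes, mf: bool = False, frag_offset: int = 0, proto: int = IPPROTO_UDP,
               ident: int = 0x1061, ttl: int = 64, src: str = "192.168.1.2", dst: str = "192.168.1.1") -> bytes:
    """Build an IPv4 packet without options. frag_offset is in bytes, as tshark prints it."""
    fields = [0x45, 0, 20 + len(payload), ident, (MF_FLAG if mf else 0) | (frag_offset // 8),
              ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ipv4_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields) + payload


def parse_ipv4(pkt: bytes) -> Dict:
    """Decode the fixed IPv4 header; the payload is whatever follows it up to total length."""
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto, csum, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "proto": proto,
        "mf": bool(flags_frag & MF_FLAG),
        "frag_offset": (flags_frag & 0x1FFF) * 8,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "checksum": csum,
        "payload": pkt[ihl:total_len],
    }


def decode_udp_ports(ip: Dict) -> Optional[Tuple[int, int]]:
    """Return (sport, dport), or None when this packet carries no UDP header.
    A non-first fragment (offset != 0) is mid-datagram data: reading its first four
    bytes as ports would just yield payload (0x4141 here), so it is never attempted."""
    if ip["proto"] != IPPROTO_UDP or ip["frag_offset"] != 0 or len(ip["payload"]) < 8:
        return None
    sport, dport = struct.unpack("!HH", ip["payload"][:4])
    return sport, dport


def sid525_matches(ip: Dict, require_transport_header: bool) -> bool:
    """Evaluate 'alert udp any any <> any 0' against one decoded packet.

    With require_transport_header=False, ports that were never decoded default to 0,
    so matching on IP proto 17 plus the port-0 test fires on the bare fragment (the
    false positive from the post). With True, a port test needs a real UDP header."""
    if ip["proto"] != IPPROTO_UDP:
        return False
    ports = decode_udp_ports(ip)
    if ports is None:
        if require_transport_header:
            return False
        ports = (0, 0)   # assumption for illustration: undecoded ports read as 0
    return 0 in ports


# Constructed inputs. FRAGMENT reproduces the tshark dissection quoted in the post.
FRAGMENT = build_ipv4(b"A" * 1480, mf=True, frag_offset=1480)
# UDP_TO_PORT0 is a constructed, unfragmented datagram genuinely sent to UDP port 0
# (UDP header: sport 1234, dport 0, length 12, checksum 0 = not computed).
UDP_TO_PORT0 = build_ipv4(struct.pack("!HHHH", 1234, 0, 12, 0) + b"ping")


def evaluate(pkt: bytes) -> Dict:
    """Summarise what each matcher would do with one packet."""
    ip = parse_ipv4(pkt)
    return {
        "frag_offset": ip["frag_offset"],
        "checksum": ip["checksum"],
        "ports": decode_udp_ports(ip),
        "naive_alert": sid525_matches(ip, require_transport_header=False),
        "strict_alert": sid525_matches(ip, require_transport_header=True),
    }


if __name__ == "__main__":
    for name, pkt in (("fragment", FRAGMENT), ("udp_port0", UDP_TO_PORT0)):
        print(name, evaluate(pkt))
```

The rebuilt fragment checksums to 0xc0a3, which matches the tshark output and confirms the reconstruction; the naive matcher alerts on both packets, the strict one only on the datagram that actually has a UDP header with port 0. In a real sensor the robust fix is to run port-qualified rules against the reassembled datagram rather than against individual fragments, which is what the strict branch approximates here.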
