[Oisf-devel] FP on IP frag and sig use udp port 0 ?

Victor Julien victor at inliniac.net
Tue May 21 08:31:36 UTC 2013


On 05/08/2013 12:04 PM, Anoop Saldanha wrote:
> On Wed, May 8, 2013 at 5:27 AM, rmkml <rmkml at yahoo.fr> wrote:
>> Hi,
>>
>> I'm curious if anyone can confirm this, please?
>> (If yes, I'll open a new Redmine ticket.)
>>
>> OK, testing Suricata with the attached pcap file, which contains one IP fragmented packet
>> without a UDP layer, like this (tshark output):
>>
>> ...
>> Internet Protocol Version 4, Src: 192.168.1.2 (192.168.1.2), Dst:
>> 192.168.1.1 (192.168.1.1)
>>     Version: 4
>>     Header length: 20 bytes
>>     Differentiated Services Field: 0x00
>>         0000 00.. = Default (0x00)
>>         .... ..00 = Not-ECT (Not ECN-Capable Transport) (0x00)
>>     Total Length: 1500
>>     Identification: 0x1061 (4193)
>>     Flags: 0x01 (More Fragments)
>>         0... .... = Reserved bit: Not set
>>         .0.. .... = Don't fragment: Not set
>>         ..1. .... = More fragments: Set
>>     Fragment offset: 1480
>>     Time to live: 64
>>     Protocol: UDP (17)
>>     Header checksum: 0xc0a3 [correct]
>>         [Good: True]
>>         [Bad: False]
>>     Source: 192.168.1.2 (192.168.1.2)
>>     Destination: 192.168.1.1 (192.168.1.1)
>> Data (1480 bytes)
>> 0000  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
>> ...
>>
>> Testing with this simple, very old sig:
>> alert udp any any <> any 0 (msg:"BAD-TRAFFIC udp port 0 traffic";
>> classtype:misc-activity; sid:525; rev:1;)
>>
>> produces the Suricata FP alert:
>> 05/06/2013-23:49:28.176296 [**] [1:525:1] BAD-TRAFFIC udp port 0 traffic
>> [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.1.2:0 ->
>> 192.168.1.1:0
>>
>> Of course, Snort does not fire.
>>
> 
> Seems right to me.
> 
> We treat it as an IP-only sig; the upper layer protocol is
> determined from the IP packet.
> 

Don't think I agree. The packet is a fragment without the actual UDP
layer. So we have no UDP port info for the packet and thus we can't say
port 0 matched.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
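As an added illustration (not code from this thread, from Suricata, or from Snort), a small constructed Python check that reproduces the reported behaviour and the stricter matching Victor argues for: a port-based condition is only evaluated when the packet actually carries a UDP header, which a non-initial fragment (offset 1480, MF set) does not. Packet bytes, helper names and the fallback-to-0 behaviour of the naive matcher are assumptions made for the example.

```python
import struct

UDP = 17
IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options

def build_ipv4(src, dst, proto, more_frags, frag_offset, payload):
    """Assemble a constructed IPv4 packet (checksum left as 0; sample data only)."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset // 8)
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0x1061, flags_frag, 64,
                      proto, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload

def parse_ipv4(pkt):
    """Return IP fields plus UDP ports, but only when a UDP header is actually present."""
    ver_ihl, _, _, _, flags_frag, _, proto, _, _, _ = struct.unpack(IPV4_FMT, pkt[:20])
    payload = pkt[(ver_ihl & 0x0F) * 4:]
    info = {"proto": proto, "more_frags": bool(flags_frag & 0x2000),
            "frag_offset": (flags_frag & 0x1FFF) * 8}
    # Only the first fragment (offset 0) carries the transport header, and it needs 8 UDP bytes.
    if proto == UDP and info["frag_offset"] == 0 and len(payload) >= 8:
        info["sport"], info["dport"] = struct.unpack("!HH", payload[:4])
    return info

def naive_udp_port0_match(info):
    """Reproduces the false positive: absent ports fall back to 0, so 'any 0' fires (assumed model)."""
    return info["proto"] == UDP and 0 in (info.get("sport", 0), info.get("dport", 0))

def strict_udp_port0_match(info):
    """Port-based rules may only match when port information exists for the packet."""
    if info["proto"] != UDP or "dport" not in info:
        return False
    return 0 in (info["sport"], info["dport"])

# Constructed inputs: the non-initial fragment from the thread (MF set, offset 1480, 1480 bytes
# of 'A', no UDP header), a normal UDP datagram to port 53, and a real port-0 datagram.
NON_INITIAL_FRAG = build_ipv4("192.168.1.2", "192.168.1.1", UDP, True, 1480, b"A" * 1480)
UDP_TO_DNS = build_ipv4("192.168.1.2", "192.168.1.1", UDP, False, 0,
                        struct.pack("!HHHH", 40000, 53, 12, 0) + b"\x00" * 4)
UDP_TO_PORT0 = build_ipv4("192.168.1.2", "192.168.1.1", UDP, False, 0,
                          struct.pack("!HHHH", 40000, 0, 8, 0))

if __name__ == "__main__":
    frag = parse_ipv4(NON_INITIAL_FRAG)
    print("fragment -> naive:", naive_udp_port0_match(frag), "strict:", strict_udp_port0_match(frag))
```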