[Oisf-devel] FP on Suricata dns ttl 0
rmkml
rmkml at yahoo.fr
Thu Oct 3 22:07:10 UTC 2013
Hi,
Congratulations on the new Suricata v1.4.6 version!
OK, can anyone confirm an FP with the attached pcap and this old sig, please?
bad-traffic.rules:alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC 0 ttl"; ttl:0; classtype:misc-activity; sid:1321; rev:8;)
Suricata fast.log output:
10/03/2013-12:33:42.042308 [**] [1:1321:8] BAD-TRAFFIC 0 ttl [**] [Classification: Misc activity] [Priority: 3] {HOPOPT} 0000:0000:0463:6f64:6504:6d73:646e:096d:0 -> 6963:726f:736f:6674:0363:6f6d:0000:0100:0
But the attached pcap is DNS/UDP; tcpdump output:
12:33:42.042308 IP (tos 0x0, ttl 64, id 34529, offset 0, flags [DF], proto UDP (17), length 69)
192.168.69.156.49379 > 192.38.129.234.53: [udp sum ok] 28390+ A? code.msdn.microsoft.com. (41)
E..E..@.@.kq..E..&.....5.1..n............code.msdn microsoft.com.....
If anyone confirms, I'll open a new Redmine ticket.
FP with Suricata v1.4.5
FP with Suricata v1.4.6
FP with Suricata v2.0beta1
Regards
@Rmkml
http://etplc.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suricatadnsttl0fp.pcap
Type: application/vnd.tcpdump.pcap
Size: 228 bytes
Desc:
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20131004/b15c4685/attachment.bin>
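As an added triage example (not from the post, the attached pcap, or the Suricata project): the packet is rebuilt from the tcpdump line above, and the "IPv6 addresses" printed in the fast.log line are converted back to bytes and located in it. They turn out to be the DNS question bytes, and the header they imply sits at offset 28 (the UDP payload), where the DNS transaction id 28390 = 0x6EE6 happens to start with the nibble 6; that is consistent with the engine having re-decoded the DNS payload as an IPv6 header (next header 0 = HOPOPT, hop limit 0), while the real IPv4 TTL is 64.

```python
import struct

# Constructed here from the tcpdump line in the post, not the pcap's bytes:
# IPv4 (ttl 64, id 34529, DF) / UDP 49379 -> 53 / DNS id 28390 RD,
# A? code.msdn.microsoft.com  (IP total length 69, DNS payload 41 bytes).
def build_packet():
    labels = b"code.msdn.microsoft.com".split(b".")
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    dns = struct.pack("!HHHHHH", 28390, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 49379, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 34529, 0x4000,
                     64, 17, 0, bytes([192, 168, 69, 156]), bytes([192, 38, 129, 234]))
    return ip + udp

def ipv4_ttl_proto(pkt, off=0):
    """TTL and protocol fields of the IPv4 header that starts at `off`."""
    return pkt[off + 8], pkt[off + 9]

def fastlog_addr_bytes(addr):
    """Turn a fast.log address such as '0000:0463:...:0' back into raw bytes.
    The last ':'-separated field is the port; each remaining field is one
    16-bit group, so eight groups give the 16 bytes of an IPv6-style address."""
    groups = addr.split(":")[:-1]
    return b"".join(bytes.fromhex(g.zfill(4)) for g in groups)

def locate_logged_addrs(pkt, src, dst):
    """Find where the bytes logged as src/dst addresses really live in the packet.
    An IPv6 header at offset X carries src at X+8 and dst at X+24; return X and
    the (version, next_header, hop_limit) fields read at that offset, or None
    if the two 16-byte runs are not adjacent as an IPv6 header would require."""
    s, d = pkt.find(fastlog_addr_bytes(src)), pkt.find(fastlog_addr_bytes(dst))
    if s < 0 or d != s + 16:
        return None
    x = s - 8
    return x, pkt[x] >> 4, pkt[x + 6], pkt[x + 7]

if __name__ == "__main__":
    pkt = build_packet()
    print("real IPv4 ttl, proto:", ipv4_ttl_proto(pkt))  # (64, 17)
    print("logged addrs -> offset, version, next header, hop limit:",
          locate_logged_addrs(pkt,
                              "0000:0000:0463:6f64:6504:6d73:646e:096d:0",
                              "6963:726f:736f:6674:0363:6f6d:0000:0100:0"))  # (28, 6, 0, 0)
    print(fastlog_addr_bytes("0000:0000:0463:6f64:6504:6d73:646e:096d:0"))
```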