[Oisf-devel] FP on Suricata dns ttl 0

Victor Julien victor at inliniac.net
Fri Oct 4 08:07:47 UTC 2013


On 10/04/2013 12:07 AM, rmkml wrote:
> Hi,
> 
> Congratulations on the new Suricata v1.4.6 version!
> 
> ok, can anyone confirm the FP with the attached pcap and this old sig please?:
> 
> bad-traffic.rules:alert ip $EXTERNAL_NET any -> $HOME_NET any
> (msg:"BAD-TRAFFIC 0 ttl"; ttl:0; classtype:misc-activity; sid:1321; rev:8;)
> 
> suricata fast.log output:
> 10/03/2013-12:33:42.042308  [**] [1:1321:8] BAD-TRAFFIC 0 ttl [**]
> [Classification: Misc activity] [Priority: 3] {HOPOPT}
> 0000:0000:0463:6f64:6504:6d73:646e:096d:0 ->
> 6963:726f:736f:6674:0363:6f6d:0000:0100:0
> 
> but the attached pcap is dns/udp, tcpdump output:
> 12:33:42.042308 IP (tos 0x0, ttl 64, id 34529, offset 0, flags [DF],
> proto UDP (17), length 69)
>     192.168.69.156.49379 > 192.38.129.234.53: [udp sum ok] 28390+ A?
> code.msdn.microsoft.com. (41)
> E..E.. at .@.kq..E..&.....5.1..n............code.msdn      microsoft.com.....
> 
> if anyone confirms, I'll open a new redmine ticket.
> 
> fp with suricata v1.4.5
> fp with suricata v1.4.6
> fp with suricata v2.0beta1


Looks like a false positive indeed. Can you open a ticket?

Thanks!

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
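Added illustration, not part of the thread: the "addresses" in the quoted fast.log line are the bytes of the DNS query itself read as an IPv6 header, which is what a ttl:0 match on a ttl-64 UDP packet looks like. The script rebuilds the 41-byte query from the tcpdump fields (the flags value 0x0100 is assumed from the "+" RD marker; the query is constructed, not taken from the pcap) and decodes it as a fixed IPv6 header: version 6 from transaction ID 0x6ee6, next header 0 (HOPOPT), hop limit 0, and source/destination groups identical to Suricata's output.

```python
import struct

# Fields read off the tcpdump line in the report: ID 28390, "+" (RD set),
# one question for code.msdn.microsoft.com, type A, class IN.
# FLAGS 0x0100 (only RD set) is an assumption; "+" only tells us RD is set.
DNS_ID = 28390
DNS_FLAGS = 0x0100
QNAME = "code.msdn.microsoft.com"

# Address fields exactly as printed in the quoted fast.log line (port dropped).
FASTLOG_SRC = "0000:0000:0463:6f64:6504:6d73:646e:096d"
FASTLOG_DST = "6963:726f:736f:6674:0363:6f6d:0000:0100"


def build_dns_query(qid, flags, name, qtype=1, qclass=1):
    """Construct the DNS query message (header + one question) as raw bytes."""
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, qclass)


def hexgroups(b):
    """Render 16 bytes the way fast.log prints an uncompressed IPv6 address."""
    return ":".join(f"{b[i]:02x}{b[i + 1]:02x}" for i in range(0, 16, 2))


def decode_as_ipv6(buf):
    """Decode the first 40 bytes of buf as if they were a fixed IPv6 header."""
    vtf, plen, nxt, hlim = struct.unpack("!IHBB", buf[:8])
    return {
        "version": vtf >> 28,   # top nibble of the DNS ID 0x6ee6 is 6
        "payload_len": plen,    # QDCOUNT=1 lands in the payload length field
        "next_header": nxt,     # ANCOUNT high byte 0 -> protocol 0 == HOPOPT
        "hop_limit": hlim,      # ANCOUNT low byte 0 -> the "ttl" the rule tested
        "src": hexgroups(buf[8:24]),
        "dst": hexgroups(buf[24:40]),
    }


def explain_false_positive():
    """Return (query length, decoded header, whether it matches the fast.log line)."""
    query = build_dns_query(DNS_ID, DNS_FLAGS, QNAME)
    hdr = decode_as_ipv6(query)
    matches = hdr["src"] == FASTLOG_SRC and hdr["dst"] == FASTLOG_DST
    return len(query), hdr, matches


if __name__ == "__main__":
    print(explain_false_positive())
```

The 41-byte length agrees with tcpdump's "(41)", so the match against both printed addresses is strong evidence that the UDP payload was decoded as an IPv6 packet rather than the outer IPv4 header with ttl 64.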