[Oisf-devel] FP on Suricata dns ttl 0

rmkml rmkml at yahoo.fr
Fri Oct 4 08:18:42 UTC 2013


Thank you Victor,

Opened #990 redmine ticket.

It's very hard, but I'm searching for a new Suricata segfault for the next meeting ;)

Best Regards
@Rmkml


On Fri, 4 Oct 2013, Victor Julien wrote:

> On 10/04/2013 12:07 AM, rmkml wrote:
>> Hi,
>>
>> Congratulations for new Suricata v1.4.6 version !
>>
>> ok, can anyone confirm an FP with the attached pcap and this old sig please?:
>>
>> bad-traffic.rules:alert ip $EXTERNAL_NET any -> $HOME_NET any
>> (msg:"BAD-TRAFFIC 0 ttl"; ttl:0; classtype:misc-activity; sid:1321; rev:8;)
>>
>> suricata fast.log output:
>> 10/03/2013-12:33:42.042308  [**] [1:1321:8] BAD-TRAFFIC 0 ttl [**]
>> [Classification: Misc activity] [Priority: 3] {HOPOPT}
>> 0000:0000:0463:6f64:6504:6d73:646e:096d:0 ->
>> 6963:726f:736f:6674:0363:6f6d:0000:0100:0
>>
>> but the attached pcap is dns/udp, tcpdump output:
>> 12:33:42.042308 IP (tos 0x0, ttl 64, id 34529, offset 0, flags [DF],
>> proto UDP (17), length 69)
>>     192.168.69.156.49379 > 192.38.129.234.53: [udp sum ok] 28390+ A?
>> code.msdn.microsoft.com. (41)
>> E..E..@.@.kq..E..&.....5.1..n............code.msdn      microsoft.com.....
>>
>> if anyone confirms, I'll open a new redmine ticket.
>>
>> fp with suricata v1.4.5
>> fp with suricata v1.4.6
>> fp with suricata v2.0beta1
>
>
> Looks like a false positive indeed. Can you open a ticket?
>
> Thanks!
>
> -- 
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/
>
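The fast.log line quoted above is itself the clue to why ttl:0 fires on a DNS query with an IP TTL of 64: the alert reports protocol HOPOPT (IPv6 next header 0) and "addresses" such as 0000:0000:0463:6f64:6504:6d73:646e:096d, and 0x04 "code" 0x04 "msdn" is the start of the DNS question name. Those are exactly the fields you get by reading the 41-byte DNS payload as an IPv6 header: the transaction ID 28390 is 0x6ee6, so the first nibble is 6, the next-header byte lands on the zero high byte of ANCOUNT, and the hop-limit byte on its zero low byte. Suricata's ttl keyword compares the hop limit on IPv6 packets, so the decoded packet matches ttl:0. The script below is added analysis, not code from the thread or from Suricata: it rebuilds the query from the tcpdump line (constructed input), decodes it with a deliberately naive "version nibble is 6, so it is IPv6" rule, and then applies the stricter plausibility checks a decoder for IPv6-in-UDP could use. Which Suricata decoder actually took this path, and the Teredo port 3544 check, are my assumptions, not something the thread states.

```python
"""Added analysis of the ttl:0 false positive: decode the DNS payload from the
tcpdump line as if it were an IPv6 packet and compare with the fast.log fields.
Not Suricata code; the decoder and checks below are illustrative."""
import struct
import ipaddress

HOPOPT = 0          # IPv6 next-header value 0 = Hop-by-Hop Options
TEREDO_PORT = 3544  # assumption: the UDP port on which IPv6-in-UDP is expected
IPV6_HDR_LEN = 40


def build_dns_query(txid, qname, qtype=1, qclass=1):
    """Reconstruct the query from the thread's tcpdump output (constructed input).
    flags 0x0100 = recursion desired, which tcpdump shows as the '+' after the id."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, qclass)


def decode_as_ipv6(payload):
    """Naive decoder: accept anything whose version nibble is 6 as an IPv6 packet.
    Returns the header fields, or None if the nibble is not 6 or the data is short."""
    if len(payload) < IPV6_HDR_LEN:
        return None
    ver_tc_flow, payload_len, next_header, hop_limit = struct.unpack("!IHBB", payload[:8])
    if ver_tc_flow >> 28 != 6:
        return None
    return {
        "payload_len": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(payload[8:24])),
        "dst": str(ipaddress.IPv6Address(payload[24:40])),
    }


def ttl_rule_matches(decoded, ttl=0):
    """The ttl keyword is compared against the hop limit for IPv6 packets."""
    return decoded is not None and decoded["hop_limit"] == ttl


def encapsulated_ipv6_plausible(payload, udp_dport):
    """Stricter acceptance test for IPv6 carried inside UDP (my own checks):
    right port, payload length consistent, and a Hop-by-Hop header, which is at
    least 8 bytes long, cannot fit in the bytes that remain."""
    decoded = decode_as_ipv6(payload)
    if decoded is None:
        return False, "version nibble is not 6"
    if udp_dport != TEREDO_PORT:
        return False, "not on the Teredo port"
    remaining = len(payload) - IPV6_HDR_LEN
    if decoded["payload_len"] != remaining:
        return False, "payload length does not match remaining bytes"
    if decoded["next_header"] == HOPOPT and remaining < 8:
        return False, "Hop-by-Hop Options header needs at least 8 bytes"
    return True, "ok"


if __name__ == "__main__":
    payload = build_dns_query(28390, "code.msdn.microsoft.com")
    decoded = decode_as_ipv6(payload)
    print(f"{len(payload)} byte DNS query decoded as IPv6: {decoded}")
    print("ttl:0 matches:", ttl_rule_matches(decoded))
    print("plausible as encapsulated IPv6:", encapsulated_ipv6_plausible(payload, 53))
```

The decoded source address prints as ::463:6f64:6504:6d73:646e:96d and the destination as 6963:726f:736f:6674:363:6f6d:0:100, the same groups fast.log printed, with next header 0 (HOPOPT) and hop limit 0. Note that the length check alone would not have caught this packet: QDCOUNT is 1 and exactly one byte follows the 40 bytes read as a header, so the port and minimum-extension-header checks are what reject it.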