[Oisf-devel] sctp fp on suricata engine

rmkml rmkml at yahoo.fr
Sun Jan 18 00:27:00 UTC 2015


Hello,

First, Happy New Year to all, and thanks for the Suricata development!

I'm continuing Suricata testing and 1) found an FP with this (simplified) sig on the attached SCTP pcap file:

alert ip any any -> any any (msg:"SCTP Suricata test 1"; ip_proto:132; content:"|00 07 02 10|"; offset:0; depth:4; classtype:attempted-admin; sid:1; rev:1; )

-> Suricata v2.0.6 or v2.1beta2 fires, but NOT Snort 2.

02/18/2005-09:49:58.694007 [**] [1:1:1] SCTP Suricata test 1 [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {SCTP} 192.168.170.56:7 -> 192.168.170.8:7

tcpdump output of the attached SCTP pcap file:

09:49:58.694007 IP (tos 0x0, ttl 128, id 45300, offset 0, flags [none], proto SCTP (132), length 560)
  192.168.170.56.7 > 192.168.170.8.7: sctp
   1) [DATA] (U)(B)(E) [TSN: 13852] [SID: 8] [SSEQ 0] [PPID 0x0] [Payload]
   0x0000:  4500 0230 b0f4 0000 8084 b1c3 c0a8 aa38  E..0...........8
   0x0010:  c0a8 aa08 0007 0007 4323 2544 3ade fb02  ........C#%D:...
   0x0020:  0007 0210 0000 361c 0008 0000 0000 0000  ......6.........
            ---------
   ...


2) or a Suricata FP (but not Snort 2) with this similar sig without ip_proto:132:

alert ip any any -> any any (msg:"SCTP Suricata test 2"; content:"|00 07 02 10|"; offset:0; depth:4; classtype:attempted-admin; sid:2; rev:1; )

02/18/2005-09:49:58.694007 [**] [1:2:1] SCTP Suricata test 3 [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {SCTP} 192.168.170.56:7 -> 192.168.170.8:7


3) for information, here is a true SCTP sig that fires:

alert sctp any any -> any any (msg:"SCTP Suricata test 3"; content:"|00 07 02 10|"; offset:0; depth:4; classtype:attempted-admin; sid:3; rev:1; )


If you confirm 1) and 2), I'll open a new Redmine ticket.

Regards
@Rmkml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suricata_sctp.pcap
Type: application/vnd.tcpdump.pcap
Size: 720 bytes
Desc: 
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20150118/9a58b581/attachment.bin>
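The content pattern in all three sigs, |00 07 02 10|, is the header of the first SCTP chunk in the dumped packet (type 0 = DATA, flags 0x07 = U,B,E, length 0x0210 = 528). Whether it sits at offset 0 with depth 4 depends on which buffer is treated as "the payload": everything after the IP header (which begins with the SCTP common header, 00 07 00 07 ...), or the bytes after the 12-byte SCTP common header. The following script is an added example, not code from the post or from Suricata or Snort; it reparses the 48 bytes of the packet that the tcpdump hex dump above shows (the rest of the 560-byte packet is not in the post) and reports where the four bytes land relative to each candidate payload start. The function and key names (parse_ipv4, parse_sctp, content_match, analyze, "match_from_ip_payload", "match_from_sctp_chunks") are this example's own, and content_match is only a small emulation of content/offset/depth, not either engine's matcher. The post does not say which buffer each engine uses; the example only shows the offsets the dump supports.

```python
import struct

SCTP_PROTO = 132            # IP protocol number for SCTP (ip_proto:132 in sid 1)
SCTP_COMMON_HDR_LEN = 12    # src port, dst port, verification tag, checksum

# First 48 bytes of the packet, copied from the tcpdump hex dump in the post
# (the remaining bytes of the 560-byte packet were elided there).
PACKET_HEAD = bytes.fromhex(
    "4500 0230 b0f4 0000 8084 b1c3 c0a8 aa38"
    "c0a8 aa08 0007 0007 4323 2544 3ade fb02"
    "0007 0210 0000 361c 0008 0000 0000 0000"
)

# Content pattern used by sids 1, 2 and 3 in the post.
PATTERN = bytes.fromhex("00070210")

# SCTP DATA chunk flag bits (RFC 4960, section 3.3.1).
DATA_FLAGS = (("U", 0x04), ("B", 0x02), ("E", 0x01))


def parse_ipv4(pkt):
    """Return the IPv4 header fields this example needs."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    total_len, = struct.unpack_from("!H", pkt, 2)
    return {
        "ihl": ihl,
        "total_len": total_len,
        "ttl": pkt[8],
        "proto": pkt[9],
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
    }


def parse_sctp(ip_payload):
    """Decode the SCTP common header and the first chunk header; for a
    DATA chunk also decode TSN, stream id, stream sequence and PPID."""
    sport, dport, vtag, csum = struct.unpack_from("!HHII", ip_payload, 0)
    chunks = ip_payload[SCTP_COMMON_HDR_LEN:]      # bytes after the common header
    ctype, cflags, clen = struct.unpack_from("!BBH", chunks, 0)
    info = {"sport": sport, "dport": dport, "vtag": vtag, "checksum": csum,
            "chunk_type": ctype, "chunk_flags": cflags, "chunk_len": clen,
            "chunks": chunks}
    if ctype == 0:  # DATA chunk
        tsn, sid, sseq, ppid = struct.unpack_from("!IHHI", chunks, 4)
        info.update(tsn=tsn, sid=sid, sseq=sseq, ppid=ppid,
                    flags_str="".join(n for n, bit in DATA_FLAGS if cflags & bit))
    return info


def content_match(buf, pattern, offset=0, depth=None):
    """Toy emulation of content with offset/depth: the pattern must lie
    inside buf[offset:offset+depth], depth counted from offset."""
    window = buf[offset:] if depth is None else buf[offset:offset + depth]
    return pattern in window


def analyze(pkt=PACKET_HEAD, pattern=PATTERN):
    """Locate the pattern relative to the two candidate payload starts."""
    ip = parse_ipv4(pkt)
    ip_payload = pkt[ip["ihl"]:]                   # everything after the IP header
    result = {
        "ip": ip,
        "pattern_offset_in_ip_payload": ip_payload.find(pattern),
        "match_from_ip_payload": content_match(ip_payload, pattern, 0, 4),
    }
    if ip["proto"] == SCTP_PROTO:
        sctp = parse_sctp(ip_payload)
        result["sctp"] = sctp
        result["match_from_sctp_chunks"] = content_match(sctp["chunks"], pattern, 0, 4)
    return result


if __name__ == "__main__":
    r = analyze()
    ip, sctp = r["ip"], r["sctp"]
    print(f"{ip['src']}:{sctp['sport']} -> {ip['dst']}:{sctp['dport']} "
          f"proto {ip['proto']} len {ip['total_len']} ttl {ip['ttl']}")
    print(f"first chunk: type {sctp['chunk_type']} flags {sctp['flags_str']} "
          f"len {sctp['chunk_len']} TSN {sctp['tsn']} SID {sctp['sid']} "
          f"SSEQ {sctp['sseq']} PPID {sctp['ppid']:#x}")
    print("pattern offset after IP header:", r["pattern_offset_in_ip_payload"])
    print("offset:0; depth:4 from IP payload  :", r["match_from_ip_payload"])
    print("offset:0; depth:4 from SCTP chunks :", r["match_from_sctp_chunks"])
```

Run against the dumped bytes, the pattern is found 12 bytes into the IP payload, i.e. exactly at the start of the chunk area: measured from the chunks it matches at offset 0 depth 4, measured from the IP payload it does not. The decoded fields (ports 7/7, DATA (U)(B)(E) length 528, TSN 13852, SID 8) agree with the tcpdump line in the post, which is a quick check that the bytes were copied correctly.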

