[Oisf-devel] RE : sctp fp on suricata engine

Victor Julien victor at inliniac.net
Tue Jan 27 22:20:52 UTC 2015


On 01/27/2015 09:21 PM, rmkml wrote:
> Anyone interested please? 

Hi Rmkml, can you open the ticket? I will look at it later.

Cheers,
Victor

> 
> Regards 
> @Rmkml 
> 
> 
> 
> -------- Original message --------
> From: rmkml <rmkml at yahoo.fr>
> Date: 18/01/2015 01:27 (GMT+01:00)
> To: oisf-devel at openinfosecfoundation.org
> Cc: rmkml at yahoo.fr
> Subject: sctp fp on suricata engine
> 
> Hello,
> 
> First, Happy New Year all and thx for Suricata development!
> 
> I'm continuing Suricata testing and 1) found a fp with this (simplified)
> sig on the joined sctp pcap file:
> 
> alert ip any any -> any any (msg:"SCTP Suricata test 1"; ip_proto:132;
> content:"|00 07 02 10|"; offset:0; depth:4; classtype:attempted-admin;
> sid:1; rev:1; )
> 
> -> Suricata v2.0.6 fires, and v2.1beta2 fires, but NOT snort2.
> 
> 02/18/2005-09:49:58.694007 [**] [1:1:1] SCTP Suricata test 1 [**]
> [Classification: Attempted Administrator Privilege Gain] [Priority: 1]
> {SCTP} 192.168.170.56:7 -> 192.168.170.8:7
> 
> tcpdump dump of the joined sctp pcap file:
> 
> 09:49:58.694007 IP (tos 0x0, ttl 128, id 45300, offset 0, flags [none],
> proto SCTP (132), length560)
>   192.168.170.56.7 > 192.168.170.8.7: sctp
>    1) [DATA] (U)(B)(E) [TSN: 13852] [SID: 8] [SSEQ 0] [PPID 0x0] [Payload]
>    0x0000:  4500 0230 b0f4 0000 8084 b1c3 c0a8 aa38  E..0...........8
>    0x0010:  c0a8 aa08 0007 0007 4323 2544 3ade fb02  ........C#%D:...
>    0x0020:  0007 0210 0000 361c 0008 0000 0000 0000  ......6.........
>             ---------
>    ...
> 
> 
> 2) or a suricata fp (but not snort2) with this similar sig without
> ip_proto:132:
> 
> alert ip any any -> any any (msg:"SCTP Suricata test 2"; content:"|00 07
> 02 10|"; offset:0; depth:4; classtype:attempted-admin; sid:2; rev:1; )
> 
> 02/18/2005-09:49:58.694007 [**] [1:2:1] SCTP Suricata test 3 [**]
> [Classification: Attempted Administrator Privilege Gain] [Priority: 1]
> {SCTP} 192.168.170.56:7 -> 192.168.170.8:7
> 
> 
> 3) for information, here is a true sctp sig that fires:
> 
> alert sctp any any -> any any (msg:"SCTP Suricata test 3"; content:"|00
> 07 02 10|"; offset:0; depth:4; classtype:attempted-admin; sid:3; rev:1; )
> 
> 
> If you confirm 1) and 2), I'll open a new redmine ticket.
> 
> Regards
> @Rmkml
> 
> 
> _______________________________________________
> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
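As an added illustration (not part of the thread, and not Suricata or Snort code), the script below parses the packet dump quoted in the report and shows what the rule's `content:"|00 07 02 10|"; offset:0; depth:4;` check sees if the payload is taken to start at the SCTP common header versus at the first chunk. It makes no claim about where either engine actually places its payload pointer for an `ip` rule; it only lays out the bytes. The function and field names are the example's own.

```python
import struct

# The three hex-dump lines quoted in the report (first 48 bytes of the
# 560-byte packet; tcpdump's trailing ASCII column is ignored by the parser).
DUMP = """\
0x0000:  4500 0230 b0f4 0000 8084 b1c3 c0a8 aa38  E..0...........8
0x0010:  c0a8 aa08 0007 0007 4323 2544 3ade fb02  ........C#%D:...
0x0020:  0007 0210 0000 361c 0008 0000 0000 0000  ......6.........
"""

# Rule content from the report: content:"|00 07 02 10|"; offset:0; depth:4;
PATTERN = bytes.fromhex("00070210")
IPPROTO_SCTP = 132


def parse_dump(text):
    """Convert tcpdump -X style lines to bytes: 8 hex words follow the offset."""
    out = bytearray()
    for line in text.splitlines():
        if ":" not in line:
            continue
        words = line.split(":", 1)[1].split()[:8]   # split once: ASCII col may hold ':'
        out += bytes.fromhex("".join(words))
    return bytes(out)


def layout(pkt):
    """Locate the IPv4 header, the SCTP common header and the first chunk header."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", pkt[2:4])[0], pkt[9]
    l4 = pkt[ihl:]                                   # IP payload = SCTP common header
    sport, dport, vtag = struct.unpack("!HHI", l4[:8])
    ctype, cflags, clen = struct.unpack("!BBH", l4[12:16])  # after 12-byte common hdr
    return {"ihl": ihl, "total_len": total_len, "proto": proto,
            "sport": sport, "dport": dport, "vtag": vtag,
            "chunk_type": ctype, "chunk_flags": cflags, "chunk_len": clen}


def content_match(payload, pattern, offset, depth):
    """Emulate content with offset/depth: match must lie inside payload[offset:offset+depth]."""
    return pattern in payload[offset:offset + depth]


def match_by_payload_start(pkt):
    """Evaluate the report's content check for two candidate payload starts."""
    l4 = pkt[(pkt[0] & 0x0F) * 4:]
    return {
        "ip_proto_132": pkt[9] == IPPROTO_SCTP,
        "from_sctp_common_header": content_match(l4, PATTERN, 0, 4),   # bytes 00 07 00 07
        "from_first_chunk": content_match(l4[12:], PATTERN, 0, 4),     # bytes 00 07 02 10
    }
```

The four bytes at offset 0 are the SCTP source and destination ports (7, 7) under the first interpretation, and the DATA chunk's type, flags and length (0x00, 0x07, 0x0210) under the second, which is where the rule's pattern comes from.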