[Oisf-users] Suricata 1.4 Checksums only checked for TCP packets?
Victor Julien
lists at inliniac.net
Wed Jan 30 10:30:20 UTC 2013
On 01/29/2013 05:56 PM, Vincent Fang wrote:
> I couldn't find these keywords in the online documentation. Do these go
> in the suricata.yaml and what's the format to enable these modes?
Those are rule keywords. In the "decoder-events.rules" file we ship with
the source you'll find examples:
# checksum rules
alert ip any any -> any any (msg:"SURICATA IPv4 invalid checksum"; ipv4-csum:invalid; sid:2200073; rev:1;)
alert tcp any any -> any any (msg:"SURICATA TCPv4 invalid checksum"; tcpv4-csum:invalid; sid:2200074; rev:1;)
alert udp any any -> any any (msg:"SURICATA UDPv4 invalid checksum"; udpv4-csum:invalid; sid:2200075; rev:1;)
alert icmp any any -> any any (msg:"SURICATA ICMPv4 invalid checksum"; icmpv4-csum:invalid; sid:2200076; rev:1;)
alert tcp any any -> any any (msg:"SURICATA TCPv6 invalid checksum"; tcpv6-csum:invalid; sid:2200077; rev:1;)
alert udp any any -> any any (msg:"SURICATA UDPv6 invalid checksum"; udpv6-csum:invalid; sid:2200078; rev:1;)
alert icmp any any -> any any (msg:"SURICATA ICMPv6 invalid checksum"; icmpv6-csum:invalid; sid:2200079; rev:1;)
>
> On Tue, Jan 29, 2013 at 5:22 AM, Victor Julien <lists at inliniac.net
> <mailto:lists at inliniac.net>> wrote:
>
> On 01/28/2013 08:52 PM, Vincent Fang wrote:
> > I was reading through the online documentation and it only indicates
> > that it verifies the checksums for TCP packets. What about UDP or IP
> > checksums?
>
> The TCP engine checks TCP checksums by default to prevent various
> TCP reassembly evasion issues. Other checksums can be checked by using
> the ipv4-csum, tcpv4-csum, tcpv6-csum, udpv4-csum, udpv6-csum,
> icmpv4-csum and icmpv6-csum keywords.
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
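The arithmetic behind the ipv4-csum and udpv4-csum keywords above, as an added example for this thread (written in Python here; it is not the list's or Suricata's own code): it verifies the IPv4 header checksum and the UDP checksum over its pseudo-header, and treats a zero UDP checksum field the way RFC 768 defines it, as "not computed" rather than "invalid". The packet bytes, ports and addresses are constructed for the example.

```python
import struct
from typing import Optional

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: fold the 16-bit ones' complement sum, then invert."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_checksum_valid(pkt: bytes) -> bool:
    """The IPv4 header checksum covers only the header (IHL * 4 bytes)."""
    ihl = (pkt[0] & 0x0F) * 4
    # Summing the header with its checksum field in place yields 0 when intact.
    return ones_complement_sum(pkt[:ihl]) == 0

def udpv4_checksum_valid(pkt: bytes) -> Optional[bool]:
    """The UDP checksum covers a pseudo-header (addresses, proto, length) plus the datagram."""
    ihl = (pkt[0] & 0x0F) * 4
    udp = pkt[ihl:]
    if udp[6:8] == b"\x00\x00":
        return None  # RFC 768: zero means the sender computed no checksum, not "invalid"
    pseudo = pkt[12:20] + b"\x00\x11" + struct.pack("!H", len(udp))
    return ones_complement_sum(pseudo + udp) == 0

def build_ipv4_udp(payload: bytes, src: bytes = b"\xc0\xa8\x01\x0a",
                   dst: bytes = b"\xc0\xa8\x01\x14") -> bytes:
    """Construct a well-formed IPv4/UDP packet (sample addresses 192.168.1.10 -> .20)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", 40000, 53, udp_len, 0) + payload
    pseudo = src + dst + b"\x00\x11" + struct.pack("!H", udp_len)
    csum = ones_complement_sum(pseudo + udp) or 0xFFFF  # RFC 768: a computed 0 is sent as 0xFFFF
    udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0x4000, 64, 17, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]
    return hdr + udp

def classify(pkt: bytes) -> dict:
    """The three outcomes a checksum rule can distinguish: True, False, or None (absent)."""
    return {"ipv4": ipv4_checksum_valid(pkt), "udpv4": udpv4_checksum_valid(pkt)}

if __name__ == "__main__":
    good = build_ipv4_udp(b"constructed query")
    damaged = good[:8] + bytes([good[8] - 1]) + good[9:]  # TTL changed without recomputing
    print(classify(good), classify(damaged))
```

A header change alone flips only the ipv4 result, while a payload change flips only the udpv4 result, which is why the thread's rules exist as separate keywords per layer.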