[Oisf-users] Suricata 1.4 Checksums only checked for TCP packets?
Vincent Fang
vincent.y.fang at gmail.com
Wed Jan 30 16:34:33 UTC 2013
So there's a setting in suricata.yaml called
checksum-validation:no
Is that independent of this keyword used in the rules or are they linked
such that yes means these keywords would be active and no would mean not
active?
On Wed, Jan 30, 2013 at 5:30 AM, Victor Julien <lists at inliniac.net> wrote:
> On 01/29/2013 05:56 PM, Vincent Fang wrote:
> > I couldn't find these keywords in the online documentation. Do these go
> > in the suricata.yaml and what's the format to enable these modes?
>
> Those are rule keywords. In the "decoder-events.rules" file we ship with
> the source you'll find examples:
>
> # checksum rules
> alert ip any any -> any any (msg:"SURICATA IPv4 invalid checksum";
> ipv4-csum:invalid; sid:2200073; rev:1;)
> alert tcp any any -> any any (msg:"SURICATA TCPv4 invalid checksum";
> tcpv4-csum:invalid; sid:2200074; rev:1;)
> alert udp any any -> any any (msg:"SURICATA UDPv4 invalid checksum";
> udpv4-csum:invalid; sid:2200075; rev:1;)
> alert icmp any any -> any any (msg:"SURICATA ICMPv4 invalid checksum";
> icmpv4-csum:invalid; sid:2200076; rev:1;)
> alert tcp any any -> any any (msg:"SURICATA TCPv6 invalid checksum";
> tcpv6-csum:invalid; sid:2200077; rev:1;)
> alert udp any any -> any any (msg:"SURICATA UDPv6 invalid checksum";
> udpv6-csum:invalid; sid:2200078; rev:1;)
> alert icmp any any -> any any (msg:"SURICATA ICMPv6 invalid checksum";
> icmpv6-csum:invalid; sid:2200079; rev:1;)
>
>
> >
> > On Tue, Jan 29, 2013 at 5:22 AM, Victor Julien <lists at inliniac.net
> > <mailto:lists at inliniac.net>> wrote:
> >
> > On 01/28/2013 08:52 PM, Vincent Fang wrote:
> > > I was reading through the online documentation and it only
> indicates
> > > that it verifies the checksums for TCP packets. What about UDP or
> IP
> > > checksums?
> >
> > The TCP engine checks TCP checksums for by default to prevent various
> > TCP reassembly evasion issues. Other checksums can be checked by
> using
> > the ipv4-csum, tcpv4-csum, tcpv6-csum, udpv4-csum, udpv6-csum,
> > icmpv4-csum and icmpv6-csum keywords.
> >
> > --
> > ---------------------------------------------
> > Victor Julien
> > http://www.inliniac.net/
> > PGP: http://www.inliniac.net/victorjulien.asc
> > ---------------------------------------------
> >
> > _______________________________________________
> > Suricata IDS Users mailing list:
> > oisf-users at openinfosecfoundation.org
> > <mailto:oisf-users at openinfosecfoundation.org>
> > Site: http://suricata-ids.org | Support:
> > http://suricata-ids.org/support/
> > List:
> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > OISF: http://www.openinfosecfoundation.org/
> >
> >
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20130130/d1a4cc68/attachment-0002.html>
More information about the Oisf-users
mailing list