[Oisf-users] Suricata 1.4 Checksums only checked for TCP packets?

Anoop Saldanha anoopsaldanha at gmail.com
Wed Jan 30 17:28:09 UTC 2013


On Wed, Jan 30, 2013 at 10:04 PM, Vincent Fang <vincent.y.fang at gmail.com> wrote:
> So there's a setting in suricata.yaml called
>
> checksum-validation:no
>
> Is that independent of this keyword used in the rules or are they linked
> such that yes means these keywords would be active and no would mean not
> active?
>

checksum-validation isn't related to the csum-* keywords.
Checksum-validation is used by the tcp stream engine to determine if
it should validate tcp checksums or not, before sending the payloads
for stream reassembly.

>
> On Wed, Jan 30, 2013 at 5:30 AM, Victor Julien <lists at inliniac.net> wrote:
>>
>> On 01/29/2013 05:56 PM, Vincent Fang wrote:
>> > I couldn't find these keywords in the online documentation. Do these go
>> > in the suricata.yaml and what's the format to enable these modes?
>>
>> Those are rule keywords. In the "decoder-events.rules" file we ship with
>> the source you'll find examples:
>>
>> # checksum rules
>> alert ip any any -> any any (msg:"SURICATA IPv4 invalid checksum"; ipv4-csum:invalid; sid:2200073; rev:1;)
>> alert tcp any any -> any any (msg:"SURICATA TCPv4 invalid checksum"; tcpv4-csum:invalid; sid:2200074; rev:1;)
>> alert udp any any -> any any (msg:"SURICATA UDPv4 invalid checksum"; udpv4-csum:invalid; sid:2200075; rev:1;)
>> alert icmp any any -> any any (msg:"SURICATA ICMPv4 invalid checksum"; icmpv4-csum:invalid; sid:2200076; rev:1;)
>> alert tcp any any -> any any (msg:"SURICATA TCPv6 invalid checksum"; tcpv6-csum:invalid; sid:2200077; rev:1;)
>> alert udp any any -> any any (msg:"SURICATA UDPv6 invalid checksum"; udpv6-csum:invalid; sid:2200078; rev:1;)
>> alert icmp any any -> any any (msg:"SURICATA ICMPv6 invalid checksum"; icmpv6-csum:invalid; sid:2200079; rev:1;)
>>
>>
>> >
>> > On Tue, Jan 29, 2013 at 5:22 AM, Victor Julien <lists at inliniac.net> wrote:
>> >
>> >     On 01/28/2013 08:52 PM, Vincent Fang wrote:
>> >     > I was reading through the online documentation and it only indicates
>> >     > that it verifies the checksums for TCP packets. What about UDP or IP
>> >     > checksums?
>> >
>> >     The TCP engine checks TCP checksums by default to prevent various
>> >     TCP reassembly evasion issues. Other checksums can be checked by using
>> >     the ipv4-csum, tcpv4-csum, tcpv6-csum, udpv4-csum, udpv6-csum,
>> >     icmpv4-csum and icmpv6-csum keywords.
>> >


-- 
Anoop Saldanha
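As an added illustration of what the ipv4-csum, tcpv4-csum and udpv4-csum checks in the thread above actually verify (example code written for this archive page, not Suricata's own decoder), the block below computes and validates the IPv4 header checksum and the TCP/UDP checksum over the IPv4 pseudo-header on a constructed sample packet. The sample addresses, ports and payload are made up; the handling of a zero UDP checksum as "not computed" follows RFC 768 and is this example's choice.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit one's-complement sum with end-around carry."""
    if len(data) % 2:
        data += b"\x00"  # odd-length data is padded with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def checksum(data: bytes) -> int:
    """Value to put in a checksum field: one's complement of the sum."""
    return (~ones_complement_sum(data)) & 0xFFFF

def ipv4_checksum(ip_hdr: bytes) -> int:
    """Header checksum, computed with the checksum field (bytes 10-11) zeroed."""
    ihl = (ip_hdr[0] & 0x0F) * 4
    return checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:ihl])

def ipv4_header_valid(ip_hdr: bytes) -> bool:
    """A correct header, checksum field included, sums to 0xFFFF."""
    ihl = (ip_hdr[0] & 0x0F) * 4
    return len(ip_hdr) >= ihl and ones_complement_sum(ip_hdr[:ihl]) == 0xFFFF

def pseudo_header(src: bytes, dst: bytes, proto: int, length: int) -> bytes:
    """IPv4 pseudo-header (RFC 768/793): src, dst, zero, protocol, L4 length."""
    return src + dst + struct.pack("!BBH", 0, proto, length)

def l4_checksum_valid(src: bytes, dst: bytes, proto: int, segment: bytes) -> bool:
    """TCP (proto 6) or UDP (proto 17) checksum over pseudo-header + segment.
    A UDP checksum of 0 means 'not computed' (RFC 768), so it is accepted here."""
    if proto == 17 and segment[6:8] == b"\x00\x00":
        return True
    ph = pseudo_header(src, dst, proto, len(segment))
    return ones_complement_sum(ph + segment) == 0xFFFF

def build_udp(src: bytes, dst: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """UDP datagram with a correct checksum (a computed 0 is sent as 0xFFFF)."""
    length = 8 + len(payload)
    hdr = struct.pack("!HHHH", sport, dport, length, 0)
    csum = checksum(pseudo_header(src, dst, 17, length) + hdr + payload)
    return struct.pack("!HHHH", sport, dport, length, csum or 0xFFFF) + payload

# Constructed sample IPv4 header (protocol UDP, 192.168.0.1 -> 192.168.0.199)
# whose checksum field holds the correct value 0xB861.
SAMPLE_IPV4 = bytes.fromhex("45000073000040004011b861c0a80001c0a800c7")
SRC, DST = SAMPLE_IPV4[12:16], SAMPLE_IPV4[16:20]
```

A packet that fails `ipv4_header_valid` or `l4_checksum_valid` is exactly what the `ipv4-csum:invalid` / `udpv4-csum:invalid` rules above would alert on; note that a TTL change without a checksum update is enough to trip the IPv4 check.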


