[Oisf-users] Bad IPv6 events on UDP packets

Martijn van Oosterhout kleptog at gmail.com
Tue Nov 22 13:47:25 UTC 2016


We're getting strange IPv6 events on traffic that isn't IPv6 but plain
UDP/IPv4 packets. Concretely, the rule is:

alert pkthdr any any -> any any (msg:"SURICATA IPv6 truncated extension header"; decode-event:ipv6.trunc_exthdr; sid:2200014; rev:1;)

The packet looks like so:
16:01:26.988695 IP > UDP, length
    0x0000:  d46d 50b4 b901 74a2 e6a2 a947 0800 4500  .mP...t....G..E.
    0x0010:  0052 f717 0000 4011 1b31 6566 6768 6162  .R....@..1efghab
    0x0020:  6364 b259 3034 003e 96c2 6482 6af8 000e  cd.Y04.>..d.j...
    0x0030:  3c83 399c 9d0e 08a6 e2b7 64b1 ca33 de5a  <.9.......d..3.Z
    0x0040:  3453 8110 324e 6855 1945 661d 73dd 50d6  4S..2NhU.Ef.s.P.
    0x0050:  c39f 6660 d106 d5d8 fb1a 38c7 2ef4 7aa6  ..f`......8...z.

(attached for convenience)

The resulting event looks like:
{
  "alert_severity": 3,
  "alert_category": "",
  "protocol": "IPv6-Opts",
  "event_type": "alert",
  "timestamp": "2016-11-17T15:01:26.988695+0000",
  "source_ip": "399c:9d0e:08a6:e2b7:64b1:ca33:de5a:3453",
  "alert_gid": 1,
  "destination_ip": "8110:324e:6855:1945:661d:73dd:50d6:c39f",
  "alert_signature_id": 2200014,
  "alert_action": "allowed",
  "alert_signature": "SURICATA IPv6 truncated extension header",
  "alert_rev": 1,
  "uuid": "8b9893c0-3e0c-4562-9a18-d25697c08bab"
}

This is completely reproducible here. As you can see, somehow suricata is
convinced it's an IPv6 packet when it clearly isn't. What's worse is that the
alert message hides the fact that it was actually a UDP packet. If you set
Suricata to log packet data it only logs from 6af8000e... (offset 2c), so
you can't figure it out that way. There is no flow_id in the log, so you
can't find it that way either. The above was found eventually by doing a
content search on the PCAPs.

Presumably this is due to some aggressive protocol detection but I don't
see any way that suricata could have decided that packet was IPv6. Is this
something that can be tweaked?

Suricata 3.1.

Thanks in advance,
Martijn van Oosterhout <kleptog at gmail.com> http://svana.org/kleptog/
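Re-decoding the posted frame, as an added example that is not part of the original post and is not Suricata's code: the outer packet is Ethernet/IPv4/UDP, and the UDP payload starts at offset 0x2a with the byte 0x64, whose high nibble is 6. Read as an IPv6 header, those 40 bytes give payload length 14, next header 60 (Destination Options, hence "IPv6-Opts" in the alert) and exactly the source and destination addresses from the alert; the 14 bytes after them, treated as a Destination Options header, claim a length of (0x60+1)*8 = 776 bytes, which is more than is left, hence "truncated extension header". Suricata's decoder that interprets UDP payloads as IPv6 is its Teredo decoder (the `decoder.teredo` section of suricata.yaml); that this is what fired for the posted packet is my inference from the bytes, not something the post confirms, and the first-nibble check below is a simplified model of that heuristic, not a copy of it.

```python
"""Walk the frame from the post the way a Teredo-style decoder would.

Added example: the only input is the hex dump quoted in the post, and the
IPv6-over-UDP heuristic here is a simplified model, not Suricata's code.
"""
import struct
import ipaddress

# The six rows of the posted hex dump, copied verbatim (96-byte Ethernet frame).
FRAME_HEX = """
d46d 50b4 b901 74a2 e6a2 a947 0800 4500
0052 f717 0000 4011 1b31 6566 6768 6162
6364 b259 3034 003e 96c2 6482 6af8 000e
3c83 399c 9d0e 08a6 e2b7 64b1 ca33 de5a
3453 8110 324e 6855 1945 661d 73dd 50d6
c39f 6660 d106 d5d8 fb1a 38c7 2ef4 7aa6
"""
FRAME = bytes.fromhex("".join(FRAME_HEX.split()))


def parse_eth_ipv4_udp(frame):
    """Outer decode: Ethernet -> IPv4 -> UDP.  Returns the UDP payload and
    the frame offset at which it starts, plus the outer addresses/ports."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = 14
    if frame[ip] >> 4 != 4:
        raise ValueError("IP version is not 4")
    ihl = (frame[ip] & 0x0F) * 4
    if frame[ip + 9] != 17:
        raise ValueError("not UDP")
    udp = ip + ihl
    sport, dport, ulen, _csum = struct.unpack("!HHHH", frame[udp:udp + 8])
    payload_off = udp + 8
    return {
        "src": str(ipaddress.IPv4Address(frame[ip + 12:ip + 16])),
        "dst": str(ipaddress.IPv4Address(frame[ip + 16:ip + 20])),
        "sport": sport,
        "dport": dport,
        "udp_len": ulen,
        "payload_off": payload_off,
        "payload": frame[payload_off:udp + ulen],
    }


def decode_udp_payload_as_ipv6(payload):
    """Simplified IPv6-over-UDP heuristic (assumption, not Suricata's exact
    check): if the first nibble is 6 and a 40-byte header fits, read the
    payload as IPv6 and inspect the first extension header.  Returns None
    when the heuristic does not fire."""
    if len(payload) < 40 or payload[0] >> 4 != 6:
        return None
    _vtf, plen, nh, hlim = struct.unpack("!IHBB", payload[:8])
    info = {
        "payload_len": plen,
        "next_header": nh,
        "hop_limit": hlim,
        # .exploded keeps leading zeros, matching the alert's formatting.
        "src": ipaddress.IPv6Address(payload[8:24]).exploded,
        "dst": ipaddress.IPv6Address(payload[24:40]).exploded,
        "truncated_exthdr": False,
    }
    rest = payload[40:]
    # Hop-by-Hop (0), Routing (43) and Destination Options (60) share the
    # RFC 8200 layout: next header, then "hdr ext len" in 8-octet units not
    # counting the first 8 octets.  If the claimed length exceeds what is
    # left in the payload, the extension header is truncated.
    if nh in (0, 43, 60):
        if len(rest) < 2:
            info["truncated_exthdr"] = True
        else:
            ext_len = (rest[1] + 1) * 8
            info["exthdr_len"] = ext_len
            info["truncated_exthdr"] = ext_len > len(rest)
    return info


if __name__ == "__main__":
    outer = parse_eth_ipv4_udp(FRAME)
    print("outer: %s:%d -> %s:%d, UDP payload at 0x%02x" % (
        outer["src"], outer["sport"], outer["dst"], outer["dport"],
        outer["payload_off"]))
    print("inner:", decode_udp_payload_as_ipv6(outer["payload"]))
```

Run against the posted frame this prints the outer IPv4/UDP 5-tuple (the part the alert does not show) and an inner record whose `src`/`dst` are the two addresses from the alert and whose `truncated_exthdr` is true. For a quick check on other suspect events, the same comparison works by hand: take the UDP payload at offset 0x2a of the frame and see whether bytes 8..39 spell out the alert's IPv6 addresses.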
