[Oisf-users] Bad IPv6 events on UDP packets
Andreas Herz
andi at geekosphere.org
Wed Nov 23 20:58:50 UTC 2016
Hi Martijn,
we need to look into that, could you be so kind as to submit a bug report
with those details at our redmine?
https://redmine.openinfosecfoundation.org/projects/suricata/issues
Thanks!
On 22/11/16 at 14:47, Martijn van Oosterhout wrote:
> Hi,
>
> We're getting strange IPv6 events on traffic that isn't IPv6 but plain
> UDP/IPv4 packets. Concretely, the rule is:
>
> alert pkthdr any any -> any any (msg:"SURICATA IPv6 truncated extension header"; decode-event:ipv6.trunc_exthdr; sid:2200014; rev:1;)
>
> The packet looks like so:
> 16:01:26.988695 IP 101.102.103.104.45657 > 97.98.99.100.12340: UDP, length 54
> 0x0000: d46d 50b4 b901 74a2 e6a2 a947 0800 4500 .mP...t....G..E.
> 0x0010: 0052 f717 0000 4011 1b31 6566 6768 6162 .R....@..1efghab
> 0x0020: 6364 b259 3034 003e 96c2 6482 6af8 000e cd.Y04.>..d.j...
> 0x0030: 3c83 399c 9d0e 08a6 e2b7 64b1 ca33 de5a <.9.......d..3.Z
> 0x0040: 3453 8110 324e 6855 1945 661d 73dd 50d6 4S..2NhU.Ef.s.P.
> 0x0050: c39f 6660 d106 d5d8 fb1a 38c7 2ef4 7aa6 ..f`......8...z.
>
> (attached for convenience)
>
> The resulting event looks like:
> {"alert_severity": 3, "alert_category": "", "protocol": "IPv6-Opts",
> "event_type": "alert", "timestamp": "2016-11-17T15:01:26.988695+0000",
> "source_ip": "399c:9d0e:08a6:e2b7:64b1:ca33:de5a:3453", "alert_gid": 1,
> "destination_ip": "8110:324e:6855:1945:661d:73dd:50d6:c39f",
> "alert_signature_id": 2200014, "alert_action": "allowed",
> "alert_signature": "SURICATA IPv6 truncated extension header", "alert_rev":
> 1, "uuid": "8b9893c0-3e0c-4562-9a18-d25697c08bab"}
>
> This is completely reproducible here. As you can see somehow suricata is
> convinced it's an IPv6 packet when it clearly isn't. What's worse is that the
> alert message hides the fact that it was actually a UDP packet. If you set
> Suricata to log packet data it only logs from 6af8000e... (offset 2c) so
> you can't figure it out that way. There is no flow_id in the log so you
> can't find it that way either. The above was found eventually by doing a
> content search on the PCAPs.
>
> Presumably this is due to some aggressive protocol detection but I don't
> see any way that suricata could have decided that packet was IPv6. Is this
> something that can be tweaked?
>
> Suricata 3.1.
>
> Thanks in advance,
> --
> Martijn van Oosterhout <kleptog at gmail.com> http://svana.org/kleptog/
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://suricon.net
--
Andreas Herz
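The hex dump in the quoted report contains enough to check the diagnosis offline. The following script is an added example (not part of the thread and not Suricata code): it parses the dump, decodes the outer Ethernet/IPv4/UDP headers, and then reads the 54-byte UDP payload (frame offset 0x2a) as if it were a fixed 40-byte IPv6 header, which is the layout an IPv6-over-UDP (Teredo-style) decoder looks for. Doing so reproduces the two addresses, the "IPv6-Opts" next header (60, destination options) and the truncated-extension-header condition from the alert exactly, which is consistent with the decoder having treated the UDP payload as a tunnelled IPv6 packet. The field names in the returned dicts are my own; the bytes are those of the report.

```python
import ipaddress
import struct

# Hex dump copied from the report: 96 bytes = 14 Ethernet + 20 IPv4 + 8 UDP + 54 payload.
HEXDUMP = """
0x0000: d46d 50b4 b901 74a2 e6a2 a947 0800 4500
0x0010: 0052 f717 0000 4011 1b31 6566 6768 6162
0x0020: 6364 b259 3034 003e 96c2 6482 6af8 000e
0x0030: 3c83 399c 9d0e 08a6 e2b7 64b1 ca33 de5a
0x0040: 3453 8110 324e 6855 1945 661d 73dd 50d6
0x0050: c39f 6660 d106 d5d8 fb1a 38c7 2ef4 7aa6
"""

IPPROTO_UDP = 17
IPV6_DEST_OPTS = 60  # next-header value that Suricata labels "IPv6-Opts"


def parse_hexdump(text):
    """Turn a tcpdump -x style dump (ASCII column removed) into raw bytes."""
    raw = bytearray()
    for line in text.strip().splitlines():
        _, _, hexpart = line.partition(":")
        raw += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(raw)


def decode_ipv4_udp(frame):
    """Parse Ethernet/IPv4/UDP the way the outer headers actually read."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4 in Ethernet")
    ip = frame[14:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", ip[2:4])
    udp = ip[ihl:total_len]
    sport, dport, ulen, _csum = struct.unpack("!HHHH", udp[:8])
    return {
        "ip_version": version,
        "proto": ip[9],
        "src": str(ipaddress.IPv4Address(ip[12:16])),
        "dst": str(ipaddress.IPv4Address(ip[16:20])),
        "sport": sport,
        "dport": dport,
        "payload": udp[8:ulen],
    }


def reinterpret_as_ipv6(payload):
    """Read arbitrary bytes as a fixed 40-byte IPv6 header, as a tunnel decoder would."""
    if len(payload) < 40:
        return None
    vtcfl, plen, nh, hlim = struct.unpack("!IHBB", payload[:8])
    return {
        "version": vtcfl >> 28,
        "payload_len": plen,
        "next_header": nh,
        "hop_limit": hlim,
        "src": ipaddress.IPv6Address(payload[8:24]).exploded,
        "dst": ipaddress.IPv6Address(payload[24:40]).exploded,
        "remaining": len(payload) - 40,
        "ext": payload[40:],
    }


def check_dest_opts(ext):
    """RFC 8200 length rule: a destination-options header occupies (hdr_ext_len + 1) * 8 bytes."""
    if len(ext) < 2:
        return {"truncated": True, "needed": 8, "available": len(ext)}
    needed = (ext[1] + 1) * 8
    return {"truncated": len(ext) < needed, "needed": needed, "available": len(ext)}


def explain(frame):
    """Outer view, inner (misread) IPv6 view, and the extension-header check that fires."""
    outer = decode_ipv4_udp(frame)
    inner = reinterpret_as_ipv6(outer["payload"])
    ext = None
    if inner is not None and inner["version"] == 6 and inner["next_header"] == IPV6_DEST_OPTS:
        ext = check_dest_opts(inner["ext"])
    return outer, inner, ext


if __name__ == "__main__":
    outer, inner, ext = explain(parse_hexdump(HEXDUMP))
    print("outer: %s:%d -> %s:%d proto %d" % (outer["src"], outer["sport"],
                                              outer["dst"], outer["dport"], outer["proto"]))
    print("payload read as IPv6: %s -> %s next header %d payload_len %d" % (
        inner["src"], inner["dst"], inner["next_header"], inner["payload_len"]))
    print("destination-options header:", ext)
```

The outer decode gives 101.102.103.104:45657 -> 97.98.99.100:12340, protocol 17, as tcpdump shows. The payload's first nibble is 6, its payload-length field (14) equals the bytes that follow the 40-byte header, the next header is 60, and the destination-options header then claims 776 bytes where only 14 remain, which is precisely the "truncated extension header" decode event. When triaging such alerts, logging the full original packet (or keeping the PCAP) is what lets you tell the outer UDP flow from the reinterpreted inner addresses.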