[Oisf-users] Bad IPv6 events on UDP packets
Victor Julien
lists at inliniac.net
Thu Nov 24 15:02:55 UTC 2016
On 22-11-16 14:47, Martijn van Oosterhout wrote:
> Hi,
>
> We're getting strange IPv6 events on traffic that isn't IPv6 but plain
> UDP/IPv4 packets. Concretely, the rule is:
>
> alert pkthdr any any -> any any (msg:"SURICATA IPv6 truncated extension
> header"; decode-event:ipv6.trunc_exthdr; sid:2200014; rev:1;)
>
> The packet looks like so:
> 16:01:26.988695 IP 101.102.103.104.45657 > 97.98.99.100.12340: UDP,
> length 54
> 0x0000: d46d 50b4 b901 74a2 e6a2 a947 0800 4500 .mP...t....G..E.
> 0x0010: 0052 f717 0000 4011 1b31 6566 6768 6162 .R....@..1efghab
> 0x0020: 6364 b259 3034 003e 96c2 6482 6af8 000e cd.Y04.>..d.j...
> 0x0030: 3c83 399c 9d0e 08a6 e2b7 64b1 ca33 de5a <.9.......d..3.Z
> 0x0040: 3453 8110 324e 6855 1945 661d 73dd 50d6 4S..2NhU.Ef.s.P.
> 0x0050: c39f 6660 d106 d5d8 fb1a 38c7 2ef4 7aa6 ..f`......8...z.
>
> (attached for convenience)
>
> The resulting event looks like:
> {"alert_severity": 3, "alert_category": "", "protocol": "IPv6-Opts",
> "event_type": "alert", "timestamp": "2016-11-17T15:01:26.988695+0000",
> "source_ip": "399c:9d0e:08a6:e2b7:64b1:ca33:de5a:3453", "alert_gid": 1,
> "destination_ip": "8110:324e:6855:1945:661d:73dd:50d6:c39f",
> "alert_signature_id": 2200014, "alert_action": "allowed",
> "alert_signature": "SURICATA IPv6 truncated extension header",
> "alert_rev": 1, "uuid": "8b9893c0-3e0c-4562-9a18-d25697c08bab"}
>
> This is completely reproducible here. As you can see, somehow Suricata is
> convinced it's an IPv6 packet when it clearly isn't. What's worse is that
> the alert message hides the fact that it was actually a UDP packet. If
> you set Suricata to log packet data it only logs from 6af8000e...
> (offset 2c), so you can't figure it out that way. There is no flow_id in
> the log, so you can't find it that way either. The above was found
> eventually by doing a content search on the PCAPs.
>
> Presumably this is due to some aggressive protocol detection but I don't
> see any way that suricata could have decided that packet was IPv6. Is
> this something that can be tweaked?
>
> Suricata 3.1.
This is probably another case of failing teredo auto detection.
https://redmine.openinfosecfoundation.org/issues/744
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
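To see why a plain UDP/IPv4 packet ends up with IPv6 addresses in the alert, here is an added example that re-implements, in simplified form, the kind of Teredo auto-detection Victor points at and runs it over the frame from the hex dump above. This is not Suricata's code: the heuristic used here (a UDP payload whose first nibble is 6 and which is at least 40 bytes long is treated as an encapsulated IPv6 packet, regardless of port) is an assumption about how the detector behaves, and the function and field names are the example's own. Everything the script reports (the "IPv6-Opts" protocol, the two 128-bit addresses, the truncated extension header) falls out of reading the UDP payload as an IPv6 header, which is what the EVE record shows.

```python
"""Added illustration of a Teredo-style misdetection on the frame posted above.

Not Suricata source.  The decision rule in looks_like_teredo() is an ASSUMPTION
about how the auto-detection behaves; the IPv6 parsing that follows is plain
RFC 8200 header walking and is what produces the addresses seen in the alert.
"""
import ipaddress
import struct

# Bytes of the Ethernet frame exactly as given in the hex dump on the list.
FRAME = bytes.fromhex(
    "d46d50b4b90174a2e6a2a94708004500"
    "0052f717000040111b31656667686162"
    "6364b2593034003e96c264826af8000e"
    "3c83399c9d0e08a6e2b764b1ca33de5a"
    "34538110324e68551945661d73dd50d6"
    "c39f6660d106d5d8fb1a38c72ef47aa6"
)

# IPv6 extension headers that carry a (next header, length) pair, RFC 8200 / RFC 4302.
EXT_HEADERS = {0: "HOPOPTS", 43: "ROUTING", 44: "FRAGMENT", 51: "AH", 60: "IPv6-Opts"}
UPPER_LAYER = {6: "TCP", 17: "UDP", 58: "ICMPv6", 59: "NoNextHeader"}


def udp_payload(frame):
    """Walk Ethernet -> IPv4 -> UDP and return (src, sport, dst, dport, payload)."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 17:
        raise ValueError("not UDP")
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    udp = ip[ihl:total_len]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    return src, sport, dst, dport, udp[8:ulen]


def looks_like_teredo(payload):
    """ASSUMED heuristic: version nibble 6 plus room for a 40-byte IPv6 header.

    Note what is *not* checked: the UDP port (Teredo uses 3544) or any
    plausibility of the inner header.  Random data starts with 0x6 one time in 16.
    """
    return len(payload) >= 40 and payload[0] >> 4 == 6


def decode_ipv6(payload):
    """Parse the fixed header, then walk the extension chain the way a decoder
    would, flagging a header whose declared size exceeds the bytes available
    (the condition the alert above calls "truncated extension header")."""
    plen, nxt, _hlim = struct.unpack("!HBB", payload[4:8])
    info = {
        "src": ipaddress.IPv6Address(payload[8:24]).exploded,
        "dst": ipaddress.IPv6Address(payload[24:40]).exploded,
        "payload_len": plen,
        "protocol": None,
        "events": [],
    }
    body = payload[40:40 + plen]
    if len(payload) - 40 < plen:
        info["events"].append("ipv6.trunc_pkt")
    off = 0
    while nxt in EXT_HEADERS:
        info["protocol"] = EXT_HEADERS[nxt]
        if len(body) - off < 2:
            info["events"].append("ipv6.trunc_exthdr")
            break
        hdr_nxt, hdr_len = body[off], body[off + 1]
        if nxt == 44:                      # fragment header is a fixed 8 bytes
            size = 8
        elif nxt == 51:                    # AH length is in 4-byte units, minus 2
            size = (hdr_len + 2) * 4
        else:                              # HOPOPTS/ROUTING/DSTOPTS: 8-byte units, minus 1
            size = (hdr_len + 1) * 8
        if len(body) - off < size:
            info["events"].append("ipv6.trunc_exthdr")
            break
        off += size
        nxt = hdr_nxt
    else:
        info["protocol"] = UPPER_LAYER.get(nxt, str(nxt))
    return info


def analyze(frame):
    """Outer IPv4/UDP tuple plus, if the heuristic fires, the inner 'IPv6' view."""
    src, sport, dst, dport, payload = udp_payload(frame)
    result = {"outer": f"{src}:{sport} -> {dst}:{dport}", "teredo": False}
    if looks_like_teredo(payload):
        result["teredo"] = True
        result["inner"] = decode_ipv6(payload)
    return result


if __name__ == "__main__":
    r = analyze(FRAME)
    print("outer (what the alert hides):", r["outer"])
    if r["teredo"]:
        for k, v in r["inner"].items():
            print(f"inner {k}: {v}")
```

Running it against the posted frame prints the outer tuple 101.102.103.104:45657 -> 97.98.99.100:12340 and then, from the payload bytes 64 82 6a f8 00 0e 3c 83 ..., an inner "IPv6" header with next header 60 (IPv6-Opts), the source and destination addresses quoted in the EVE record, and an extension header claiming (0x60 + 1) * 8 = 776 bytes where only 14 remain, hence ipv6.trunc_exthdr. Any UDP payload whose first byte happens to be 0x6X and is long enough is a candidate for the same misdetection; tightening the heuristic (port check, sanity check of the inner payload length against the bytes actually present) is the fix in the tracker issue Victor links.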