[Oisf-users] Information on rule 2200037
Victor Julien
lists at inliniac.net
Sat Aug 4 07:56:17 UTC 2018
On 30-07-18 09:12, Boris Grijalva wrote:
>
> Hi,
>
>
> sorry for the basic question, but what exactly is rule 2200037
> triggering on?
>
> The definition of the rule is:
>
>
> alert pkthdr any any -> any any (msg:"SURICATA TCP duplicated option";
> decode-event:tcp.opt_duplicate; sid:2200037; rev:1;)
>
>
> I went on to read the source code, and it seems to trigger whenever it
> detects the SACK option in a packet. That would only be a problem if you
> did not want the SACK option in use at all:
>
>
> switchtype
> <https://doxygen.openinfosecfoundation.org/app-layer-dns-common_8h.html#acb5cfd209ba75c853d03f701e7f91679>
>
> 90 case TCP_OPT_WS
> <https://doxygen.openinfosecfoundation.org/decode-tcp_8h.html#a0917daaa1f4a3047c14cbbbf69e141a6>:
> 91 if (tcp_opts[tcp_opt_cnt].len != TCP_OPT_WS_LEN
> <https://doxygen.openinfosecfoundation.org/decode-tcp_8h.html#a9fd61daadb74d49b60f89c994009e4e8>)
> {
> 92 ENGINE_SET_EVENT
> <https://doxygen.openinfosecfoundation.org/decode_8h.html#ae582a247ff75a01700387306b68b4c02>(p,TCP_OPT_INVALID_LEN
> <https://doxygen.openinfosecfoundation.org/decode-events_8h.html#ab48899087cc647f0f791ed0c459adc53a34b7a336382798762b1b252ddda5d8f7>);
> 93 } else {
> 94 if (p->tcpvars
> <https://doxygen.openinfosecfoundation.org/structPacket__.html#aad18a5604814aa12c37d24d5fc0cbcfa>.ws
> <https://doxygen.openinfosecfoundation.org/structTCPVars__.html#a9c0cae0905a677d60ee604ce3b2c20c1>.type
> <https://doxygen.openinfosecfoundation.org/structTCPOpt__.html#ac78dbf57e2dccb39ca85c44ab466f6f6>
> != 0) {
> 95 ENGINE_SET_EVENT
> <https://doxygen.openinfosecfoundation.org/decode_8h.html#ae582a247ff75a01700387306b68b4c02>(p,TCP_OPT_DUPLICATE
> <https://doxygen.openinfosecfoundation.org/decode-events_8h.html#ab48899087cc647f0f791ed0c459adc53a826a328ed2752be108de28ef71ab1867>);
> 96 } else {
> 97 SET_OPTS
> <https://doxygen.openinfosecfoundation.org/decode-tcp_8c.html#af2b3fb7fd310a00638a16c14c1c85555>(p->tcpvars
> <https://doxygen.openinfosecfoundation.org/structPacket__.html#aad18a5604814aa12c37d24d5fc0cbcfa>.ws
> <https://doxygen.openinfosecfoundation.org/structTCPVars__.html#a9c0cae0905a677d60ee604ce3b2c20c1>,
> tcp_opts[tcp_opt_cnt]);
> 98 }
> 99 }
> 100 break;
> 101 case TCP_OPT_MSS
> <https://doxygen.openinfosecfoundation.org/decode-tcp_8h.html#a691688604655ea8943d15f14c60027d8>:
> 102 if (tcp_opts[tcp_opt_cnt].len != TCP_OPT_MSS_LEN
> <https://doxygen.openinfosecfoundation.org/decode-tcp_8h.html#a12f3bf821224b8e7b48a57ed3cea15cf>)
> {
> 103 ENGINE_SET_EVENT
> <https://doxygen.openinfosecfoundation.org/decode_8h.html#ae582a247ff75a01700387306b68b4c02>(p,TCP_OPT_INVALID_LEN
> <https://doxygen.openinfosecfoundation.org/decode-events_8h.html#ab48899087cc647f0f791ed0c459adc53a34b7a336382798762b1b252ddda5d8f7>);
> 104 } else {
> 105 if (p->tcpvars
> <https://doxygen.openinfosecfoundation.org/structPacket__.html#aad18a5604814aa12c37d24d5fc0cbcfa>.mss
> <https://doxygen.openinfosecfoundation.org/structTCPVars__.html#a12b9bc061984016142eacaee0e410b32>.type
> <https://doxygen.openinfosecfoundation.org/structTCPOpt__.html#ac78dbf57e2dccb39ca85c44ab466f6f6>
> != 0) {
> 106 ENGINE_SET_EVENT
> <https://doxygen.openinfosecfoundation.org/decode_8h.html#ae582a247ff75a01700387306b68b4c02>(p,TCP_OPT_DUPLICATE
> <https://doxygen.openinfosecfoundation.org/decode-events_8h.html#ab48899087cc647f0f791ed0c459adc53a826a328ed2752be108de28ef71ab1867>);
> 107 } else {
> 108 SET_OPTS
> <https://doxygen.openinfosecfoundation.org/decode-tcp_8c.html#af2b3fb7fd310a00638a16c14c1c85555>(p->tcpvars
> <https://doxygen.openinfosecfoundation.org/structPacket__.html#aad18a5604814aa12c37d24d5fc0cbcfa>.mss
> <https://doxygen.openinfosecfoundation.org/structTCPVars__.html#a12b9bc061984016142eacaee0e410b32>,
> tcp_opts[tcp_opt_cnt]);
> 109 }
> 110 }
> 111 break;
> 112 case TCP_OPT_SACKOK
> <https://doxygen.openinfosecfoundation.org/decode-tcp_8h.html#aefb4805eacbb5ac70a0f593856d1e3a3>:
> 113 if (tcp_opts[tcp_opt_cnt].len != TCP_OPT_SACKOK_LEN
> <https://doxygen.openinfosecfoundation.org/decode-tcp_8h.html#a13cda29de3920cf0cdb7507778079183>)
> {
> 114 ENGINE_SET_EVENT
> <https://doxygen.openinfosecfoundation.org/decode_8h.html#ae582a247ff75a01700387306b68b4c02>(p,TCP_OPT_INVALID_LEN
> <https://doxygen.openinfosecfoundation.org/decode-events_8h.html#ab48899087cc647f0f791ed0c459adc53a34b7a336382798762b1b252ddda5d8f7>);
> 115 } else {
> 116 if (p->tcpvars
> <https://doxygen.openinfosecfoundation.org/structPacket__.html#aad18a5604814aa12c37d24d5fc0cbcfa>.sackok
> <https://doxygen.openinfosecfoundation.org/structTCPVars__.html#ac165518d9d082f25f48fda84f97469d7>.type
> <https://doxygen.openinfosecfoundation.org/structTCPOpt__.html#ac78dbf57e2dccb39ca85c44ab466f6f6>
> != 0) {
> 117 ENGINE_SET_EVENT
> <https://doxygen.openinfosecfoundation.org/decode_8h.html#ae582a247ff75a01700387306b68b4c02>(p,TCP_OPT_DUPLICATE
> <https://doxygen.openinfosecfoundation.org/decode-events_8h.html#ab48899087cc647f0f791ed0c459adc53a826a328ed2752be108de28ef71ab1867>);
> 118 } else {
> 119 SET_OPTS
> <https://doxygen.openinfosecfoundation.org/decode-tcp_8c.html#af2b3fb7fd310a00638a16c14c1c85555>(p->tcpvars
> <https://doxygen.openinfosecfoundation.org/structPacket__.html#aad18a5604814aa12c37d24d5fc0cbcfa>.sackok
> <https://doxygen.openinfosecfoundation.org/structTCPVars__.html#ac165518d9d082f25f48fda84f97469d7>,
> tcp_opts[tcp_opt_cnt]);
> 120 }
> 121 }
> 122 break;
> 123 case TCP_OPT_TS
> <https://doxygen.openinfosecfoundation.org/decode-tcp_8h.html#a01343751539d3b88a2c24a85148c84b1>:
> 124 if (tcp_opts[tcp_opt_cnt].len != TCP_OPT_TS_LEN
> <https://doxygen.openinfosecfoundation.org/decode-tcp_8h.html#a205e00af098d2d9ea5bc06d1e33d0c53>)
> {
> 125 ENGINE_SET_EVENT
> <https://doxygen.openinfosecfoundation.org/decode_8h.html#ae582a247ff75a01700387306b68b4c02>(p,TCP_OPT_INVALID_LEN
> <https://doxygen.openinfosecfoundation.org/decode-events_8h.html#ab48899087cc647f0f791ed0c459adc53a34b7a336382798762b1b252ddda5d8f7>);
> 126 } else {
> 127 if (p->tcpvars
> <https://doxygen.openinfosecfoundation.org/structPacket__.html#aad18a5604814aa12c37d24d5fc0cbcfa>.ts_set
> <https://doxygen.openinfosecfoundation.org/structTCPVars__.html#ab8bcc6d9e82e28ab16fa45db6f0a30a0>)
> {
> 128 ENGINE_SET_EVENT
> <https://doxygen.openinfosecfoundation.org/decode_8h.html#ae582a247ff75a01700387306b68b4c02>(p,TCP_OPT_DUPLICATE
> <https://doxygen.openinfosecfoundation.org/decode-events_8h.html#ab48899087cc647f0f791ed0c459adc53a826a328ed2752be108de28ef71ab1867>);
> 129 } else {
> 130 uint32_t values[2];
> 131 memcpy(&values, tcp_opts[tcp_opt_cnt].data, sizeof(values));
> 132 p->tcpvars
> <https://doxygen.openinfosecfoundation.org/structPacket__.html#aad18a5604814aa12c37d24d5fc0cbcfa>.ts_val
> <https://doxygen.openinfosecfoundation.org/structTCPVars__.html#a2f915ee3e94d19bb4b37d8824a3044f1>
> = SCNtohl
> <https://doxygen.openinfosecfoundation.org/suricata-common_8h.html#ada749cfd9b340a39f613d2c4af556537>(values[0]);
> 133 p->tcpvars
> <https://doxygen.openinfosecfoundation.org/structPacket__.html#aad18a5604814aa12c37d24d5fc0cbcfa>.ts_ecr
> <https://doxygen.openinfosecfoundation.org/structTCPVars__.html#a97247c92e244706e0dc6db7313d1139c>
> = SCNtohl
> <https://doxygen.openinfosecfoundation.org/suricata-common_8h.html#ada749cfd9b340a39f613d2c4af556537>(values[1]);
> 134 p->tcpvars
> <https://doxygen.openinfosecfoundation.org/structPacket__.html#aad18a5604814aa12c37d24d5fc0cbcfa>.ts_set
> <https://doxygen.openinfosecfoundation.org/structTCPVars__.html#ab8bcc6d9e82e28ab16fa45db6f0a30a0>
> = TRUE
> <https://doxygen.openinfosecfoundation.org/suricata-common_8h.html#aa8cecfc5c5c054d2875c03e77b7be15d>;
> 135 }
> 136 }
> 137 break;
>
>
>
> But this is my first attempt at understanding the alerts I am getting,
> so any input is appreciated. Thanks!
>
>
> (btw, this question is unrelated to bug 1858)
>
The code detects whether a TCP option (such as SACK or WSCALE) has been set
twice (or more) within one packet's TCP header, not merely whether it is
present. Do you have a pcap?
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------