[Oisf-users] Information on rule 2200037
Boris Grijalva
tioz01 at hotmail.com
Mon Jul 30 07:12:12 UTC 2018
Hi,
Sorry for the basic question, but what exactly does rule 2200037 trigger on?
The definition of the rule is:
alert pkthdr any any -> any any (msg:"SURICATA TCP duplicated option"; decode-event:tcp.opt_duplicate; sid:2200037; rev:1;)
I went on to read the source code, and it seems to trigger when it detects the use of the SACK option in a packet, which is not actually bad unless you don't want the SACK option to be used:
switchtype<https://doxygen.openinfosecfoundation.org/app-layer-dns-common_8h.html#acb5cfd209ba75c853d03f701e7f91679>
90 case TCP_OPT_WS<https://doxygen.openinfosecfoundation.org/decode-tcp_8h.html#a0917daaa1f4a3047c14cbbbf69e141a6>:
91 if (tcp_opts[tcp_opt_cnt].len != TCP_OPT_WS_LEN<https://doxygen.openinfosecfoundation.org/decode-tcp_8h.html#a9fd61daadb74d49b60f89c994009e4e8>) {
92 ENGINE_SET_EVENT<https://doxygen.openinfosecfoundation.org/decode_8h.html#ae582a247ff75a01700387306b68b4c02>(p,TCP_OPT_INVALID_LEN<https://doxygen.openinfosecfoundation.org/decode-events_8h.html#ab48899087cc647f0f791ed0c459adc53a34b7a336382798762b1b252ddda5d8f7>);
93 } else {
94 if (p->tcpvars<https://doxygen.openinfosecfoundation.org/structPacket__.html#aad18a5604814aa12c37d24d5fc0cbcfa>.ws<https://doxygen.openinfosecfoundation.org/structTCPVars__.html#a9c0cae0905a677d60ee604ce3b2c20c1>.type<https://doxygen.openinfosecfoundation.org/structTCPOpt__.html#ac78dbf57e2dccb39ca85c44ab466f6f6> != 0) {
95 ENGINE_SET_EVENT<https://doxygen.openinfosecfoundation.org/decode_8h.html#ae582a247ff75a01700387306b68b4c02>(p,TCP_OPT_DUPLICATE<https://doxygen.openinfosecfoundation.org/decode-events_8h.html#ab48899087cc647f0f791ed0c459adc53a826a328ed2752be108de28ef71ab1867>);
96 } else {
97 SET_OPTS<https://doxygen.openinfosecfoundation.org/decode-tcp_8c.html#af2b3fb7fd310a00638a16c14c1c85555>(p->tcpvars<https://doxygen.openinfosecfoundation.org/structPacket__.html#aad18a5604814aa12c37d24d5fc0cbcfa>.ws<https://doxygen.openinfosecfoundation.org/structTCPVars__.html#a9c0cae0905a677d60ee604ce3b2c20c1>, tcp_opts[tcp_opt_cnt]);
98 }
99 }
100 break;
101 case TCP_OPT_MSS<https://doxygen.openinfosecfoundation.org/decode-tcp_8h.html#a691688604655ea8943d15f14c60027d8>:
102 if (tcp_opts[tcp_opt_cnt].len != TCP_OPT_MSS_LEN<https://doxygen.openinfosecfoundation.org/decode-tcp_8h.html#a12f3bf821224b8e7b48a57ed3cea15cf>) {
103 ENGINE_SET_EVENT<https://doxygen.openinfosecfoundation.org/decode_8h.html#ae582a247ff75a01700387306b68b4c02>(p,TCP_OPT_INVALID_LEN<https://doxygen.openinfosecfoundation.org/decode-events_8h.html#ab48899087cc647f0f791ed0c459adc53a34b7a336382798762b1b252ddda5d8f7>);
104 } else {
105 if (p->tcpvars<https://doxygen.openinfosecfoundation.org/structPacket__.html#aad18a5604814aa12c37d24d5fc0cbcfa>.mss<https://doxygen.openinfosecfoundation.org/structTCPVars__.html#a12b9bc061984016142eacaee0e410b32>.type<https://doxygen.openinfosecfoundation.org/structTCPOpt__.html#ac78dbf57e2dccb39ca85c44ab466f6f6> != 0) {
106 ENGINE_SET_EVENT<https://doxygen.openinfosecfoundation.org/decode_8h.html#ae582a247ff75a01700387306b68b4c02>(p,TCP_OPT_DUPLICATE<https://doxygen.openinfosecfoundation.org/decode-events_8h.html#ab48899087cc647f0f791ed0c459adc53a826a328ed2752be108de28ef71ab1867>);
107 } else {
108 SET_OPTS<https://doxygen.openinfosecfoundation.org/decode-tcp_8c.html#af2b3fb7fd310a00638a16c14c1c85555>(p->tcpvars<https://doxygen.openinfosecfoundation.org/structPacket__.html#aad18a5604814aa12c37d24d5fc0cbcfa>.mss<https://doxygen.openinfosecfoundation.org/structTCPVars__.html#a12b9bc061984016142eacaee0e410b32>, tcp_opts[tcp_opt_cnt]);
109 }
110 }
111 break;
112 case TCP_OPT_SACKOK<https://doxygen.openinfosecfoundation.org/decode-tcp_8h.html#aefb4805eacbb5ac70a0f593856d1e3a3>:
113 if (tcp_opts[tcp_opt_cnt].len != TCP_OPT_SACKOK_LEN<https://doxygen.openinfosecfoundation.org/decode-tcp_8h.html#a13cda29de3920cf0cdb7507778079183>) {
114 ENGINE_SET_EVENT<https://doxygen.openinfosecfoundation.org/decode_8h.html#ae582a247ff75a01700387306b68b4c02>(p,TCP_OPT_INVALID_LEN<https://doxygen.openinfosecfoundation.org/decode-events_8h.html#ab48899087cc647f0f791ed0c459adc53a34b7a336382798762b1b252ddda5d8f7>);
115 } else {
116 if (p->tcpvars<https://doxygen.openinfosecfoundation.org/structPacket__.html#aad18a5604814aa12c37d24d5fc0cbcfa>.sackok<https://doxygen.openinfosecfoundation.org/structTCPVars__.html#ac165518d9d082f25f48fda84f97469d7>.type<https://doxygen.openinfosecfoundation.org/structTCPOpt__.html#ac78dbf57e2dccb39ca85c44ab466f6f6> != 0) {
117 ENGINE_SET_EVENT<https://doxygen.openinfosecfoundation.org/decode_8h.html#ae582a247ff75a01700387306b68b4c02>(p,TCP_OPT_DUPLICATE<https://doxygen.openinfosecfoundation.org/decode-events_8h.html#ab48899087cc647f0f791ed0c459adc53a826a328ed2752be108de28ef71ab1867>);
118 } else {
119 SET_OPTS<https://doxygen.openinfosecfoundation.org/decode-tcp_8c.html#af2b3fb7fd310a00638a16c14c1c85555>(p->tcpvars<https://doxygen.openinfosecfoundation.org/structPacket__.html#aad18a5604814aa12c37d24d5fc0cbcfa>.sackok<https://doxygen.openinfosecfoundation.org/structTCPVars__.html#ac165518d9d082f25f48fda84f97469d7>, tcp_opts[tcp_opt_cnt]);
120 }
121 }
122 break;
123 case TCP_OPT_TS<https://doxygen.openinfosecfoundation.org/decode-tcp_8h.html#a01343751539d3b88a2c24a85148c84b1>:
124 if (tcp_opts[tcp_opt_cnt].len != TCP_OPT_TS_LEN<https://doxygen.openinfosecfoundation.org/decode-tcp_8h.html#a205e00af098d2d9ea5bc06d1e33d0c53>) {
125 ENGINE_SET_EVENT<https://doxygen.openinfosecfoundation.org/decode_8h.html#ae582a247ff75a01700387306b68b4c02>(p,TCP_OPT_INVALID_LEN<https://doxygen.openinfosecfoundation.org/decode-events_8h.html#ab48899087cc647f0f791ed0c459adc53a34b7a336382798762b1b252ddda5d8f7>);
126 } else {
127 if (p->tcpvars<https://doxygen.openinfosecfoundation.org/structPacket__.html#aad18a5604814aa12c37d24d5fc0cbcfa>.ts_set<https://doxygen.openinfosecfoundation.org/structTCPVars__.html#ab8bcc6d9e82e28ab16fa45db6f0a30a0>) {
128 ENGINE_SET_EVENT<https://doxygen.openinfosecfoundation.org/decode_8h.html#ae582a247ff75a01700387306b68b4c02>(p,TCP_OPT_DUPLICATE<https://doxygen.openinfosecfoundation.org/decode-events_8h.html#ab48899087cc647f0f791ed0c459adc53a826a328ed2752be108de28ef71ab1867>);
129 } else {
130 uint32_t values[2];
131 memcpy(&values, tcp_opts[tcp_opt_cnt].data, sizeof(values));
132 p->tcpvars<https://doxygen.openinfosecfoundation.org/structPacket__.html#aad18a5604814aa12c37d24d5fc0cbcfa>.ts_val<https://doxygen.openinfosecfoundation.org/structTCPVars__.html#a2f915ee3e94d19bb4b37d8824a3044f1> = SCNtohl<https://doxygen.openinfosecfoundation.org/suricata-common_8h.html#ada749cfd9b340a39f613d2c4af556537>(values[0]);
133 p->tcpvars<https://doxygen.openinfosecfoundation.org/structPacket__.html#aad18a5604814aa12c37d24d5fc0cbcfa>.ts_ecr<https://doxygen.openinfosecfoundation.org/structTCPVars__.html#a97247c92e244706e0dc6db7313d1139c> = SCNtohl<https://doxygen.openinfosecfoundation.org/suricata-common_8h.html#ada749cfd9b340a39f613d2c4af556537>(values[1]);
134 p->tcpvars<https://doxygen.openinfosecfoundation.org/structPacket__.html#aad18a5604814aa12c37d24d5fc0cbcfa>.ts_set<https://doxygen.openinfosecfoundation.org/structTCPVars__.html#ab8bcc6d9e82e28ab16fa45db6f0a30a0> = TRUE<https://doxygen.openinfosecfoundation.org/suricata-common_8h.html#aa8cecfc5c5c054d2875c03e77b7be15d>;
135 }
136 }
137 break;
But this is my first attempt at understanding the alerts I am getting, so any input is appreciated. Thanks!
(btw, this question is unrelated to bug 1858)