Hello, I am new to studying Suricata and packets.
I am using Suricata in a VM in AWS. I created a custom rule that should drop any packets if the IPv4 header is greater than 60 bytes. I've used the ipv4.hdr keyword and byte_test.
However, every time I start up Suricata, the custom rule triggers even if I haven't sent test packets yet. I think it detects a false positive. I'm viewing the log file in /var/log/suricata/fast.log
Rule:
drop ip any any -> any any (msg:"IPv4 header greater than 60 bytes"; ipv4.hdr; byte_test:1,>,15,0,relative; sid:10012; rev:1;)
My question is, are IPv4 headers with more than 60 bytes malicious? How can I tweak this rule so it will not drop false positives?
Thank you.
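An added example, not from the original post: a small Python model of how a byte_test like the one in the rule above evaluates against the ipv4.hdr buffer, run over constructed IPv4 headers of 20, 24 and 60 bytes. It shows what byte 0 of the header actually holds (version in the high nibble, IHL in the low nibble), what the posted test `1,>,15,0` compares, and what the same test compares when restricted to the IHL nibble with Suricata's `bitmask` option (the `bitmask 0x0f` syntax and its right-shift behaviour are assumptions about Suricata's implementation, not taken from the post).

```python
"""
Added example (not code from the original post): model Suricata's byte_test
against the ipv4.hdr buffer using constructed IPv4 headers.
"""
import operator
import struct

# byte_test operators modelled here (Suricata also supports & and ^, omitted)
OPS = {">": operator.gt, "<": operator.lt, "=": operator.eq,
       ">=": operator.ge, "<=": operator.le}


def build_ipv4_header(options=b""):
    """Construct a minimal IPv4 header with no payload (constructed sample data,
    not a captured packet). Options are padded to a 32-bit boundary and IHL is
    derived from the resulting length."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    ihl = 5 + len(options) // 4
    # IHL is a 4-bit field counting 32-bit words, so 15 * 4 = 60 bytes is the ceiling
    assert ihl <= 15, "IPv4 header can never exceed 60 bytes"
    first = (4 << 4) | ihl          # version=4 in the high nibble, IHL in the low nibble
    total_len = 20 + len(options)
    return struct.pack("!BBHHHBBH4s4s",
                       first, 0, total_len, 0, 0, 64, 6, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + options


def ihl_bytes(hdr):
    """Header length in bytes as a parser sees it: low nibble of byte 0, times 4."""
    return (hdr[0] & 0x0F) * 4


def byte_test(buf, nbytes, op, value, offset, bitmask=None):
    """Model of byte_test:<nbytes>,<op>,<value>,<offset>[,bitmask <mask>]
    evaluated over a buffer such as ipv4.hdr."""
    if offset + nbytes > len(buf):
        return False
    extracted = int.from_bytes(buf[offset:offset + nbytes], "big")
    if bitmask is not None:
        extracted &= bitmask
        # Assumption: Suricata shifts the masked value right by the mask's
        # trailing zero bits; a no-op for 0x0f.
        while bitmask and not bitmask & 1:
            bitmask >>= 1
            extracted >>= 1
    return OPS[op](extracted, value)


# Constructed samples: a plain header, one with four NOP options, and the maximum size.
SAMPLES = {
    "plain 20-byte header": build_ipv4_header(),
    "24-byte header with NOP options": build_ipv4_header(b"\x01\x01\x01\x01"),
    "maximum 60-byte header": build_ipv4_header(b"\x01" * 40),
}


def posted_rule_matches(hdr):
    """byte_test:1,>,15,0 as in the question: compares the whole version+IHL byte
    (0x45 = 69 for an ordinary packet) against 15."""
    return byte_test(hdr, 1, ">", 15, 0)


def masked_rule_matches(hdr, threshold):
    """byte_test:1,>,<threshold>,0,bitmask 0x0f: compares only the IHL nibble.
    Assumed bitmask syntax, see lead-in."""
    return byte_test(hdr, 1, ">", threshold, 0, bitmask=0x0F)


def evaluate():
    """One row per sample: name, byte 0, header length, posted test,
    masked test for '> 15' (60 bytes), masked test for '> 5' (options present)."""
    return [(name, hdr[0], ihl_bytes(hdr), posted_rule_matches(hdr),
             masked_rule_matches(hdr, 15), masked_rule_matches(hdr, 5))
            for name, hdr in SAMPLES.items()]


if __name__ == "__main__":
    for name, b0, length, posted, masked15, masked5 in evaluate():
        print(f"{name:34} byte0=0x{b0:02x} len={length:2} "
              f"posted={posted} ihl>15={masked15} ihl>5={masked5}")
```

Running it shows the posted comparison is true for every sample, including the plain 20-byte header, because 0x45 is 69 as an integer; the masked comparison against 15 is false for every sample, because the IHL nibble tops out at 15 (60 bytes), while a masked comparison against 5 is true exactly for the headers that carry options.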