Custom rule automatically triggers

Hello, I am new to studying Suricata and packets.

I am using Suricata in a VM in AWS. I created a custom rule that should drop any packets if the IPv4 header is greater than 60 bytes. I’ve used the ipv4.hdr keyword and byte_test.

However, every time I start up Suricata, the custom rule triggers even if I haven't sent test packets yet. I think it detects a false positive. I'm viewing the log file in /var/log/suricata/fast.log

Rule:
drop ip any any -> any any (msg:"IPv4 header greater than 60 bytes"; ipv4.hdr; byte_test:1,>,15,0,relative; sid:10012; rev:1;)

My question is, are IPv4 headers with more than 60 bytes malicious? How can I tweak this rule so it will not drop false positives?

Thank you.

Any suggestion or insights are very much appreciated. Thanks
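As an added illustration, not part of the original post: the snippet below builds constructed IPv4 headers and emulates the arithmetic of byte_test (the helper names build_ipv4_header, byte_test, ipv4_header_len and evaluate are hypothetical) to show what the posted test reads from byte 0, where the version and IHL fields share a single byte, and what a bitmask read of IHL alone returns.

```python
import struct

def build_ipv4_header(options: bytes = b"") -> bytes:
    """Constructed IPv4 header (test data, not a capture). Byte 0 packs the
    version (high nibble, 4) and IHL (low nibble, header length in 32-bit
    words, 5..15); options must be 4-byte aligned and at most 40 bytes."""
    assert len(options) % 4 == 0 and len(options) <= 40
    ihl = 5 + len(options) // 4                      # 20 fixed bytes + options
    fixed = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl,                              # version/IHL
        0, ihl * 4, 0x1234, 0,                       # DSCP/ECN, total len, id, flags/frag
        64, 6, 0,                                    # TTL, protocol TCP, checksum (unused)
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),  # constructed src/dst
    )
    return fixed + options

def byte_test(buf: bytes, nbytes: int, op: str, value: int, offset: int,
              bitmask: int = 0) -> bool:
    """Emulate byte_test: read nbytes big-endian at offset, optionally AND
    with bitmask (Suricata also shifts off the mask's trailing zero bits), compare."""
    extracted = int.from_bytes(buf[offset:offset + nbytes], "big")
    if bitmask:
        extracted &= bitmask
        while bitmask & 1 == 0:
            bitmask >>= 1
            extracted >>= 1
    return {">": extracted > value, "<": extracted < value,
            "=": extracted == value}[op]

def ipv4_header_len(buf: bytes) -> int:
    """Header length in bytes as the IP stack computes it: IHL * 4 (max 60)."""
    return (buf[0] & 0x0F) * 4

def evaluate(hdr: bytes) -> dict:
    """Compare the posted test (whole byte 0 > 15) with reads that isolate IHL."""
    return {
        "byte0": hdr[0],
        "header_len": ipv4_header_len(hdr),
        "posted_test": byte_test(hdr, 1, ">", 15, 0),        # version+IHL byte, no mask
        "ihl_gt_15": byte_test(hdr, 1, ">", 15, 0, 0x0F),    # IHL alone; never true
        "has_options": byte_test(hdr, 1, ">", 5, 0, 0x0F),   # IHL > 5: options present
    }

if __name__ == "__main__":
    for opts in (b"", b"\x01" * 8, b"\x01" * 40):
        print(len(opts), evaluate(build_ipv4_header(opts)))
```

A plain 20-byte header has byte 0 = 0x45 (69), so an unmasked one-byte test against 15 matches every IPv4 packet, while the masked IHL can never exceed 15.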

Can you share your suricata.yaml config and how you run Suricata? Ideally also stats.log and suricata.log.