Different detection from rules when UDP header is broken

Hi, I don’t know where to file a bug report, so I wrote it here.

This rule detects broken UDP packets.

alert udp $EXTERNAL_NET :1024 <> $HOME_NET 0 (msg:"UDP Port 0"; sid:1;)

The broken UDP packet is this.

udpport0.pcap (160 Bytes)

Here’s the detection result.

05/30/2022-12:34:15.240177  [**] [1:1:0] UDP Port 0 [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.100.102:0 -> 192.0.2.1:0

My environment:
Version: 6.0.5 RELEASE
Installation: RPM package from copr
OS: Rocky Linux 8.5

If there is any other information needed, I will provide it.

Hello Toushimi,

thanks for your report!
I’ve created an issue in our project tracker (Bug #5379: detect/udp: different detection from rules when UDP header is broken - Suricata - Open Information Security Foundation) and will investigate it, with time :slight_smile:

We’ll reach out if we need more info, too!


A similar error occurred with TCP.
It appears that it is not limited to UDP.

Oh, ok, thanks for pointing that out. (and sorry for the late answer!)

If you have anything from that other error that you could share (if you prefer, you can also share via a private message), that would be appreciated :slight_smile:

In the meantime, I’ve updated the ticket accordingly.

Hello!

Thank you for the report! And, thanks Juliana for creating the ticket.

We have a fix for UDP here if you’d like to give it a try: Pr 8341 and payload len fix/v1 by inashivb · Pull Request #8342 · OISF/suricata · GitHub
Do you by any chance have a pcap for TCP as well where it fails? It’s to add the tests to our infrastructure.
Thank you very much!
Apologies for the delay.
