Different detection from rules when UDP header is broken

Hi, I don’t know where to file a bug report, so I wrote it here.

This rule detects broken UDP packets.

alert udp $EXTERNAL_NET :1024 <> $HOME_NET 0 (msg:"UDP Port 0"; sid:1;)

The broken UDP packet is this:

udpport0.pcap (160 Bytes)

Here’s the detection result.

05/30/2022-12:34:15.240177  [**] [1:1:0] UDP Port 0 [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.100.102:0 -> 192.0.2.1:0

My environment:
Version: 6.0.5 RELEASE
Installation: RPM package from copr
OS: Rocky Linux 8.5

If there is any other information needed, I will provide it.
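As an added example (not the reporter's pcap and not Suricata's code), the script below builds a pcap with one well-formed UDP datagram and one whose UDP header is cut off after 3 bytes, then runs both through a small model of a decoder and of the rule above. The model is an assumption about the mechanism, not a description of Suricata's internals: its decoder leaves the ports at 0 when fewer than 8 bytes are available and only records a header-too-short event, so `$HOME_NET 0` matches the broken packet exactly as in the alert above unless detection refuses to evaluate port constraints on packets carrying that event. `HOME_NET` is assumed to be 192.168.0.0/16; the two addresses are the ones printed in the alert.

```python
import ipaddress
import struct

# Constructed test values (not the reporter's pcap). The two addresses are the
# ones printed in the alert above; HOME_NET is an assumption about the config.
SRC_IP = "192.168.100.102"
DST_IP = "192.0.2.1"
HOME_NET = ipaddress.ip_network("192.168.0.0/16")
UDP_HLEN = 8


def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum over the IPv4 header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_udp(src: str, dst: str, udp_bytes: bytes) -> bytes:
    """IPv4 header (proto 17) followed by the given UDP bytes verbatim, so the
    caller can hand in fewer than the 8 bytes a UDP header needs."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp_bytes), 0x1234, 0,
                      64, 17, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + udp_bytes


def write_pcap(path: str, ip_packets) -> None:
    """Minimal libpcap writer (link type 1, Ethernet, zeroed MACs)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    with open(path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for pkt in ip_packets:
            frame = eth + pkt
            fh.write(struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame)


def decode_udp(ip_packet: bytes) -> dict:
    """Model decoder: ports start at 0 and stay 0 when the UDP header is too
    short; the short header is only recorded as an event on the packet."""
    ihl = (ip_packet[0] & 0x0F) * 4
    pkt = {"sip": str(ipaddress.ip_address(ip_packet[12:16])),
           "dip": str(ipaddress.ip_address(ip_packet[16:20])),
           "sp": 0, "dp": 0, "events": []}
    udp = ip_packet[ihl:]
    if len(udp) < UDP_HLEN:
        pkt["events"].append("UDP_HLEN_TOO_SMALL")
        return pkt
    pkt["sp"], pkt["dp"] = struct.unpack_from("!HH", udp)
    return pkt


def rule_matches(pkt: dict, skip_invalid_headers: bool) -> bool:
    """'alert udp $EXTERNAL_NET :1024 <> $HOME_NET 0' as a predicate.
    With skip_invalid_headers, a packet whose ports were never decoded
    cannot satisfy a port constraint at all."""
    if skip_invalid_headers and "UDP_HLEN_TOO_SMALL" in pkt["events"]:
        return False

    def external_low(ip, port):  # $EXTERNAL_NET :1024  (0..1024 inclusive)
        return ipaddress.ip_address(ip) not in HOME_NET and port <= 1024

    def home_zero(ip, port):  # $HOME_NET 0
        return ipaddress.ip_address(ip) in HOME_NET and port == 0

    # '<>' makes the rule bidirectional, so try both orientations.
    return ((external_low(pkt["sip"], pkt["sp"]) and home_zero(pkt["dip"], pkt["dp"]))
            or (external_low(pkt["dip"], pkt["dp"]) and home_zero(pkt["sip"], pkt["sp"])))


def analyse(ip_packet: bytes) -> dict:
    pkt = decode_udp(ip_packet)
    return {"ports": (pkt["sp"], pkt["dp"]), "events": pkt["events"],
            "alert_naive": rule_matches(pkt, skip_invalid_headers=False),
            "alert_hardened": rule_matches(pkt, skip_invalid_headers=True)}


# A normal DNS-looking datagram (8-byte header, empty payload) and one whose
# UDP header is cut off after 3 bytes.
GOOD = build_ipv4_udp(SRC_IP, DST_IP, struct.pack("!HHHH", 40000, 53, UDP_HLEN, 0))
BROKEN = build_ipv4_udp(SRC_IP, DST_IP, b"\x9c\x40\x00")

if __name__ == "__main__":
    write_pcap("udp_truncated.pcap", [GOOD, BROKEN])
    for name, p in (("good", GOOD), ("broken", BROKEN)):
        print(name, analyse(p))
```

Running the script writes `udp_truncated.pcap`, which can be replayed through a sensor with the rule from the post to compare against the model; in the model, the well-formed datagram never alerts, the truncated one alerts only while port constraints are evaluated on a packet whose ports were never decoded.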

Hello Toushimi,

thanks for your report!
I’ve created an issue in our project tracker (Bug #5379: detect/udp: different detection from rules when UDP header is broken - Suricata - Open Information Security Foundation) and will investigate it, with time :)

We’ll reach out if we need more info, too!


A similar error occurred with TCP.
It appears that it is not limited to UDP.

Oh, ok, thanks for pointing that out. (and sorry for the late answer!)

If you have anything from that other error that you could share (if you prefer, you can also share via a private message), that would be appreciated :)

In the meantime, I’ve updated the ticket accordingly.