Issues getting alerting from TOS 34 & 46

bcarlin · April 6, 2020, 5:29pm

I am having trouble getting ip tos to fire an alert. In the pcap below, I have AF41 (34) and EF (46) DSCP tagged traffic.

I can filter this traffic in wireshark:
ip.dsfield.dscp == 34 or ip.dsfield.dscp == 46

I have tried several rule permutations (see below) to try and get an alert to fire. Can anyone point me in the right direction?

alert ip any any -> any any (msg:“Differentiated Services Codepoint: AF41”; tos:34; flow:to_server; classtype:not-suspicious; sid:202004; rev:1;)

alert ip any any -> any any (msg:“Differentiated Services Codepoint: AF41”; tos:34; classtype:not-suspicious; sid:202004; rev:1;)

alert ip any any -> any any (msg:“Differentiated Services Codepoint: AF41”; tos:34; flow:established; classtype:not-suspicious; sid:202004; rev:1;)

Andreas_Herz · April 8, 2020, 8:55pm

I can reproduce the issue. Can you fill a bug report in our redmine issue tracker?

bcarlin · April 14, 2020, 1:06pm

Jeff_Lucovsky · May 2, 2020, 1:40pm

Hi Brian,

Can you try different values? For 34 use 136; for 46 use 184.

These values are derived from the values you’re using right-shifted by 2 bits.

We will be improving our documentation for the tos keyword; for now, try these values and let us know how it works.

Thanks

bcarlin · May 11, 2020, 8:45pm

Hi Jeff,

Thanks for looking into this and using the right-shifted values works for me. Thanks!

Brian

Topic		Replies	Views
Query about custom rule	12	232	December 18, 2023
Can not get SSH alert	7	322	November 27, 2023
Help understanding UDP flows and alerting Rules rules , suricata	6	1581	June 30, 2022
Except trusted IP Help	10	702	February 25, 2021
Alert triggered but nothing in the pcap Rules rules , suricata	2	378	September 19, 2022