Suricata can't define IP options

Dion · February 20, 2024, 7:56am

Hello,
I try use ipopts : ssrr in my rules. But I get alert any case when set any IP flag in packet.

Jeff_Lucovsky · February 20, 2024, 1:35pm

What version of Suricata are you using?
What platform and release (Linux x.y, Macos 10.x, …)?
Can you provide the rule?

Dion · February 21, 2024, 1:16pm

Suricata version: 6.0.4
Platform: Linux
Rule: alert ip any any -> any any (ipopts: ssrr; msg: "issue"; rev: 1; sid:1;)

Dion · February 28, 2024, 11:56am

Do you have some updates? =)

Andreas_Herz · February 28, 2024, 8:52pm

Can you also provide the pcap?

Dion · March 12, 2024, 12:29pm

84b58b808f9f81c09728cb923a2c0eb0.pcap (730 Bytes)
Yes, sure

Dion · March 18, 2024, 10:30am

Do you have some updates? =)

Jeff_Lucovsky · March 18, 2024, 12:53pm

Thanks for bringing this to our attention. There may be an issue with how this is handled so I created Bug #6864: Detect: ipopts keyword misfires - Suricata - Open Information Security Foundation to track it.

Dion · March 19, 2024, 10:49am

Thank you very match!

Jeff_Lucovsky · March 23, 2024, 1:21pm

I’ve prepared a PR with the changes – if you’re able to build with my PR, let me know if this works for you

github.com/OISF/suricata

detect/ipopts: Multiple option support

OISF:master ← jlucovsky:6864/2

opened 12:59PM - 22 Mar 24 UTC

jlucovsky

+43 -58

Continuation of #10688 Support multiple options. This PR changes the IP o…ption definitions from an enum into bit values so the values added during packet parsing are compared properly when evaluation with an IP option specified with `ipopts` occurs. Link to [redmine](https://redmine.openinfosecfoundation.org/projects/suricata/issues) ticket: [6864](https://redmine.openinfosecfoundation.org/issues/6864) Describe changes: - Misc. cleanups - Move IPv4 option values to a bit mask - suricata-verify test to validate each option lacking coverage. Updates: - Remove unneeded PCRE usage ### Provide values to any of the below to override the defaults. To use a pull request use a branch name like `pr/N` where `N` is the pull request number. Alternatively, `SV_BRANCH` may also be a link to an OISF/suricata-verify pull-request. ``` SV_REPO= SV_BRANCH=pr/1722 SU_REPO= SU_BRANCH= LIBHTP_REPO= LIBHTP_BRANCH= ```

Topic		Replies	Views
How can I write some rules in IPS not just reset http connections Rules ips , rules , suricata	1	473	February 28, 2022
Create rules on pfsense Rules ips , pfsense , suricata	2	733	September 2, 2022
How to use ipset in suricata.rules Rules rules	6	322	August 24, 2023
Rule using http does not matching get request Rules	2	1023	January 18, 2022
What is the proper way to handle large ip list in Suricata rules? Rules	1	513	August 14, 2021

Suricata can't define IP options

Related Topics