From fd4e1460cfe5b62e6640a19d43ae84c489eab353 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Fri, 2 Dec 2011 08:19:54 +0100
Subject: [PATCH] Add checksum validation rules to decoder events rules.
---
 rules/decoder-events.rules | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/rules/decoder-events.rules b/rules/decoder-events.rules
index bceb696cee..fa16921fe0 100644
--- a/rules/decoder-events.rules
+++ b/rules/decoder-events.rules
@@ -74,3 +74,11 @@ alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv4 Fragmentation overlap";
 alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Packet size too large"; decode-event:ipv6.frag_too_large; sid:2200071; rev:1;)
 alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; sid:2200072; rev:1;)
+# checksum rules
+alert ip any any -> any any (msg:"SURICATA IPv4 invalid checksum"; ipv4-csum:invalid; sid:2200073; rev:1;)
+alert tcp any any -> any any (msg:"SURICATA TCPv4 invalid checksum"; tcpv4-csum:invalid; sid:2200074; rev:1;)
+alert udp any any -> any any (msg:"SURICATA UDPv4 invalid checksum"; udpv4-csum:invalid; sid:2200075; rev:1;)
+alert icmp any any -> any any (msg:"SURICATA ICMPv4 invalid checksum"; icmpv4-csum:invalid; sid:2200076; rev:1;)
+alert tcp any any -> any any (msg:"SURICATA TCPv6 invalid checksum"; tcpv6-csum:invalid; sid:2200077; rev:1;)
+alert udp any any -> any any (msg:"SURICATA UDPv6 invalid checksum"; udpv6-csum:invalid; sid:2200078; rev:1;)
+alert icmp any any -> any any (msg:"SURICATA ICMPv6 invalid checksum"; icmpv6-csum:invalid; sid:2200079; rev:1;)
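Review bot: The `# checksum rules` comment heading sids 2200073–2200079 does not tell an operator when these alerts are expected noise. The rules fire per packet on `any any -> any any`, and a sensor that sees packets before the NIC has filled in an offloaded checksum will report ordinary locally sent traffic as invalid. I would extend the comment to something like `# checksum rules: will fire on traffic captured with NIC checksum offload enabled; disable offload on the capture host or disable these sids there`. Since one alert per bad packet can also flood the event log, it may be worth a second comment line pointing operators to thresholding these sids, which this file does not currently do for them.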