1+ # Description
2+
3+ Test SCTP sticky buffers and keywords
4+
5+ # PCAP
6+
7+ Extracted from https://www.cloudshark.org/captures/839e9b681d59
1+ alert sctp any any -> any any (sctp.hdr; content:"|01 00 00 20|"; sid:1;)
2+ alert sctp any any -> any any (sctp.chunk_type:2; sid:2;)
3+ alert sctp any any -> any any (sctp.chunk_cnt:1; sid:3;)
4+ alert sctp any any -> any any (sctp.vtag:3559606418; sid:4;)
5+ alert sctp any any -> any any (sctp.has_init; sid:5;)
6+ alert sctp any any -> any any (sctp.has_data; sid:6;)
7+ alert sctp any any -> any any (sctp.data; content:"|01 00 03 01|"; sid:7;)
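Review bot: The content matches in sid 1 and sid 7 are unanchored, so both rules would still fire if `sctp.hdr` or `sctp.data` exposed more bytes than intended or began at the wrong offset in the packet. If each buffer is expected to begin with those bytes (this page does not show where the buffers start), pin the position, e.g. `sctp.data; content:"|01 00 03 01|"; startswith; sid:7;`, or use `offset`/`depth` for the location the bytes should occupy. A short `msg` on each rule would also make a failing check easier to trace back to the keyword under test.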
1+ args :
2+ - -k none
3+
4+ checks :
5+ - filter :
6+ count : 1
7+ match :
8+ src_ip : 10.173.48.13
9+ src_port : 2906
10+ dest_ip : 88.82.6.134
11+ dest_port : 6303
12+ event_type : alert
13+ proto : SCTP
14+ pcap_cnt : 1
15+ alert.signature_id : 1
16+ sctp.vtag : 0
17+ sctp.first_chunk : 1
18+ sctp.chunk_cnt : 1
19+ sctp.has_init : true
20+ sctp.has_data : false
21+ sctp.has_abort : false
22+ - filter :
23+ count : 1
24+ match :
25+ src_ip : 88.82.6.134
26+ src_port : 6303
27+ dest_ip : 10.173.48.13
28+ dest_port : 2906
29+ event_type : alert
30+ proto : SCTP
31+ pcap_cnt : 2
32+ alert.signature_id : 2
33+ sctp.vtag : 3714634557
34+ sctp.first_chunk : 2
35+ sctp.chunk_cnt : 1
36+ sctp.has_init : true
37+ sctp.has_data : false
38+ sctp.has_abort : false
39+ - filter :
40+ count : 1
41+ match :
42+ src_ip : 10.173.48.13
43+ src_port : 2906
44+ dest_ip : 88.82.6.134
45+ dest_port : 6303
46+ event_type : alert
47+ proto : SCTP
48+ pcap_cnt : 3
49+ alert.signature_id : 3
50+ sctp.vtag : 3559606418
51+ sctp.first_chunk : 10
52+ sctp.chunk_cnt : 1
53+ sctp.has_init : false
54+ sctp.has_data : false
55+ sctp.has_abort : false
56+ - filter :
57+ count : 1
58+ match :
59+ src_ip : 10.173.48.13
60+ src_port : 2906
61+ dest_ip : 88.82.6.134
62+ dest_port : 6303
63+ event_type : alert
64+ proto : SCTP
65+ pcap_cnt : 3
66+ alert.signature_id : 4
67+ sctp.vtag : 3559606418
68+ sctp.first_chunk : 10
69+ sctp.chunk_cnt : 1
70+ sctp.has_init : false
71+ sctp.has_data : false
72+ sctp.has_abort : false
73+ - filter :
74+ count : 1
75+ match :
76+ src_ip : 10.173.48.13
77+ src_port : 2906
78+ dest_ip : 88.82.6.134
79+ dest_port : 6303
80+ event_type : alert
81+ proto : SCTP
82+ pcap_cnt : 1
83+ alert.signature_id : 5
84+ sctp.vtag : 0
85+ sctp.first_chunk : 1
86+ sctp.chunk_cnt : 1
87+ sctp.has_init : true
88+ sctp.has_data : false
89+ sctp.has_abort : false
90+ - filter :
91+ count : 1
92+ match :
93+ src_ip : 88.82.6.134
94+ src_port : 6303
95+ dest_ip : 10.173.48.13
96+ dest_port : 2906
97+ event_type : alert
98+ proto : SCTP
99+ pcap_cnt : 15
100+ alert.signature_id : 6
101+ sctp.vtag : 3714634557
102+ sctp.first_chunk : 3
103+ sctp.chunk_cnt : 4
104+ sctp.has_init : false
105+ sctp.has_data : true
106+ sctp.has_abort : false
107+ - filter :
108+ count : 1
109+ match :
110+ src_ip : 10.173.48.13
111+ src_port : 2906
112+ dest_ip : 88.82.6.134
113+ dest_port : 6303
114+ event_type : alert
115+ proto : SCTP
116+ pcap_cnt : 5
117+ alert.signature_id : 7
118+ sctp.vtag : 3559606418
119+ sctp.first_chunk : 0
120+ sctp.chunk_cnt : 1
121+ sctp.has_init : false
122+ sctp.has_data : true
123+ sctp.has_abort : false
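Review bot: The test has no `requires` block, so it will also run against Suricata builds that predate the SCTP keywords, where the rules fail to load and the test fails instead of being skipped; add `requires:` with `min-version: <first release with the sctp keywords>` above `args`. Every check is also positive (`count: 1`), so nothing asserts that a keyword stays silent where it should. A `count: 0` filter on `alert.signature_id: 3` with `pcap_cnt: 15` (the four-chunk packet) and another on `alert.signature_id: 6` with `pcap_cnt: 1` (the INIT, logged with `sctp.has_data: false`) would catch a keyword that matches too broadly.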