What does the alert 'SURICATA zero length padN option' mean?


Juan Verhook

Aug 15, 2016, 2:50:42 PM
to security-onion
I got this from apple.com with severity 3; it should be safe.

{"timestamp":"2016-08-14T15:09:20.543837","event_type":"alert","proto":"IPv6-ICMP","icmp_type":143,"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":2200094,"rev":1,"signature":"SURICATA zero length padN option","category":"","severity":3}}

Wes

Aug 16, 2016, 6:27:50 PM
to security-onion
On Monday, August 15, 2016 at 2:50:42 PM UTC-4, Juan Verhook wrote:
> I got this from apple.com with severity 3; it should be safe.
>
> {"timestamp":"2016-08-14T15:09:20.543837","event_type":"alert","proto":"IPv6-ICMP","icmp_type":143,"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":2200094,"rev":1,"signature":"SURICATA zero length padN option","category":"","severity":3}}

Juan,

To get a better understanding of rules, I would try taking a look here:

https://media.readthedocs.org/pdf/jasonish-suricata/latest/jasonish-suricata.pdf

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node27.html

Remember, everyone's environment is different and certain items may be more important to some organizations than to others. It is important to be able to understand the signatures and tune your equipment to the best fit for your environment.

Thanks,
Wes

Victor Julien

Aug 17, 2016, 10:37:44 AM
to securit...@googlegroups.com
On 15-08-16 20:27, Juan Verhook wrote:
> I got this from apple.com with severity 3; it should be safe.
>
> {"timestamp":"2016-08-14T15:09:20.543837","event_type":"alert","proto":"IPv6-ICMP","icmp_type":143,"icmp_code":0,"alert":{"action":"allowed","gid":1,"signature_id":2200094,"rev":1,"signature":"SURICATA zero length padN option","category":"","severity":3}}
>

Are you able to share a pcap of this traffic?

PadN is used for padding in the IPv6 header. Suricata flags PadN with a
length of 0 as odd. The RFC doesn't explicitly forbid it though:
https://tools.ietf.org/html/rfc2460 (page 9). I suppose it could be
valid as the RFC says that PadN is preferred over multiple Pad1 and PadN
with length 0 still takes 2 octets.

--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
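To make the padding rules concrete, here is an added example (not code from this thread, from Suricata, or from the RFC) that walks the Hop-by-Hop Options area of an IPv6 packet, reports any PadN option with length 0 the way the Suricata decoder event does, and shows what RFC 2460 section 4.2 prescribes for a given amount of padding: Pad1 for one octet, PadN (type 1, length n-2) for two or more, so two octets of padding encode exactly as a PadN of length 0. The sample packet is constructed for the example: an ICMPv6 type 143 (MLDv2 report) from fe80::1 to ff02::16 whose Hop-by-Hop header holds a Router Alert option (RFC 2711, 4 octets) followed by a two-octet zero-length PadN that brings the header to 8 octets; the ICMPv6 checksum is left at zero and is not validated.

```python
import struct

# Protocol constants (RFC 2460 / RFC 2711).
IPV6_HDR_LEN = 40
IPV6_HOP_BY_HOP = 0    # Next Header value for the Hop-by-Hop Options header
IPV6_ICMPV6 = 58
OPT_PAD1 = 0           # one octet, no length or value field
OPT_PADN = 1           # type, length, then `length` zero octets
OPT_ROUTER_ALERT = 5   # always carries a 2-octet value


def parse_hbh_options(area: bytes):
    """Walk the TLV option area of a Hop-by-Hop header.

    Returns a list of (type, length, value) tuples. Pad1 is reported with
    length 0 and an empty value; a zero-length PadN looks the same except
    for its type, which is exactly what the Suricata event keys on.
    """
    opts = []
    i = 0
    while i < len(area):
        opt_type = area[i]
        if opt_type == OPT_PAD1:
            opts.append((OPT_PAD1, 0, b""))
            i += 1
            continue
        if i + 2 > len(area):
            raise ValueError("truncated option at offset %d" % i)
        opt_len = area[i + 1]
        value = area[i + 2:i + 2 + opt_len]
        if len(value) != opt_len:
            raise ValueError("option length runs past the option area")
        opts.append((opt_type, opt_len, value))
        i += 2 + opt_len
    return opts


def find_zero_length_padn(packet: bytes):
    """Return [(option_index, byte_offset)] for every PadN of length 0 in the
    packet's Hop-by-Hop header, or [] when there is no such header/option."""
    if len(packet) < IPV6_HDR_LEN or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr = packet[6]
    if next_hdr != IPV6_HOP_BY_HOP:
        return []
    # Hdr Ext Len counts 8-octet units, not including the first 8 octets.
    hbh_len = (packet[IPV6_HDR_LEN + 1] + 1) * 8
    area = packet[IPV6_HDR_LEN + 2:IPV6_HDR_LEN + hbh_len]
    findings = []
    offset = IPV6_HDR_LEN + 2
    for idx, (opt_type, opt_len, _) in enumerate(parse_hbh_options(area)):
        if opt_type == OPT_PADN and opt_len == 0:
            findings.append((idx, offset))
        offset += 1 if opt_type == OPT_PAD1 else 2 + opt_len
    return findings


def padding_bytes(n: int) -> bytes:
    """Encode n octets of padding as RFC 2460 section 4.2 describes."""
    if n < 1:
        return b""
    if n == 1:
        return bytes([OPT_PAD1])
    return bytes([OPT_PADN, n - 2]) + b"\x00" * (n - 2)


def build_sample_packet() -> bytes:
    """Constructed MLDv2 report (ICMPv6 type 143) carrying a Hop-by-Hop
    header with Router Alert + a two-octet zero-length PadN."""
    hbh_options = bytes([OPT_ROUTER_ALERT, 2, 0x00, 0x00]) + padding_bytes(2)
    hbh = bytes([IPV6_ICMPV6, 0]) + hbh_options         # 8 octets total
    # type 143, code 0, checksum 0 (constructed, not computed), reserved, 0 records
    icmpv6 = struct.pack("!BBHHH", 143, 0, 0, 0, 0)
    payload = hbh + icmpv6
    src = bytes.fromhex("fe800000000000000000000000000001")
    dst = bytes.fromhex("ff020000000000000000000000000016")
    ipv6 = struct.pack("!IHBB", 0x60000000, len(payload), IPV6_HOP_BY_HOP, 1)
    return ipv6 + src + dst + payload


if __name__ == "__main__":
    pkt = build_sample_packet()
    for idx, off in find_zero_length_padn(pkt):
        print("zero-length PadN: option #%d at byte offset %d" % (idx, off))
```

Run against the sample, the detector reports the PadN as option #1 at byte offset 46 (just after the 4-octet Router Alert), and `padding_bytes(2)` yields `01 00`, the same two octets. When triaging these alerts, decoding the offending packet this way is usually faster than reading the rule text: if the Hop-by-Hop header is Router Alert plus zero-length PadN on an MLD packet, the event is the benign case Victor describes rather than a malformed header.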

Kris Springer

Aug 1, 2017, 2:44:28 PM
to security-onion
I have IPV6=no configured in /etc/default/ufw with the understanding that it disabled IPv6 on the box. Is there a different SO config file to disable IPv6?

Kris Springer

Aug 1, 2017, 2:46:54 PM
to security-onion
Sorry, I should have also mentioned that I am getting many 'Suricata zero length padN option' alerts with source and destination IPs all showing 0.0.0.0 with No Data Sent.

Wes Lambert

Aug 1, 2017, 4:07:49 PM
to securit...@googlegroups.com

On Tue, Aug 1, 2017 at 2:46 PM, Kris Springer <kspr...@innovateteam.com> wrote:
> Sorry, I should have also mentioned that I am getting many 'Suricata zero length padN option' alerts with source and destination IPs all showing 0.0.0.0 with No Data Sent.
