This is an implementation of RFC 3514 for Suricata, written by Guillaume Prigent and released into the public domain.
RFC 3514 was published on 1 April 2003 and defines a security flag in the IPv4 header (the "evil bit") as a means of distinguishing good packets from evil packets.
The RFC also provides implementation details for IDSs:
Because of their known propensity for false negatives and false positives, IDSs MUST apply a probabilistic correction factor when evaluating the evil bit.
To implement this in Suricata we need access to a random number generator. Classic rules do not provide one, so a good way to get it is to write a luajit signature.
To use luajit signatures you need at least Suricata 1.4-beta2, built with luajit enabled, which requires luajit on your system. On Debian and Ubuntu, install libluajit-5.1-dev:
sudo aptitude install libluajit-5.1-dev
Once this is done, you can build Suricata:
$ ./configure --enable-luajit
$ make
$ make install
$ make install-full # install configuration and download rules
Enter the luaevilbit directory and copy evilflag.lua to the rules directory, which is where the signature's luajit keyword expects to find the script:
$ sudo cp evilflag.lua /usr/local/etc/suricata/rules/
You can then run Suricata with the rule file (-S loads that rule file exclusively, ignoring the rules configured in suricata.yaml):
$ sudo suricata -i eth0 -S evilflag.rules
In another terminal (#1), follow the alert log:
$ sudo tail -F /usr/local/var/log/suricata/fast.log
In a third terminal (#2), send ICMP packets with the evil bit set (replace the IP address 192.168.10.230 with the one you want):
$ sudo icmp_evil_flag.py 192.168.10.230
In terminal #1 you should then see:
10/20/2012-18:39:44.820424 [**] [1:2:0] LUAJIT Evil Flag [**] [Classification: (null)] [Priority: 3] {ICMP} 0.0.0.0:8 -> 192.168.10.230:0
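The two halves of the procedure above, the sender (icmp_evil_flag.py) and the luajit signature with its probabilistic correction, are illustrated by the following added example. It is not the luaevilbit project's own code: it crafts a raw IPv4/ICMP echo request with the evil bit set, reads the bit back the way the signature must, and applies one possible reading of the RFC's "probabilistic correction factor" (trust the bit with probability `trust`, otherwise invert the verdict; the real evilflag.lua may use a different factor, and the function names, the sample payload and the addresses are this example's own).

```python
"""Evil-bit (RFC 3514) helpers: craft an IPv4/ICMP echo packet with the evil
bit set, and evaluate the bit with a probabilistic correction factor.
Added example, not the luaevilbit project's own code."""
import random
import socket
import struct

# RFC 3514: the high-order bit of the IPv4 flags/fragment-offset word (the
# formerly reserved bit, offset 6 in the header) is the "evil" bit.
EVIL_BIT = 0x8000


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071), used by both the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(src: str, dst: str, evil: bool,
                    ident: int = 0x1234, seq: int = 1) -> bytes:
    """Build a raw IPv4 + ICMP echo request. With evil=True the evil bit is
    set, which is what a sender such as icmp_evil_flag.py has to do to
    trigger the rule. Addresses and payload are constructed sample values."""
    payload = b"RFC3514"
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload  # type 8 = echo request
    icmp = icmp[:2] + struct.pack("!H", ones_complement_checksum(icmp)) + icmp[4:]
    flags_frag = EVIL_BIT if evil else 0
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45,                  # version 4, IHL 5 (20-byte header)
                      0,                     # DSCP/ECN
                      20 + len(icmp),        # total length
                      0xABCD,                # identification (arbitrary)
                      flags_frag,            # flags + fragment offset
                      64,                    # TTL
                      1,                     # protocol: ICMP
                      0,                     # header checksum, filled in below
                      socket.inet_aton(src),
                      socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]
    return hdr + icmp


def evil_bit_set(packet: bytes) -> bool:
    """Read the evil bit from a packet whose bytes start at the IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    flags_frag, = struct.unpack("!H", packet[6:8])
    return bool(flags_frag & EVIL_BIT)


def evaluate(packet: bytes, rng=None, trust: float = 0.9) -> int:
    """Emulate the signature's match(): 1 = alert, 0 = no alert.
    RFC 3514 requires IDSs to apply a probabilistic correction factor. This
    example's reading (an assumption, not necessarily evilflag.lua's) trusts
    the bit with probability `trust` and otherwise inverts the verdict, which
    covers both false positives (bit set on a good packet) and false
    negatives (bit clear on an evil one)."""
    rng = rng or random.Random()
    evil = evil_bit_set(packet)
    trusted = rng.random() < trust
    return int(evil if trusted else not evil)


def alert_rate(packet: bytes, trust: float, n: int = 1000, seed: int = 1) -> float:
    """Fraction of n evaluations of the same packet that alert (seeded, so reproducible)."""
    rng = random.Random(seed)
    return sum(evaluate(packet, rng, trust) for _ in range(n)) / n


if __name__ == "__main__":
    pkt = build_icmp_echo("192.168.10.1", "192.168.10.230", evil=True)
    print("evil bit set:", evil_bit_set(pkt))
    print("alert rate at trust=0.9:", alert_rate(pkt, 0.9))
```

To actually put the evil packet on the wire, write the bytes to a raw socket with the IP header included (`socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)` and `sendto`), which needs root, as the `sudo` on the sender command above implies. In the fast.log line, the `:8` and `:0` after the addresses are the ICMP type (echo request) and code that Suricata prints in place of ports for ICMP.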