8.36. SCTP Keywords

Suricata supports sticky buffers and keywords for matching on SCTP packet headers, chunks, and metadata.

Sticky buffers are expected to be followed by one or more Payload Keywords.

8.36.1. sctp.hdr

Sticky buffer to match on the raw SCTP header and all chunks.

Example rule:

alert sctp any any -> any any (msg:"SCTP header match"; sctp.hdr; content:"|01|"; offset:8; depth:1; sid:1; rev:1;)

sctp.hdr is a 'sticky buffer'.

sctp.hdr can be used as fast_pattern.

8.36.2. sctp.chunk_data

Sticky buffer to match on any SCTP DATA chunk user payload.

When a packet contains DATA chunks, the packet payload (p->payload) is set to the user data of the first DATA chunk. A bare content match (without a sticky buffer) therefore inspects the first DATA chunk's payload. Use sctp.chunk_data to inspect all DATA chunks independently.

Example rule:

alert sctp any any -> any any (msg:"SCTP DATA payload match"; sctp.chunk_data; content:"test"; sid:2; rev:1;)

sctp.chunk_data is a 'sticky buffer'.

sctp.chunk_data can be used as fast_pattern.

8.36.3. sctp.vtag

Match on the SCTP verification tag field in the common header.

sctp.vtag uses an unsigned 32-bit integer.

Syntax:

sctp.vtag:[op]<number>

The verification tag can be matched exactly, or compared using the op setting:

sctp.vtag:12345         # exactly 12345
sctp.vtag:>0            # greater than 0
sctp.vtag:100-200       # range 100 to 200

Example rule:

alert sctp any any -> any any (msg:"SCTP vtag match"; sctp.vtag:0; sid:3; rev:1;)

8.36.4. sctp.chunk_type

Match on the type of any SCTP chunk in the packet.

sctp.chunk_type uses an unsigned 8-bit integer.

Syntax:

sctp.chunk_type:[!]<value>
sctp.chunk_type:[op]<number>

Values can be specified by name or by numeric value. The following named chunk types are supported:

Name               Value
----------------   -----
data               0
init               1
init_ack           2
sack               3
heartbeat          4
hb_ack             5
abort              6
shutdown           7
shutdown_ack       8
error              9
cookie_echo        10
cookie_ack         11
ecne               12
cwr                13
shutdown_complete  14
forward_tsn        192

Named values are case-insensitive and can be negated with !:

sctp.chunk_type:init          # INIT chunk
sctp.chunk_type:init_ack      # INIT ACK chunk
sctp.chunk_type:!data         # any chunk that is not DATA

Numeric values support comparison operators and ranges:

sctp.chunk_type:1             # INIT chunk (type 1)
sctp.chunk_type:0-4           # range 0 to 4

Example rules:

alert sctp any any -> any any (msg:"SCTP INIT chunk detected"; sctp.chunk_type:init; sid:4; rev:1;)

alert sctp any any -> any any (msg:"SCTP INIT chunk detected"; sctp.chunk_type:1; sid:5; rev:1;)

8.36.5. sctp.chunk_cnt

Match on the number of SCTP chunks in the packet.

sctp.chunk_cnt uses an unsigned 8-bit integer.

Syntax:

sctp.chunk_cnt:[op]<number>

The chunk count can be matched exactly, or compared using the op setting:

sctp.chunk_cnt:1        # exactly 1 chunk
sctp.chunk_cnt:>3       # more than 3 chunks
sctp.chunk_cnt:2-5      # range 2 to 5

Example rule:

alert sctp any any -> any any (msg:"SCTP packet with multiple chunks"; sctp.chunk_cnt:>1; sid:6; rev:1;)
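The following added example is not part of the Suricata documentation or source; it is a small Python model of what the keywords in 8.36.1 to 8.36.5 inspect, written to help read and test rules offline. It parses the 12-byte SCTP common header and the chunk list (RFC 4960 layout) from a constructed packet, reproduces the difference between a bare content match (first DATA chunk's user data only) and sctp.chunk_data (every DATA chunk), and evaluates vtag, chunk_type and chunk_cnt specs with the same `[op]<number>` / `!` / `a-b` forms shown above. The sample packet (ports, verification tag 0x12345678, a SACK followed by two DATA chunks) is constructed, its CRC32c checksum field is left at zero, and the `a-b` range is treated as exclusive of both bounds as Suricata's generic integer matcher does; the sctp.hdr buffer is simply the whole raw packet, so it needs no separate function.

```python
import struct

# Named chunk types, as listed in the sctp.chunk_type table.
CHUNK_TYPES = {
    "data": 0, "init": 1, "init_ack": 2, "sack": 3, "heartbeat": 4,
    "hb_ack": 5, "abort": 6, "shutdown": 7, "shutdown_ack": 8, "error": 9,
    "cookie_echo": 10, "cookie_ack": 11, "ecne": 12, "cwr": 13,
    "shutdown_complete": 14, "forward_tsn": 192,
}


def parse_sctp(pkt: bytes) -> dict:
    """Split an SCTP packet into common-header fields and a list of chunks.

    Common header: src port (2), dst port (2), verification tag (4), checksum (4).
    Each chunk: type (1), flags (1), length (2, covers the header), value, padded to 4.
    Chunks are returned as (type, flags, value) with the padding stripped.
    """
    if len(pkt) < 12:
        raise ValueError("short SCTP common header")
    sport, dport, vtag, checksum = struct.unpack("!HHII", pkt[:12])
    chunks = []
    off = 12
    while off + 4 <= len(pkt):
        ctype, flags, length = struct.unpack("!BBH", pkt[off:off + 4])
        if length < 4 or off + length > len(pkt):
            raise ValueError("bad chunk length at offset %d" % off)
        chunks.append((ctype, flags, pkt[off + 4:off + length]))
        off += (length + 3) & ~3  # chunks are aligned to 4 bytes
    return {"sport": sport, "dport": dport, "vtag": vtag,
            "checksum": checksum, "chunks": chunks}


def data_payloads(parsed: dict) -> list:
    """User data of every DATA chunk: value minus TSN (4), stream id (2), SSN (2), PPID (4)."""
    return [val[12:] for ctype, _, val in parsed["chunks"] if ctype == CHUNK_TYPES["data"]]


def match_uint(actual: int, spec: str) -> bool:
    """Evaluate a Suricata-style integer spec: N, !N, >N, <N, >=N, <=N, a-b (exclusive range)."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not match_uint(actual, spec[1:])
    for op, fn in ((">=", int.__ge__), ("<=", int.__le__), (">", int.__gt__), ("<", int.__lt__)):
        if spec.startswith(op):
            return fn(actual, int(spec[len(op):]))
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo < actual < hi
    return actual == int(spec)


def vtag_match(parsed: dict, spec: str) -> bool:
    """sctp.vtag: compare the common-header verification tag."""
    return match_uint(parsed["vtag"], spec)


def chunk_cnt_match(parsed: dict, spec: str) -> bool:
    """sctp.chunk_cnt: compare the number of chunks in the packet."""
    return match_uint(len(parsed["chunks"]), spec)


def chunk_type_match(parsed: dict, spec: str) -> bool:
    """sctp.chunk_type: true if any chunk matches; names are case-insensitive, '!' negates."""
    spec = spec.strip().lower()
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if spec in CHUNK_TYPES:
        spec = str(CHUNK_TYPES[spec])
    hits = [match_uint(ctype, spec) for ctype, _, _ in parsed["chunks"]]
    return any(not h for h in hits) if negate else any(hits)


def bare_content_match(parsed: dict, pattern: bytes) -> bool:
    """content without a sticky buffer: p->payload is the first DATA chunk's user data only."""
    payloads = data_payloads(parsed)
    return bool(payloads) and pattern in payloads[0]


def chunk_data_match(parsed: dict, pattern: bytes) -> bool:
    """sctp.chunk_data; content: every DATA chunk is inspected independently."""
    return any(pattern in p for p in data_payloads(parsed))


def _chunk(ctype: int, flags: int, value: bytes) -> bytes:
    length = 4 + len(value)
    return struct.pack("!BBH", ctype, flags, length) + value + b"\x00" * ((-length) % 4)


def _data_chunk(tsn: int, sid: int, ssn: int, ppid: int, user_data: bytes) -> bytes:
    # flags 0x03 = B and E bits set: unfragmented user message
    return _chunk(CHUNK_TYPES["data"], 0x03, struct.pack("!IHHI", tsn, sid, ssn, ppid) + user_data)


# Constructed sample packet (not a real capture); checksum field left at 0, CRC32c not computed.
SAMPLE_PKT = (
    struct.pack("!HHII", 36412, 36412, 0x12345678, 0)
    + _chunk(CHUNK_TYPES["sack"], 0, struct.pack("!IIHH", 1000, 65535, 0, 0))  # cum TSN, a_rwnd, gaps, dups
    + _data_chunk(1, 0, 0, 0, b"hello")
    + _data_chunk(2, 1, 0, 0, b"test payload")
)

if __name__ == "__main__":
    p = parse_sctp(SAMPLE_PKT)
    print("chunks:", [t for t, _, _ in p["chunks"]], "vtag: 0x%08x" % p["vtag"])
    print("bare content 'test':", bare_content_match(p, b"test"))
    print("sctp.chunk_data 'test':", chunk_data_match(p, b"test"))
```

Running the block shows the point made in 8.36.2: `content:"test"` alone does not fire on this packet because "test" sits in the second DATA chunk, while `sctp.chunk_data; content:"test"` does. The same parsed structure answers `sctp.chunk_type:!data` (the SACK chunk is not DATA) and `sctp.chunk_cnt:>1` (three chunks).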