I found too many event on suricata after recent update regarding this rule:
alert ip any any -> any any (msg:"ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free"; ip_proto:4; metadata: former_category EXPLOIT; reference:url,www.jsof-tech.com/ripple20/; classtype:attempted-admin; sid:2030388; rev:1; metadata:signature_severity Major, created_at 2020_06_22, performance_impact Significant, updated_at 2020_06_22;)
This is strange because it match with all packets with IPIP protocol (ip_proto:4)!! Also i found another rule from Carnegie Mellon University’s CERT (link):
alert ip any any -> any any (msg:"VU#257161:CVE-2020-11900 IP-in-IP tunnel Double-Free https://kb.cert.org"; ip_proto:4; sid:1370257161; rev:1;)
But same issue is exists here!