Support #2126
IPS Mode & Pseudo Packets
Status: closed
Description
Hi,
I've been studying the source code and see that the engine often creates and enqueues new pseudo packets in a variety of scenarios:
- While handling IP fragmentation, it will create a packet with the defragmented contents
- While handling tunnels, it will create a new packet for the packet in the tunnel
- When a flow expires, it will create a pseudo packet to force final stream reassembly
My question is: does Suricata keep the "parent" packet around and drop it if the "child" packet matches a signature? For example, if we receive a packet that completes a fragmented IP packet, Suricata creates a pseudo packet with the entire defragmented packet, which is then run through the rest of the pipeline. If this new packet matches a signature, will the original packet that contained the last fragment also be dropped? Similarly, will Suricata drop the tunnel packet if the packet inside of it matches a signature? (I assume this wouldn't happen in the flow timeout case.) This would require keeping the parent packets around in memory, and I can't tell if that is happening or not from looking at the source.
Thank you!