Project

General

Profile

Actions
Copy link

Bug #280

closed
SD VJ

Fragmentation issue - Ping of death not properly detected

Bug #280: Fragmentation issue - Ping of death not properly detected

Added by sebastien damaye about 15 years ago. Updated almost 15 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Victor Julien
Target version:
1.1beta3
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,
Following Scapy payload doesn't trigger an alert in Suricata:
send( fragment(IP(dst="192.168.100.35")/ICMP()/("X"*60000)) )
In Snort, it triggers following alert:
[**] [123:8:1] (spp_frag3) Fragmentation overlap [**]
[Priority: 3]
03/19-00:21:07.280484 192.168.100.37 -> 192.168.100.36
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:828
Frag Offset: 0x1CE8 Frag Size: 0x0328

Attached the capture file.
Thx for your support

Files

fragmentation.pcap (121 KB) fragmentation.pcap sebastien damaye, 04/10/2011 05:35 AM

VJ Updated by Victor Julien about 15 years ago Actions
Copy link
 #1

  • Status changed from New to Assigned
  • Assignee set to Victor Julien
  • Priority changed from High to Normal
  • Target version changed from 1.1beta1 to 1.1beta2

The defrag engine currently doesn't set events nor expose them to the signature language. Will be addressed soon.

VJ Updated by Victor Julien about 15 years ago Actions
Copy link
 #2

  • Target version changed from 1.1beta2 to 1.1beta3

VJ Updated by Victor Julien almost 15 years ago Actions
Copy link
 #3

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

The current master supports this. Example rules in the provided rules/decoder-events.rules file.

Actions
Copy link

Also available in: PDF Atom