Project

General

Profile

Actions
Copy link

Bug #280

closed

Fragmentation issue - Ping of death not properly detected

Added by sebastien damaye over 13 years ago. Updated over 13 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Victor Julien
Target version:
1.1beta3
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,
Following Scapy payload doesn't trigger an alert in Suricata:
send( fragment(IP(dst="192.168.100.35")/ICMP()/("X"*60000)) )
In Snort, it triggers following alert:
[**] [123:8:1] (spp_frag3) Fragmentation overlap [**]
[Priority: 3]
03/19-00:21:07.280484 192.168.100.37 -> 192.168.100.36
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:828
Frag Offset: 0x1CE8 Frag Size: 0x0328

Attached the capture file.
Thx for your support

Files

fragmentation.pcap (121 KB) fragmentation.pcap sebastien damaye, 04/10/2011 05:35 AM
Actions
Copy link
 #1

Updated by Victor Julien over 13 years ago

  • Status changed from New to Assigned
  • Assignee set to Victor Julien
  • Priority changed from High to Normal
  • Target version changed from 1.1beta1 to 1.1beta2

The defrag engine currently doesn't set events nor expose them to the signature language. Will be addressed soon.

Actions
Copy link
 #2

Updated by Victor Julien over 13 years ago

  • Target version changed from 1.1beta2 to 1.1beta3
Actions
Copy link
 #3

Updated by Victor Julien over 13 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

The current master supports this. Example rules in the provided rules/decoder-events.rules file.

Actions
Copy link

Also available in: Atom PDF