Project

General

Profile

Actions

Bug #280

closed

Fragmentation issue - Ping of death not properly detected

Added by sebastien damaye over 13 years ago. Updated over 13 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,
Following Scapy payload doesn't trigger an alert in Suricata:
send( fragment(IP(dst="192.168.100.35")/ICMP()/("X"*60000)) )
In Snort, it triggers following alert:
[**] [123:8:1] (spp_frag3) Fragmentation overlap [**]
[Priority: 3]
03/19-00:21:07.280484 192.168.100.37 -> 192.168.100.36
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:828
Frag Offset: 0x1CE8 Frag Size: 0x0328

Attached the capture file.
Thx for your support


Files

fragmentation.pcap (121 KB) fragmentation.pcap sebastien damaye, 04/10/2011 05:35 AM
Actions

Also available in: Atom PDF