<p>Open Information Security Foundation, 2011-08-23T10:07:44Z: Suricata - Bug #311: Confusing option checksum_validation (https://redmine.openinfosecfoundation.org/issues/311)</p>

<p>Victor Julien (victor@inliniac.net), 2011-08-23T10:07:44Z, https://redmine.openinfosecfoundation.org/issues/311?journal_id=1209</p>
<p>I don't think it's a good idea to disable by default. It would leave some reassembly attack options open that it's meant to prevent. Somehow detecting csum offloading in place is probably hard to do cross-platform... any other ideas?</p>

<p>Pierre Chifflier (chifflier@wzdftpd.net), 2011-08-30T07:07:48Z, https://redmine.openinfosecfoundation.org/issues/311?journal_id=1215</p>
<p>What is really a problem here is to have tons of packets that disappear without being analyzed, and without any warning or any way to find the problem.</p>
<p>What is worse is also that this gives different behavior depending on the data source (pcap vs nfqueue).</p>
<p>And the option name is not easy to guess, looking at the symptom...</p>
<p>So I'd say adding a warning if lots of packets are dropped due to incorrect checksum is a must-have (if not a solution, it would at least be a clue to find the cause of the problem).</p>

<p>Victor Julien (victor@inliniac.net), 2011-08-31T02:38:09Z, https://redmine.openinfosecfoundation.org/issues/311?journal_id=1218</p>
<p>If we're sure certain link types (like loopback) don't need checking we can probably bypass the checks for those links. Each packet has a datalink field (p->datalink) so that could help.</p>
<p>A counter of rejected packets because of csum would certainly be welcome.</p>
<p>In addition, a check that gives a one time warning, possibly with a link to a wiki page explaining the issue, after receiving e.g. 100 or 1000 packets with an invalid csum would help.</p>
<p>Are you interested in doing patches for these, Pierre?</p>

<p>Victor Julien (victor@inliniac.net), 2011-10-19T07:23:09Z, https://redmine.openinfosecfoundation.org/issues/311?journal_id=1271</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Assigned</i></li><li><strong>Assignee</strong> set to <i>Eric Leblond</i></li><li><strong>Priority</strong> changed from <i>Normal</i> to <i>Low</i></li><li><strong>Target version</strong> set to <i>1.2</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>30</i></li></ul>
<p>Just created the counter for invalid csum tcp packets. Will be part of 1.1beta3.</p>

<p>Victor Julien (victor@inliniac.net), 2011-10-19T07:23:43Z, https://redmine.openinfosecfoundation.org/issues/311?journal_id=1272</p>
<p>Eric, can you come up with an idea/design for handling the per acquisition method oddities?</p>

<p>Eric Leblond (eric@regit.org), 2011-12-20T06:42:44Z, https://redmine.openinfosecfoundation.org/issues/311?journal_id=1449</p>
<p>I've just done a study of the problem. The idea was to check if the different capture APIs provide a way to detect that a packet is emitted and/or has an incomplete checksum.</p>
<p>If we consider the different modules:</p>
<ul>
<li>PF_RING: pfring_extended_pkthdr has a rx_direction which can be used to detect emitted packets</li>
<li>AF_PACKET: packet has auxiliary data containing information about checksum completeness.</li>
<li>pcap: Nothing is available here</li>
</ul>
<p>PF_RING and AF_PACKET can be treated easily in an efficient way.</p>
<p>For pcap we need to find some alternative, using for example the hardware address.</p>

<p>Eric Leblond (eric@regit.org), 2011-12-20T06:48:30Z, https://redmine.openinfosecfoundation.org/issues/311?journal_id=1450</p>
<p>A solution for pcap could be to use pcap_setdirection. This function provides a way to only accept RX packets or TX packets. By limiting to RX packets, the IDS will only capture the network traffic and that could be the wanted result.<br />One problem with this approach is that pcap_setdirection is said not to be implemented for all OSes.</p>

<p>Victor Julien (victor@inliniac.net), 2011-12-21T04:35:46Z, https://redmine.openinfosecfoundation.org/issues/311?journal_id=1451</p>
<p>I don't think the pcap_setdirection usage would solve the problem though. We'd go from "can't track sessions because of broken tx csums" to "can't track sessions because of missing tx packets".</p>

<p>Victor Julien (victor@inliniac.net), 2012-01-05T10:26:05Z, https://redmine.openinfosecfoundation.org/issues/311?journal_id=1506</p>
<ul><li><strong>Status</strong> changed from <i>Assigned</i> to <i>Closed</i></li><li><strong>Target version</strong> changed from <i>1.2</i> to <i>1.2rc1</i></li><li><strong>% Done</strong> changed from <i>30</i> to <i>100</i></li></ul><p>Eric's patchset applied, thanks!</p>
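<p>The rejection counter and one-time warning that Victor proposes earlier in the thread, written up as an added example in C; this is not Suricata's code, it is not Eric's patchset, and the sample SYN segment, addresses and stats structure are constructed for the illustration. It shows why a segment whose checksum was left for TX offload fails validation, how the counter records it, and how a single warning after the 100-packet threshold points the operator at the checksum_validation option instead of silently dropping traffic.</p>

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Ones'-complement sum of a buffer; an odd trailing byte is zero-padded. */
static uint32_t csum_add(uint32_t sum, const uint8_t *buf, size_t len)
{
    for (; len > 1; buf += 2, len -= 2)
        sum += ((uint32_t)buf[0] << 8) | buf[1];
    return len ? sum + ((uint32_t)buf[0] << 8) : sum;
}

/* TCP-over-IPv4 checksum: pseudo-header (src, dst, 0, proto 6, len) + segment.
 * With the checksum field zeroed this yields the value to insert; over a
 * segment that already carries a correct checksum it yields 0. */
uint16_t tcp4_checksum(const uint8_t src[4], const uint8_t dst[4],
                       const uint8_t *seg, size_t seglen)
{
    uint8_t pseudo[12] = {0};
    memcpy(pseudo, src, 4);
    memcpy(pseudo + 4, dst, 4);
    pseudo[9] = 6;                          /* IPPROTO_TCP */
    pseudo[10] = (uint8_t)(seglen >> 8);
    pseudo[11] = (uint8_t)seglen;
    uint32_t sum = csum_add(csum_add(0, pseudo, 12), seg, seglen);
    while (sum >> 16)                       /* fold carries back into 16 bits */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Constructed stats: rejection counter plus a one-shot warning flag; 100 is the threshold from the thread. */
#define CSUM_WARN_THRESHOLD 100
struct csum_stats { unsigned long invalid; int warned; };

/* Returns 1 if the segment may enter reassembly, 0 if it is rejected. */
int tcp4_validate(struct csum_stats *st, const uint8_t src[4],
                  const uint8_t dst[4], const uint8_t *seg, size_t seglen)
{
    if (tcp4_checksum(src, dst, seg, seglen) == 0)
        return 1;
    if (++st->invalid >= CSUM_WARN_THRESHOLD && !st->warned) {
        st->warned = 1;
        fprintf(stderr, "warning: %lu TCP packets with invalid checksum rejected; "
                "checksum offloading? see the checksum_validation option\n", st->invalid);
    }
    return 0;
}
/* Constructed sample: SYN 10.0.0.1:1234 -> 10.0.0.2:80, checksum field left zero
 * as a TX-offloading NIC driver would hand it to a local capture. */
const uint8_t SAMPLE_SRC[4] = {10, 0, 0, 1}, SAMPLE_DST[4] = {10, 0, 0, 2};
const uint8_t SAMPLE_SYN[20] = {0x04, 0xd2, 0x00, 0x50, 0, 0, 0, 0, 0, 0, 0, 0,
                                0x50, 0x02, 0x20, 0x00, 0, 0, 0, 0};
```

<p>Over the sample segment tcp4_checksum yields 0x76be; writing that into bytes 16-17 makes tcp4_validate accept it, while the zeroed copy is counted as invalid and trips the warning once the threshold is reached.</p>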