Project

General

Profile

Actions
Copy link

Support #3259

closed

IPv4 fragmentation

Added by Surio Tuno over 4 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Community Ticket
Affected Versions:
4.1.4
Label:

Description

Hello,
I am working on suricata, and I do several test cases with IP fragment replay.

I sent a flow [Frag1, Frag2, ..., Fragn, Frag11, Frag12, ..., Frag1m]: Fragn is last packet and Frag11, ... , Frag1m is repeat from Frag1,... Frag(n-1) with modify source port information (5577)

I saw the first time suricata can detect my source port (for example 5566), and I re-send it, I got my source port is 5577.

when I stop suricata and re-send it, I got my source port still 5577.

So my question is: Where does suricata keeps fragment packet? (is it not from memory?)

Thank you!

Actions
Copy link
 #1

Updated by Victor Julien over 4 years ago

  • Tracker changed from Bug to Support
  • Priority changed from Immediate to Normal
  • Effort deleted (high)
  • Difficulty deleted (high)
Actions
Copy link
 #2

Updated by Andreas Herz over 4 years ago

  • Status changed from New to Feedback
  • Assignee set to Community Ticket
  • Target version set to Support

Do you have a pcap you can share for that testcase?

Actions
Copy link
 #3

Updated by Andreas Herz over 3 years ago

  • Status changed from Feedback to Closed

Hi, we're closing this issue since there have been no further responses.
If you think this bug is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs

Actions
Copy link

Also available in: Atom PDF