Support #3259: IPv4 fragmentation - Suricata - Open Information Security Foundation

Actions

Copy link

Support #3259

closed

IPv4 fragmentation

Added by Surio Tuno over 4 years ago. Updated over 3 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Community Ticket

Affected Versions:

4.1.4

Label:

Description

Hello,
I am working on suricata, and I do several test cases with IP fragment replay.

I sent a flow [Frag1, Frag2, ..., Fragn, Frag11, Frag12, ..., Frag1m]: Fragn is last packet and Frag11, ... , Frag1m is repeat from Frag1,... Frag(n-1) with modify source port information (5577)

I saw the first time suricata can detect my source port (for example 5566), and I re-send it, I got my source port is 5577.

when I stop suricata and re-send it, I got my source port still 5577.

So my question is: Where does suricata keeps fragment packet? (is it not from memory?)

Thank you!

History
Notes
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Support #3259

IPv4 fragmentation

Updated by Victor Julien over 4 years ago

Updated by Andreas Herz over 4 years ago

Updated by Andreas Herz over 3 years ago