Bug #335 (closed)

Problems handling UDP fragments.

Added by Nikolay Denev about 10 years ago. Updated about 10 years ago.

Status: Closed
Priority: High
Assignee: Victor Julien
Target version: 1.1beta3

Description

There seems to be a problem with the handling of packet fragments in Suricata from git.

In my environment large DNSSEC packets get fragmented and the fragments trigger this alert:

[**] [1:1419:9] GPL SNMP trap udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} XX.XX.64.3:0 -> YY.YY.47.8:0

Note the absence of ports in the alert message.

Here is the signature for this alert, which clearly has a port specified:

alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP trap udp"; classtype:attempted-recon; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; sid:1419; rev:9;)

This behavior appeared after upgrading from 1.0.3 to GIT.

https://redmine.openinfosecfoundation.org/projects/suricata/repository/revisions/e13181496c435f5a6b401faf7d40298608d3314c looks like a possible cause.
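The following is an added illustration by the editor of the failure mode described in this report; it is not code from the reporter or from Suricata, and the linked commit is not reproduced here. It builds a large UDP datagram (a constructed stand-in for a DNSSEC reply, with made-up 10.0.0.x addresses and port 40000), splits it into IPv4 fragments, and shows why only the first fragment carries UDP ports: the second and later fragments have no UDP header at all, which is what the "0 -> 0" in the alert reflects. The `rule_matches_lenient` function is an assumed model of the reported misbehaviour (skipping the port test when no ports are available), not Suricata's actual matching code; `rule_matches_strict` and the defragmenter show the expected behaviour, where a port-qualified rule is only evaluated against a packet that has an L4 header, i.e. the first fragment or the reassembled datagram.

```python
import socket
import struct

UDP = 17

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words, as used for the IPv4 header checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    # UDP checksum left at 0, which IPv4 permits ("no checksum").
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def build_ipv4_fragments(src: bytes, dst: bytes, ident: int, proto: int,
                         payload: bytes, mtu: int) -> list:
    """Fragment an IP payload. Data per fragment is a multiple of 8 bytes; the
    fragment offset field counts 8-byte units; MF is set on all but the last."""
    max_data = (mtu - 20) // 8 * 8
    frags, offset = [], 0
    while offset < len(payload):
        chunk = payload[offset:offset + max_data]
        more = offset + len(chunk) < len(payload)
        flags_frag = (0x2000 if more else 0) | (offset // 8)
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), ident,
                          flags_frag, 64, proto, 0, src, dst)
        hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
        frags.append(hdr + chunk)
        offset += len(chunk)
    return frags

def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "id": ident, "proto": proto, "mf": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8, "payload": pkt[ihl:total_len]}

def udp_ports(info: dict):
    """Ports exist only in the first fragment (offset 0); later fragments carry
    raw payload bytes and no UDP header, so there is nothing to return."""
    if info["proto"] != UDP or info["offset"] != 0 or len(info["payload"]) < 8:
        return None
    return struct.unpack("!HH", info["payload"][:4])

class Defragmenter:
    """Minimal IPv4 reassembly keyed on (src, dst, id, proto). Returns the whole
    datagram once every byte from 0 to the last fragment's end is present."""
    def __init__(self):
        self._pending = {}

    def add(self, info: dict):
        key = (info["src"], info["dst"], info["id"], info["proto"])
        entry = self._pending.setdefault(key, {"chunks": {}, "total": None})
        entry["chunks"][info["offset"]] = info["payload"]
        if not info["mf"]:
            entry["total"] = info["offset"] + len(info["payload"])
        if entry["total"] is None:
            return None
        have = 0
        for off in sorted(entry["chunks"]):   # gaps or overlaps -> not done yet
            if off != have:
                return None
            have += len(entry["chunks"][off])
        if have != entry["total"]:
            return None
        del self._pending[key]
        data = b"".join(entry["chunks"][o] for o in sorted(entry["chunks"]))
        return dict(info, offset=0, mf=False, payload=data)

# Port/protocol part of the "GPL SNMP trap udp" rule quoted above (sid 1419).
RULE_SNMP_TRAP = {"proto": UDP, "dport": 162}

def rule_matches_lenient(rule: dict, info: dict) -> bool:
    """Assumed model of the reported bug: a fragment with no UDP header is not
    rejected, the port test is skipped and the rule fires with ports 0 -> 0."""
    if info["proto"] != rule["proto"]:
        return False
    ports = udp_ports(info)
    return True if ports is None else ports[1] == rule["dport"]

def rule_matches_strict(rule: dict, info: dict) -> bool:
    """Expected behaviour: no ports, no match; evaluate after reassembly instead."""
    if info["proto"] != rule["proto"]:
        return False
    ports = udp_ports(info)
    return ports is not None and ports[1] == rule["dport"]

def demo(mtu: int = 576) -> dict:
    dns_reply = b"\x00" * 1400                     # constructed large UDP payload
    udp = build_udp(53, 40000, dns_reply)          # constructed ports: 53 -> 40000
    frags = build_ipv4_fragments(socket.inet_aton("10.0.0.3"), socket.inet_aton("10.0.0.8"),
                                 0x1234, UDP, udp, mtu)
    defrag = Defragmenter()
    out = {"fragments": len(frags), "lenient": [], "strict": [],
           "reassembled_ports": None, "strict_reassembled": None}
    for pkt in frags:
        info = parse_ipv4(pkt)
        out["lenient"].append(rule_matches_lenient(RULE_SNMP_TRAP, info))
        out["strict"].append(rule_matches_strict(RULE_SNMP_TRAP, info))
        whole = defrag.add(info)
        if whole is not None:
            out["reassembled_ports"] = udp_ports(whole)
            out["strict_reassembled"] = rule_matches_strict(RULE_SNMP_TRAP, whole)
    return out

if __name__ == "__main__":
    print(demo())
```

With a 576-byte MTU the 1408-byte datagram becomes three fragments; the lenient matcher fires on the second and third (the ones with no UDP header), the strict matcher fires on none of them, and after reassembly the real ports (53 -> 40000) are visible and the port-162 rule correctly does not match.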

#1

Updated by Nikolay Denev about 10 years ago

A pcap file with one packet fragment that triggers the rule 100% is privately available.

#2

Updated by Victor Julien about 10 years ago

  • Status changed from New to Assigned
  • Assignee set to Victor Julien
  • Priority changed from Normal to High
  • Target version set to 1.1beta3
#3

Updated by Victor Julien about 10 years ago

  • Status changed from Assigned to Closed

Resolved in the current git master.
