Feature #417
Closed
ip fragmentation time out feature in yaml
Description
Hi,
I think that it would be beneficial if Suricata can have the ip frag time out values as an option in the yaml. Through my analysis it (frag timeout) seems to be different for the different OSs. It does not matter if the system is 32 or 64 bit, but it does matter if it handles IPv4 or IPv6 addresses, e.g.:
(most of those values you can find under /proc/sys/net/ipv4/ipfrag_time on most of the systems – the amount of time a fragment will be kept in memory, after that it will be discarded.)
All values in seconds
IPv4:
Suse - 20
CentOS - 30
Ubuntu - 30
Debian - 30
Solaris - there seems to be a frag packet limit, not time based - 800 fragments max
FreeBSD - there seems to be a frag packet limit, not time based - 800 fragments max
NetBSD - is different, it seems to have maxqueue limits instead of time
Fedora - 30
Windows (all) - hardcoded, can not be changed - 60
IPv6:
Suse - 60
CentOS - 60
Ubuntu - 60
Debian - 60
Solaris - there seems to be a frag packet limit, not time based - 6400 fragments max
FreeBSD - there seems to be a frag packet limit, not time based - 6400 fragments max
NetBSD - for IPv6 it has max 200 fragments limit.
Fedora - 60
Windows (all) - hardcoded, can not be changed - 60
Maybe an option in yaml?
There are other ip fragmentation values that differ for the different OSs as well.
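An added example, not part of the original ticket or of Suricata's code: a small Python model of a time-based fragment queue, run against the IPv4 timeouts listed in the description, showing which hosts reach a different reassembly outcome than a sensor that uses one fixed timeout. The timer model (started by the first fragment, not refreshed by later ones) and the names `reassembles`, `disagreeing_hosts` and `SAMPLE` are assumptions made for illustration.

```python
# Added example: IPv4 fragment timeouts (seconds) copied from the list in the ticket.
IPV4_FRAG_TIMEOUT = {
    "Suse": 20, "CentOS": 30, "Ubuntu": 30, "Debian": 30, "Fedora": 30, "Windows": 60,
}


def reassembles(fragments, timeout):
    """True if a time-based reassembly queue with `timeout` completes the datagram.

    fragments: (arrival_s, offset, length, more_fragments) tuples.
    Assumed model: the timer starts with the first fragment held, is not
    refreshed by later ones, and on expiry every held fragment is discarded.
    """
    started, held, total = None, {}, None
    for arrival, offset, length, more in sorted(fragments):
        if started is not None and arrival - started >= timeout:
            started, held, total = None, {}, None  # queue expired, start over
        if started is None:
            started = arrival
        held[offset] = length
        if not more:
            total = offset + length  # last fragment fixes the datagram size
        if total is not None:
            end = 0
            for off in sorted(held):
                if off > end:
                    break  # hole in the byte range, still incomplete
                end = max(end, off + held[off])
            if end >= total:
                return True
    return False


def disagreeing_hosts(fragments, sensor_timeout, host_timeouts=IPV4_FRAG_TIMEOUT):
    """Hosts whose reassembly outcome differs from the sensor's."""
    sensor_view = reassembles(fragments, sensor_timeout)
    return sorted(name for name, t in host_timeouts.items()
                  if reassembles(fragments, t) != sensor_view)


# Constructed sample: a 16-byte datagram in two fragments, 25 s apart.
SAMPLE = [(0, 0, 8, True), (25, 8, 8, False)]

if __name__ == "__main__":
    for sensor_timeout in (20, 30, 60):
        print(sensor_timeout, disagreeing_hosts(SAMPLE, sensor_timeout))
```

No single sensor timeout makes the list empty for every arrival gap, which is why the timeout has to be selectable per protected host rather than fixed.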
Updated by Victor Julien over 12 years ago
- Assignee set to Anonymous
- Target version set to TBD
Updated by Victor Julien about 11 years ago
- Status changed from New to Closed
- Assignee changed from Anonymous to Giuseppe Longo
- Target version changed from TBD to 2.0beta2
- % Done changed from 0 to 100
Updated by Peter Manev about 11 years ago
- Status changed from Closed to New
- % Done changed from 100 to 90
The configuration part described here:
https://github.com/inliniac/suricata/pull/654/files
is not yet included in suricata.yaml.
Updated by Peter Manev about 11 years ago
- Status changed from New to Closed
- % Done changed from 90 to 100
Has been added into master.
Thanks Giuseppe