Project

General

Profile

Actions
Copy link

Optimization #6611

open

Fake Tunnels In Fragmented IP Packets

Added by Fredama Bob almost 2 years ago. Updated 21 days ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Effort:
Difficulty:
Label:

Description

Hi all,
I have been experiencing some weird behavior in Suricata with regards to fragmented IP packets, and tunnels. It seems that when Suricata defrags it sets the 'defrag parent' up as a tunnel, which ends up making Suricata output in the alert that it detected a tunnel. These tunnels however have a depth of 0 and the root src and dst ip are equivalent to the tunnel's src and dst ip.
Is this intended behavior? Am I misunderstanding something? Code surrounding this is here I believe https://github.com/OISF/suricata/blob/master/src/defrag.c#L884

Actions
Copy link
 #1

Updated by Philippe Antoine 2 months ago

  • Assignee changed from OISF Dev to Jason Ish

@Jason Ish what is the reason for this ?

Actions
Copy link
 #2

Updated by Jason Ish 2 months ago ยท Edited

Philippe Antoine wrote in #note-1:

@Jason Ish what is the reason for this ?

When developed, I think it was the only way to express this sort of relationship between the reassembled packet, and its source/parent.

Actions
Copy link
 #3

Updated by Jason Ish 2 months ago

  • Assignee changed from Jason Ish to OISF Dev
Actions
Copy link
 #4

Updated by Philippe Antoine 21 days ago

  • Tracker changed from Bug to Optimization

So, I do not think there is a bug, even if the code may be improved

Actions
Copy link

Also available in: Atom PDF