Project

General

Profile

Actions

Bug #6611

open

Fake Tunnels In Fragmented IP Packets

Added by Fredama Bob about 1 year ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi all,
I have been experiencing some weird behavior in Suricata with regards to fragmented IP packets, and tunnels. It seems that when Suricata defrags it sets the 'defrag parent' up as a tunnel, which ends up making Suricata output in the alert that it detected a tunnel. These tunnels however have a depth of 0 and the root src and dst ip are equivalent to the tunnel's src and dst ip.
Is this intended behavior? Am I misunderstanding something? Code surrounding this is here I believe https://github.com/OISF/suricata/blob/master/src/defrag.c#L884

No data to display

Actions

Also available in: Atom PDF