Optimization #6611
Fake Tunnels In Fragmented IP Packets
Status: open
Description
Hi all,
I have been experiencing some weird behavior in Suricata with regard to fragmented IP packets and tunnels. It seems that when Suricata defrags, it sets the 'defrag parent' up as a tunnel, which ends up making Suricata report in the alert that it detected a tunnel. These tunnels, however, have a depth of 0, and the root src and dst IP are equivalent to the tunnel's src and dst IP.
Is this intended behavior? Am I misunderstanding something? The code surrounding this is here, I believe: https://github.com/OISF/suricata/blob/master/src/defrag.c#L884
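As an added triage example (not code from the reporter or from the Suricata project): a filter over EVE JSON alert lines that separates the depth-0, same-address "tunnel" entries described above from alerts on genuinely encapsulated traffic. It assumes the EVE "tunnel" object carries src_ip, dest_ip, proto and depth; the sample lines are constructed.

```python
import json
from typing import Dict, List

# Constructed sample EVE records (not real Suricata output). The "tunnel"
# object layout (src_ip, dest_ip, proto, depth) is an assumption of this
# example about how EVE serialises a tunnelled packet.
SAMPLE_EVE_LINES = [
    # Alert on a reassembled fragment: tunnel present, depth 0, same IPs.
    '{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9",'
    '"proto":"UDP","tunnel":{"src_ip":"10.0.0.5","dest_ip":"10.0.0.9",'
    '"proto":"UDP","depth":0},"alert":{"signature_id":1}}',
    # Alert on traffic inside a GRE tunnel: outer IPs differ, depth 1.
    '{"event_type":"alert","src_ip":"192.168.1.10","dest_ip":"192.168.1.20",'
    '"proto":"TCP","tunnel":{"src_ip":"203.0.113.1","dest_ip":"203.0.113.2",'
    '"proto":"GRE","depth":1},"alert":{"signature_id":2}}',
    # Plain alert with no tunnel object at all.
    '{"event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.8",'
    '"proto":"TCP","alert":{"signature_id":3}}',
]


def is_defrag_pseudo_tunnel(event: Dict) -> bool:
    """True when the tunnel object matches the report's description of a
    defrag parent: depth 0 and outer addresses equal to the inner ones."""
    tunnel = event.get("tunnel")
    if not isinstance(tunnel, dict):
        return False
    return (
        tunnel.get("depth") == 0
        and tunnel.get("src_ip") == event.get("src_ip")
        and tunnel.get("dest_ip") == event.get("dest_ip")
    )


def classify_tunnels(lines: List[str]) -> Dict[int, str]:
    """Map signature_id -> 'none' | 'pseudo' | 'real' for each alert line."""
    result: Dict[int, str] = {}
    for line in lines:
        event = json.loads(line)
        if event.get("event_type") != "alert":
            continue
        sid = event["alert"]["signature_id"]
        if "tunnel" not in event:
            result[sid] = "none"
        elif is_defrag_pseudo_tunnel(event):
            result[sid] = "pseudo"
        else:
            result[sid] = "real"
    return result
```

Running classify_tunnels over a real eve.json stream lets you count how many "tunnel" alerts are really just reassembled fragments before deciding whether dashboards or correlation rules keyed on the tunnel field need adjusting.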
Updated by Philippe Antoine 2 months ago
- Assignee changed from OISF Dev to Jason Ish
@Jason Ish, what is the reason for this?
Updated by Philippe Antoine 21 days ago
- Tracker changed from Bug to Optimization
So, I do not think there is a bug, even if the code may be improved.