Optimization #6611
openFake Tunnels In Fragmented IP Packets
Description
Hi all,
I have been experiencing some weird behavior in Suricata with regards to fragmented IP packets, and tunnels. It seems that when Suricata defrags it sets the 'defrag parent' up as a tunnel, which ends up making Suricata output in the alert that it detected a tunnel. These tunnels however have a depth of 0 and the root src and dst ip are equivalent to the tunnel's src and dst ip.
Is this intended behavior? Am I misunderstanding something? Code surrounding this is here I believe https://github.com/OISF/suricata/blob/master/src/defrag.c#L884
Updated by Philippe Antoine about 1 month ago
- Assignee changed from OISF Dev to Jason Ish
@Jason Ish what is the reason for this ?
Updated by Jason Ish about 1 month ago ยท Edited
Philippe Antoine wrote in #note-1:
@Jason Ish what is the reason for this ?
When developed, I think it was the only way to express this sort of relationship between the reassembled packet, and its source/parent.
Updated by Jason Ish about 1 month ago
- Assignee changed from Jason Ish to OISF Dev
Updated by Philippe Antoine about 3 hours ago
- Tracker changed from Bug to Optimization
So, I do not think there is a bug, even if the code may be improved