Project

General

Profile

Actions

Bug #6611

open

Fake Tunnels In Fragmented IP Packets

Added by Fredama Bob over 1 year ago. Updated 21 days ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi all,
I have been experiencing some weird behavior in Suricata with regards to fragmented IP packets, and tunnels. It seems that when Suricata defrags it sets the 'defrag parent' up as a tunnel, which ends up making Suricata output in the alert that it detected a tunnel. These tunnels however have a depth of 0 and the root src and dst ip are equivalent to the tunnel's src and dst ip.
Is this intended behavior? Am I misunderstanding something? Code surrounding this is here I believe https://github.com/OISF/suricata/blob/master/src/defrag.c#L884

Actions #1

Updated by Philippe Antoine 21 days ago

  • Assignee changed from OISF Dev to Jason Ish

@Jason Ish what is the reason for this ?

Actions #2

Updated by Jason Ish 21 days ago ยท Edited

Philippe Antoine wrote in #note-1:

@Jason Ish what is the reason for this ?

When developed, I think it was the only way to express this sort of relationship between the reassembled packet, and its source/parent.

Actions #3

Updated by Jason Ish 21 days ago

  • Assignee changed from Jason Ish to OISF Dev
Actions

Also available in: Atom PDF