Project

General

Profile

Actions

Optimization #6611

open

Fake Tunnels In Fragmented IP Packets

Added by Fredama Bob over 1 year ago. Updated about 3 hours ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Hi all,
I have been experiencing some weird behavior in Suricata with regards to fragmented IP packets, and tunnels. It seems that when Suricata defrags it sets the 'defrag parent' up as a tunnel, which ends up making Suricata output in the alert that it detected a tunnel. These tunnels however have a depth of 0 and the root src and dst ip are equivalent to the tunnel's src and dst ip.
Is this intended behavior? Am I misunderstanding something? Code surrounding this is here I believe https://github.com/OISF/suricata/blob/master/src/defrag.c#L884

Actions #1

Updated by Philippe Antoine about 1 month ago

  • Assignee changed from OISF Dev to Jason Ish

@Jason Ish what is the reason for this ?

Actions #2

Updated by Jason Ish about 1 month ago ยท Edited

Philippe Antoine wrote in #note-1:

@Jason Ish what is the reason for this ?

When developed, I think it was the only way to express this sort of relationship between the reassembled packet, and its source/parent.

Actions #3

Updated by Jason Ish about 1 month ago

  • Assignee changed from Jason Ish to OISF Dev
Actions #4

Updated by Philippe Antoine about 3 hours ago

  • Tracker changed from Bug to Optimization

So, I do not think there is a bug, even if the code may be improved

Actions

Also available in: Atom PDF