Optimization #6611: Fake Tunnels In Fragmented IP Packets - Suricata - Open Information Security Foundation

Actions

Copy link

Optimization #6611

open

FB OD

Fake Tunnels In Fragmented IP Packets

Optimization #6611: Fake Tunnels In Fragmented IP Packets

Added by Fredama Bob over 2 years ago. Updated 7 months ago.

Status:

New

Priority:

Normal

Assignee:

OISF Dev

Target version:

TBD

Effort:

Difficulty:

Label:

Description

Hi all,
I have been experiencing some weird behavior in Suricata with regards to fragmented IP packets, and tunnels. It seems that when Suricata defrags it sets the 'defrag parent' up as a tunnel, which ends up making Suricata output in the alert that it detected a tunnel. These tunnels however have a depth of 0 and the root src and dst ip are equivalent to the tunnel's src and dst ip.
Is this intended behavior? Am I misunderstanding something? Code surrounding this is here I believe https://github.com/OISF/suricata/blob/master/src/defrag.c#L884

PA Updated by Philippe Antoine 9 months ago Actions
Copy link
#1

Assignee changed from OISF Dev to Jason Ish

@Jason Ish what is the reason for this ?

JI Updated by Jason Ish 9 months ago · Edited Actions
Copy link
#2

Philippe Antoine wrote in #note-1:

@Jason Ish what is the reason for this ?

When developed, I think it was the only way to express this sort of relationship between the reassembled packet, and its source/parent.

JI Updated by Jason Ish 9 months ago Actions
Copy link
#3

Assignee changed from Jason Ish to OISF Dev

PA Updated by Philippe Antoine 7 months ago Actions
Copy link
#4

Tracker changed from Bug to Optimization

So, I do not think there is a bug, even if the code may be improved

Actions

Copy link

Also available in: PDF Atom

Project

General

Profile

Suricata

Custom queries