Security #7458 (closed)
af-packet: defrag option can lead to truncated packets
Description
Given a default AF_PACKET IDS configuration, the default snaplen is set to 1524. However, the defrag option can reassemble fragmented packets up to the maximum packet size. Suricata will then see these packets as truncated, create an alert, but not go any further with the packets.
A quick test with --set default-packet-size=5000 helps with smaller packets, as seen with Wireguard, but can only be increased to just over 32000 before other parameters need to be adjusted.
If the defrag option is used, should we set up AF_PACKET to handle full-size packets by default?
Updated by Jason Ish 7 months ago
Current work-around with code changes for IDS mode only:
    # 65535 + 14
    default-packet-size: 65549

    af-packet:
      - interface: enp10s0
        defrag: true
        # Required for custom block-size, but not recommended for IPS.
        tpacket-v3: true
        # Large enough 32 packets of default-packet-size.
        block-size: 2097152
For t-packet v2, as well as IPS mode, I guess the best thing is to disable defrag. However, turning off defrag is necessary for IPS setups.
Questions:
- What is the impact of increasing this block size?
- What is the impact of increasing the default packet size?
- Can we/should we modify the code to fix this for tpacket-v2 (which is the default)?
Should we look at better defaults? If IDS, default to tpacket-v3 with large packet size? If IPS, force off defrag?
I think it would be rather trivial to stuff something like DNS requests with extra data such that Suricata IDS defaults would always see the packets as truncated. Or perform some UDP tunneling in large packets that are always fragmented and seen as truncated by Suricata, using the defaults.
Updated by Jason Ish 5 months ago
- Related to Optimization #4798: af-packet: default to tpacket-v3 in IDS mode added
Updated by Juliana Fajardini Reichow 4 months ago
- CVE set to 2025-29915
Security Advisory: https://github.com/OISF/suricata/security/advisories/GHSA-7m5c-cqx4-x8mp
Updated by Jason Ish 4 months ago
- Status changed from In Review to Resolved
While it's still possible that truncated packets can be seen in 7.0.9, the alert is there, and the configuration options are there to mitigate the issue.
In summary, the following changes were made to the development branch and backported to 7.0.9:
- increase default block size from 32k to 128k. This allows a fully defragmented packet to fit.
- For tpacket-v2, increase the default snaplen from 1514 to 9k. In normal usage it's probably unlikely to see 65k packets, and keeping the snaplen down decreases the memory usage. It's not uncommon to see packets a little over the MTU with VPNs and such. So this should cover those.
- Expose a tpacket-v2 block size parameter to the config so users can lower if necessary
- Add a warning to recommend tpacket-v3 if in passive IDS mode
- Add a warning to disable defrag if in IPS mode
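The configuration audit below is an added example, not Suricata code: it encodes the recommendations from this thread (no defrag in IPS mode, tpacket-v3 for passive IDS with defrag, a capture size large enough for a fully reassembled datagram) as checks over af-packet settings given as plain dicts. The block-size check (one packet of default-packet-size must fit in a block) and the hypothetical function name are assumptions.

```python
# Added example, not Suricata code: audit af-packet settings against the
# recommendations in this thread. Config values are passed as plain dicts
# (constructed sample configs below) rather than parsed from YAML.

MAX_DEFRAG_PACKET = 65535 + 14       # IPv4 max datagram + Ethernet header (work-around comment)
OLD_DEFAULT_BLOCK_SIZE = 32 * 1024   # pre-7.0.9 default block size named in the resolution


def audit_afpacket(mode: str, default_packet_size: int, iface: dict) -> list[str]:
    """Return findings for one af-packet interface entry.

    mode is "ids" (passive) or "ips" (inline). Thresholds follow the issue
    discussion; the block-size rule (a single packet of default-packet-size
    must fit in one block) is an assumption for this example.
    """
    findings = []
    defrag = bool(iface.get("defrag", False))
    v3 = bool(iface.get("tpacket-v3", False))
    block_size = int(iface.get("block-size", OLD_DEFAULT_BLOCK_SIZE))

    if mode == "ips" and defrag:
        findings.append("defrag enabled in IPS mode: disable defrag (7.0.9 warns about this)")
    if mode == "ids" and defrag and not v3:
        findings.append("passive IDS with defrag on tpacket-v2: prefer tpacket-v3 "
                        "and a larger default-packet-size")
    if defrag and default_packet_size < MAX_DEFRAG_PACKET:
        findings.append(f"default-packet-size {default_packet_size} < {MAX_DEFRAG_PACKET}: "
                        "reassembled datagrams above this size are seen as truncated")
    if block_size < default_packet_size:
        findings.append(f"block-size {block_size} < default-packet-size {default_packet_size}: "
                        "one full packet does not fit in a block")
    return findings


# Constructed sample: the IDS work-around posted in the thread.
WORKAROUND_IFACE = {"interface": "enp10s0", "defrag": True, "tpacket-v3": True,
                    "block-size": 2097152}
# Constructed sample: pre-7.0.9 style defaults (tpacket-v2, 32k block, 1514 snaplen).
OLD_DEFAULT_IFACE = {"interface": "enp10s0", "defrag": True, "tpacket-v3": False}

if __name__ == "__main__":
    for label, mode, size, iface in [
        ("work-around/IDS", "ids", 65549, WORKAROUND_IFACE),
        ("old default/IDS", "ids", 1514, OLD_DEFAULT_IFACE),
        ("old default/IPS", "ips", 1514, OLD_DEFAULT_IFACE),
    ]:
        print(label, audit_afpacket(mode, size, iface) or ["ok"])
```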