Project

General

Profile

Actions

Feature #752

closed

Improve checksum detection algorithm

Added by Eric Leblond over 11 years ago. Updated almost 11 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Current detection algorithm is using the rate (TCP pkt with valid checksum)/(total nb of packet on interface). We should switch to a full TCP rate with (TCP pkt with valid checksum)/(total nb of TCP packets on interface).

Actions #1

Updated by Victor Julien over 11 years ago

  • Status changed from New to Assigned
  • Assignee set to Eric Leblond
  • Target version set to 1.4.1
Actions #2

Updated by Victor Julien over 11 years ago

  • Target version changed from 1.4.1 to 2.0beta1
Actions #3

Updated by Eric Leblond over 11 years ago

  • Status changed from Assigned to Closed

It is not a real issue if we are using TCP against total number of packets. It should give a correct idea on most systems.

The major point here is that it is not implemented in pcap file leading to a high number of users with detection issue. I propose to implement it for pcap file running mode. I'm thinking about inverting the logic for pcap file to non tag as invalid packet before the packet count is reached. Once reached, we switch mode.

Actions #4

Updated by Victor Julien over 11 years ago

  • Status changed from Closed to Assigned

Reopened on Eric's request.

Actions #5

Updated by Eric Leblond over 11 years ago

  • % Done changed from 0 to 90

pcap-file checksum-checks is implemented by https://github.com/inliniac/suricata/pull/396

Actions #6

Updated by Victor Julien over 11 years ago

  • Target version changed from 2.0beta1 to 2.0beta2
Actions #7

Updated by Eric Leblond almost 11 years ago

  • Status changed from Assigned to Closed
Actions

Also available in: Atom PDF