Feature #752
Closed
Improve checksum detection algorithm
Description
The current detection algorithm uses the rate (TCP pkt with valid checksum)/(total nb of packets on interface). We should switch to a full TCP rate with (TCP pkt with valid checksum)/(total nb of TCP packets on interface).
Updated by Victor Julien over 11 years ago
- Status changed from New to Assigned
- Assignee set to Eric Leblond
- Target version set to 1.4.1
Updated by Victor Julien over 11 years ago
- Target version changed from 1.4.1 to 2.0beta1
Updated by Eric Leblond over 11 years ago
- Status changed from Assigned to Closed
It is not a real issue if we are using TCP against total number of packets. It should give a correct idea on most systems.
The major point here is that it is not implemented for pcap files, leading to a high number of users with detection issues. I propose to implement it for the pcap file running mode. I'm thinking about inverting the logic for pcap files so as not to tag packets as invalid before the packet count is reached. Once it is reached, we switch mode.
Updated by Victor Julien over 11 years ago
- Status changed from Closed to Assigned
Reopened on Eric's request.
Updated by Eric Leblond over 11 years ago
- % Done changed from 0 to 90
pcap-file checksum-checks is implemented by https://github.com/inliniac/suricata/pull/396
Updated by Victor Julien over 11 years ago
- Target version changed from 2.0beta1 to 2.0beta2
Updated by Eric Leblond almost 11 years ago
- Status changed from Assigned to Closed
Implemented in https://github.com/inliniac/suricata/pull/671
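The following C sketch is an added example, not Suricata code and not part of the original ticket. It shows how the two denominators from the description can lead to different decisions on mixed traffic, and how the pcap-file proposal (tag nothing as invalid until the packet count is reached, then switch mode) can be expressed. `SAMPLE_COUNT`, `MIN_VALID_PCT`, the decision rule and all function names are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed values for this example; the issue does not state them. */
#define SAMPLE_COUNT  1000  /* packets observed before deciding */
#define MIN_VALID_PCT 90    /* lower valid rate => assume offloading */

typedef enum { DENOM_ALL_PACKETS, DENOM_TCP_ONLY } denom_t;

typedef struct {
    uint64_t total, tcp, tcp_valid; /* counters over the sample window */
    bool decided;                   /* sample window finished */
    bool validate;                  /* keep checksum validation enabled */
    denom_t denom;
} csum_detect_t;

void csum_init(csum_detect_t *d, denom_t denom)
{
    *d = (csum_detect_t){ .validate = true, .denom = denom };
}

/* Feed one packet; returns true if it should be tagged as invalid. */
bool csum_observe(csum_detect_t *d, bool is_tcp, bool csum_ok)
{
    if (d->decided)
        return d->validate && is_tcp && !csum_ok;
    d->total++;
    if (is_tcp) {
        d->tcp++;
        d->tcp_valid += csum_ok ? 1 : 0;
    }
    if (d->total == SAMPLE_COUNT) {
        uint64_t den = (d->denom == DENOM_TCP_ONLY) ? d->tcp : d->total;
        /* No TCP sampled: nothing to judge, leave validation on. */
        d->validate = den == 0 || d->tcp_valid * 100 >= den * MIN_VALID_PCT;
        d->decided = true;
    }
    return false; /* still sampling: never tag (pcap-file proposal) */
}

/* Constructed traffic: every tcp_every-th packet is TCP, the rest is not. */
bool validation_kept(denom_t denom, unsigned tcp_every, bool tcp_csum_ok)
{
    csum_detect_t d;
    csum_init(&d, denom);
    for (unsigned i = 0; i < SAMPLE_COUNT; i++)
        csum_observe(&d, i % tcp_every == 0, tcp_csum_ok);
    return d.validate;
}
```

With the constructed mix of one TCP packet in five, all with valid checksums, the all-packets denominator yields a 20% valid rate and switches validation off under the assumed threshold, while the TCP-only denominator yields 100% and keeps it on.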