Feature #8139: defrag: alert on / reject >=3 layer overlaps - Suricata - Open Information Security Foundation

Actions

Copy link

Feature #8139

open

defrag: alert on / reject >=3 layer overlaps

Added by Victor Julien about 8 hours ago. Updated about 8 hours ago.

Status:

Assigned

Priority:

Normal

Assignee:

Jason Ish

Target version:

9.0.0-beta1

Effort:

Difficulty:

Label:

Description

At Suricon 2025 Lucas Aubard and Johan Mazel presented their research on defrag overlap handling. They found that there are significant issues with >=3 layers of overlap. Their recommendation was to simply alert on that condition.

In IPS/fw modes this should come with a exception policy that defaults to drop.

Details on their research and tooling can be found at https://github.com/ANSSI-FR/pyrolyse

History
Property changes

Actions

Copy link

Updated by Victor Julien about 8 hours ago

Subject changed from defrag: alert on / reject 3+ layer overlaps to defrag: alert on / reject >=3 layer overlaps

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Feature #8139

defrag: alert on / reject >=3 layer overlaps

Updated by Victor Julien about 8 hours ago