Project

General

Profile

Actions
Copy link

Bug #819

closed

af-packet ips mode rule processing bug

Added by Laszlo Madarassy almost 11 years ago. Updated almost 11 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Eric Leblond
Target version:
2.0beta1
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,

I'm using suricata in IPS mode between eth1 and eth2, I write a test rule to drop all udp, tcp and icmp traffic, but some TCP traffic (HTTP request, fragmented TCP packets, second fragments). I have MTU size 1514 in both interfaces, but the captured packets have size 1518!
Example:

eth1 capture:
1.116317 216.137.61.113 -> 192.168.27.5 TCP 66 http > 46366 [ACK] Seq=1 Ack=337 Win=6912 Len=0 TSval=2843579621 TSecr=516163152
1.116325 216.137.61.113 -> 192.168.27.5 TCP 1514 [TCP segment of a reassembled PDU]
1.140508 216.137.61.113 -> 192.168.27.5 TCP 1514 [TCP segment of a reassembled PDU]
1.159567 216.137.61.113 -> 192.168.27.5 TCP 2962 [TCP segment of a reassembled PDU]
1.171307 216.137.61.113 -> 192.168.27.5 HTTP 1353 HTTP/1.0 200 OK (application/javascript)
1.500951 195.56.65.78 -> 192.168.27.5 TCP 74 http > 43649 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 SACK_PERM=1 TSval=856202389 TSecr=516179290 WS=512
1.500958 195.56.65.77 -> 192.168.27.5 TCP 1514 [TCP segment of a reassembled PDU]

eth2 capture:
0.000000 216.137.61.113 -> 192.168.27.5 HTTP 1518 Continuation or non-HTTP traffic
0.623416 195.56.65.78 -> 192.168.27.5 TCP 1518 [TCP segment of a reassembled PDU]
0.694906 195.56.65.78 -> 192.168.27.5 TCP 1518 [TCP segment of a reassembled PDU]
0.924848 195.56.65.78 -> 192.168.27.5 TCP 1518 [TCP segment of a reassembled PDU]
0.963212 195.56.65.78 -> 192.168.27.5 TCP 1518 [TCP segment of a reassembled PDU]

Suricata config:

%YAML 1.1
---

outputs:

af-packet:
- interface: eth1
threads: 1
cluster-id: 99
cluster-type: cluster_flow
defrag: yes
checksum-checks: yes
use-mmap: yes
copy-mode: ips
copy-iface: eth2
- interface: eth2
threads: 1
cluster-id: 98
cluster-type: cluster_flow
defrag: yes
checksum-checks: yes
use-mmap: yes
copy-mode: ips
copy-iface: eth1

default-rule-path: /etc/suricata/rules
rule-files:
- mini.rule

action-order:
- pass
- drop
- reject
- alert

mini.rule file:
drop tcp any any -> any any (msg:"drop tcp";sid:1;)
drop udp any any -> any any (msg:"drop udp";sid:2;)
drop icmp any any -> any any (msg:"drop icmp";sid:3;)

Suricata version: 1.4.1 (debian sid version)
kernel: 3.8

Files

Download all files
eth1.log (378 KB) eth1.log Laszlo Madarassy, 06/06/2013 07:03 AM
eth2.log (12.2 KB) eth2.log Laszlo Madarassy, 06/06/2013 07:03 AM

Subtasks 1 (0 open1 closed)

Bug #826: af-packet ips mode rule processing bug (1.4.x)ClosedEric Leblond06/17/2013Actions
Actions
Copy link

Also available in: Atom PDF