Security #7458

Updated by Jason Ish 7 months ago

Given a default AF_PACKET IDS configuration, the default @snaplen@ is set to @1524@. However, the @defrag@ option can reassemble fragmented packets up to the maximum packet size. Suricata will then see these packets as truncated and alert/log on them (anomaly alerts and/or decoder alerts), but not go any further with the packets.

A quick test with @--set default-packet-size=5000@ helps with smaller packets, as seen with WireGuard, but it can only be increased to just over @32000@ before other parameters need to be adjusted.

If the @defrag@ option is used, should we set up @AF_PACKET@ to handle full-size packets by default?