Bug #335: Problems handling UDP fragments.
Status: Closed
Description
There seems to be a problem with the handling of packet fragments in Suricata from git.
In my environment large DNSSEC packets get fragmented and the fragments trigger this alert:
[**] [1:1419:9] GPL SNMP trap udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} XX.XX.64.3:0 -> YY.YY.47.8:0
Note the absence of ports in the alert message.
Here is the signature for this alert, which clearly has a port specified:
alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP trap udp"; classtype:attempted-recon; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; sid:1419; rev:9;)
This behavior appeared after upgrading from 1.0.3 to git.
https://redmine.openinfosecfoundation.org/projects/suricata/repository/revisions/e13181496c435f5a6b401faf7d40298608d3314c looks like a possible cause.
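The report above describes non-first IP fragments of a large UDP datagram matching a rule that specifies destination port 162, and being logged with both ports shown as 0. The following is an added illustration, not Suricata code and not from the reporter, of why a later fragment carries no UDP ports and how a port-specific rule should treat such a packet. It builds a constructed 2048-byte UDP payload between documentation addresses (203.0.113.3:53 -> 198.51.100.8:40001 are assumptions), fragments it at a 1500-byte MTU, reassembles the fragments, and compares a strict port check against a hypothetical naive check that skips the port test when no transport header is present. The naive check only shows one way a false positive of this shape can arise; it is not a description of what the linked commit changed.

```python
import struct

# Constructed sample traffic (documentation address ranges, not the reporter's hosts).
SRC_IP, DST_IP = "203.0.113.3", "198.51.100.8"
SRC_PORT, DST_PORT = 53, 40001
PAYLOAD = bytes(range(256)) * 8          # 2048 bytes: needs two fragments at MTU 1500
HOME_NET_PREFIX = "198.51.100."          # assumed $HOME_NET for the rule check
IPPROTO_UDP = 17


def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def build_udp(src_port, dst_port, payload):
    # UDP header: src port, dst port, length, checksum (zeroed; optional over IPv4)
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def fragment(src, dst, l4, mtu=1500, ident=0x1234, proto=IPPROTO_UDP):
    """Split an IPv4 payload into fragments, each with its own 20-byte IP header.
    Offsets are in 8-byte units, so every chunk except the last is a multiple of 8."""
    chunk = (mtu - 20) // 8 * 8
    frags, off = [], 0
    while off < len(l4):
        piece = l4[off:off + chunk]
        more = off + len(piece) < len(l4)
        flags_off = ((1 if more else 0) << 13) | (off // 8)   # MF flag | fragment offset
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(piece), ident,
                          flags_off, 64, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
        frags.append(hdr + piece)
        off += len(piece)
    return frags


def parse_ipv4(pkt):
    ver_ihl, _, total, ident, flags_off, _, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ident": ident, "proto": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "offset": (flags_off & 0x1FFF) * 8, "more": bool(flags_off & 0x2000),
            "data": pkt[ihl:total]}


def udp_ports(ip):
    """Ports exist only in the fragment carrying the UDP header (offset 0).
    For any later fragment there is nothing to read, so report None rather than 0."""
    if ip["proto"] != IPPROTO_UDP or ip["offset"] != 0 or len(ip["data"]) < 8:
        return None
    return struct.unpack("!HH", ip["data"][:4])


def alert_endpoints(ip):
    """Endpoints in the src:port -> dst:port form of the alert quoted in the report;
    a fragment without a UDP header ends up printed as :0 -> :0."""
    sp, dp = udp_ports(ip) or (0, 0)
    return f"{ip['src']}:{sp} -> {ip['dst']}:{dp}"


def reassemble(frags):
    """Reassemble same-ident fragments in offset order; rejects gaps and overlaps."""
    parsed = sorted((parse_ipv4(f) for f in frags), key=lambda p: p["offset"])
    buf = bytearray()
    for p in parsed:
        assert p["ident"] == parsed[0]["ident"]
        assert p["offset"] == len(buf), "gap or overlap between fragments"
        buf += p["data"]
    assert not parsed[-1]["more"], "last fragment missing"
    full = dict(parsed[0])
    full["data"], full["more"] = bytes(buf), False
    return full


def rule_matches(ip, dst_port):
    """Strict form of 'alert udp $EXTERNAL_NET any -> $HOME_NET <dst_port>':
    a packet with no transport header cannot satisfy a port constraint."""
    if ip["proto"] != IPPROTO_UDP or not ip["dst"].startswith(HOME_NET_PREFIX):
        return False
    ports = udp_ports(ip)
    return ports is not None and ports[1] == dst_port


def naive_rule_matches(ip, dst_port):
    """Hypothetical buggy matcher: skips the port test when ports are unavailable,
    so a trailing fragment matches any port-specific UDP rule for $HOME_NET."""
    if ip["proto"] != IPPROTO_UDP or not ip["dst"].startswith(HOME_NET_PREFIX):
        return False
    ports = udp_ports(ip)
    return True if ports is None else ports[1] == dst_port


def demo(dst_port=162):
    """Run both matchers over each fragment and over the reassembled datagram."""
    frags = fragment(SRC_IP, DST_IP, build_udp(SRC_PORT, DST_PORT, PAYLOAD))
    per_frag = [(alert_endpoints(p), rule_matches(p, dst_port), naive_rule_matches(p, dst_port))
                for p in map(parse_ipv4, frags)]
    full = reassemble(frags)
    return per_frag, alert_endpoints(full), rule_matches(full, dst_port)


if __name__ == "__main__":
    for endpoints, strict, naive in demo()[0]:
        print(f"{endpoints}  strict={strict}  naive={naive}")
```

Reassembling before detection (or at minimum refusing to evaluate a port constraint on a packet that has no transport header) is the property to check when validating a fix: the trailing fragment shown as `:0 -> :0` must not match a rule that names port 162.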
Updated by Nikolay Denev about 13 years ago
A pcap file with one packet fragment that triggers the rule 100% is privately available.
Updated by Victor Julien about 13 years ago
- Status changed from New to Assigned
- Assignee set to Victor Julien
- Priority changed from Normal to High
- Target version set to 1.1beta3
Updated by Victor Julien about 13 years ago
- Status changed from Assigned to Closed
Resolved in the current git master.