Bug #335 (closed): Problems handling UDP fragments.
Description
There seems to be a problem with the handling of packet fragments in suricata from git.
In my environment large DNSSEC packets get fragmented and the fragments trigger this alert:
[**] [1:1419:9] GPL SNMP trap udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} XX.XX.64.3:0 -> YY.YY.47.8:0
Note the absence of ports in the alert message.
Here is the signature for this alert, which clearly has a port specified:
alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP trap udp"; classtype:attempted-recon; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; sid:1419; rev:9;)
This behavior appeared after upgrading from 1.0.3 to GIT.
https://redmine.openinfosecfoundation.org/projects/suricata/repository/revisions/e13181496c435f5a6b401faf7d40298608d3314c looks like a possible cause.
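The mechanics behind the report, as an added illustration rather than anything from the bug report or the Suricata code base: only the first IPv4 fragment (offset 0) carries the UDP header, so any per-fragment inspector has no source or destination port for the remaining fragments, which is why a port-based rule can only be decided on the reassembled datagram. The script below is self-made: it builds a constructed oversized UDP datagram (port 53 to port 53, standing in for a DNSSEC response), fragments it the way a router would, shows that port extraction on a non-first fragment yields only the 0/0 the alert printed, and then reassembles before applying a rule that requires destination port 162. The addresses, IP id and MTU are made-up values, and `rule_verdict` is a model of a port check, not Suricata's detection engine.

```python
import struct
from typing import Dict, List, Optional, Tuple

UDP = 17


def build_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """UDP header (checksum left at 0, acceptable for IPv4) followed by payload."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def fragment_ipv4(l4: bytes, ident: int, mtu: int = 1500) -> List[bytes]:
    """Split an L4 datagram into IPv4 fragments as a router would.
    Every fragment payload except the last is a multiple of 8 bytes because the
    fragment offset field counts 8-byte units. Addresses are constructed values."""
    max_payload = (mtu - 20) // 8 * 8
    frags, offset = [], 0
    while offset < len(l4):
        chunk = l4[offset:offset + max_payload]
        more = 1 if offset + len(chunk) < len(l4) else 0
        flags_frag = (more << 13) | (offset // 8)
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), ident,
                          flags_frag, 64, UDP, 0,
                          bytes([10, 0, 64, 3]), bytes([10, 0, 47, 8]))
        frags.append(hdr + chunk)
        offset += len(chunk)
    return frags


def parse_ipv4(pkt: bytes) -> Dict:
    """Minimal IPv4 header parse: enough to find fragment offset, MF flag and payload."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    return {
        "id": ident,
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,
        "proto": pkt[9],
        "payload": pkt[ihl:total_len],
    }


def ports_of_fragment(pkt: bytes) -> Tuple[int, int]:
    """What a per-packet inspector sees: the UDP header exists only in the
    offset-0 fragment. Any other fragment has no ports at all, so report 0/0,
    which is exactly what the alert in the report printed."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != UDP or ip["frag_offset"] != 0 or len(ip["payload"]) < 8:
        return (0, 0)
    return struct.unpack("!HH", ip["payload"][:4])


def reassemble(frags: List[bytes]) -> bytes:
    """Rebuild the L4 datagram, rejecting gaps, overlaps and a missing tail."""
    parsed = sorted((parse_ipv4(f) for f in frags), key=lambda p: p["frag_offset"])
    if len({p["id"] for p in parsed}) != 1:
        raise ValueError("fragments from different datagrams")
    buf = b""
    for p in parsed:
        if p["frag_offset"] != len(buf):
            raise ValueError("gap or overlap in fragment chain")
        buf += p["payload"]
    if parsed[-1]["more_fragments"]:
        raise ValueError("last fragment missing")
    return buf


def rule_verdict(rule_dst_port: int, pkt: bytes) -> Optional[bool]:
    """Model of a per-packet port check. Returns None when the packet carries no
    UDP header, i.e. the rule cannot be decided on this fragment alone."""
    ip = parse_ipv4(pkt)
    if ip["frag_offset"] != 0 or len(ip["payload"]) < 8:
        return None
    _, dst = struct.unpack("!HH", ip["payload"][:4])
    return dst == rule_dst_port


def verdict_after_reassembly(rule_dst_port: int, frags: List[bytes]) -> bool:
    """The correct place to apply a port-based rule: the reassembled datagram."""
    udp = reassemble(frags)
    _, dst = struct.unpack("!HH", udp[:4])
    return dst == rule_dst_port


if __name__ == "__main__":
    # Constructed 3000-byte "DNSSEC response" from port 53 to port 53.
    datagram = build_udp(53, 53, b"\xAA" * 3000)
    frags = fragment_ipv4(datagram, ident=0x1234)
    for i, f in enumerate(frags):
        print(f"fragment {i}: ports={ports_of_fragment(f)} per-fragment verdict for dst 162: {rule_verdict(162, f)}")
    print("after reassembly, rule dst 162 matches:", verdict_after_reassembly(162, frags))
```

Run as-is it prints real ports only for fragment 0 and `(0, 0)` for the rest; the rule that wants destination port 162 returns None (undecidable) on those fragments and False once the datagram is reassembled and its true destination port, 53, is visible.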