
List:       oisf-users
Subject:    [Oisf-users] ip defrag issue (#1211)
From:       Victor Julien <victor () inliniac ! net>
Date:       2014-06-25 17:13:10
Message-ID: 53AB0326.1050903 () inliniac ! net

Antonios Atlasis, working with ERNW GmbH, reported a serious IPv6 defrag
issue. This issue has been fixed in Suricata 2.0.2.

The issue was caused by a logic error in the way the defrag timeout
configuration was set up. If no config was found for a specific host,
there would effectively be no timeout. This led to defrag 'trackers'
being cleaned up prematurely. The premature clean up of the tracker led
to Suricata failing to perform the IP reassembly.

The failed reassembly of these IP packets then leads to missing packets
in TCP stream reassembly, HTTP tracking and detection. Thus, a pretty
serious issue.

Solution: upgrade to 2.0.2

A workaround for 2.0 and 2.0.1 is to add the following config to your yaml:

defrag:
  memcap: 32mb
  hash-size: 65536
  trackers: 65535 # number of defragmented flows to follow
  max-frags: 65535 # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 60

  host-config:
    - all:
        timeout: 60
        address: ["0.0.0.0/0", "::/0"]

The top part is the default config in the yaml; the host-config part is
the workaround.
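To make the failure mode and the workaround concrete, here is a small added Python model (not Suricata's code) of the timeout lookup and tracker sweep described above. It assumes, as a modelling choice, that "no timeout" in 2.0/2.0.1 behaves like a timeout of zero, so a tracker is eligible for clean up as soon as the next sweep runs; the fixed behaviour falls back to the global defrag timeout. The fragments, addresses and IP id are constructed sample data.

```python
import ipaddress

# Global timeout from the 'defrag:' section of the yaml (seconds).
GLOBAL_TIMEOUT = 60

# The workaround host-config from the post: a catch-all matching every address.
WORKAROUND_HOST_CONFIG = [
    {"timeout": 60, "address": ["0.0.0.0/0", "::/0"]},
]


def lookup_timeout(host_config, addr, fixed):
    """Return the defrag timeout to apply to a tracker for 'addr'.

    Assumption (modelling choice, not Suricata's code): with 'fixed=False'
    a host with no matching host-config entry gets a timeout of 0, which
    reproduces the premature clean up; with 'fixed=True' it falls back to
    the global timeout.
    """
    ip = ipaddress.ip_address(addr)
    for entry in host_config:
        for cidr in entry["address"]:
            net = ipaddress.ip_network(cidr)
            if ip.version == net.version and ip in net:
                return entry["timeout"]
    return GLOBAL_TIMEOUT if fixed else 0


def _complete(frags):
    """Join the fragments if they cover offset 0 onwards with no gaps and
    the last one has the more-fragments flag clear; otherwise return None."""
    expected, out, last_more = 0, b"", True
    for off in sorted(frags):
        data, last_more = frags[off]
        if off != expected:
            return None
        out += data
        expected = off + len(data)
    return None if last_more else out


def reassemble(fragments, host_config, fixed):
    """Feed (time, src, dst, ip_id, offset, more_frags, payload) tuples
    through a tracker table; return the payloads that were reassembled."""
    trackers = {}
    reassembled = []
    for now, src, dst, ip_id, offset, more, data in fragments:
        # Timeout sweep: drop every tracker whose deadline has passed.
        for key in [k for k, tr in trackers.items() if tr["expires"] <= now]:
            del trackers[key]
        key = (src, dst, ip_id)
        tr = trackers.get(key)
        if tr is None:
            timeout = lookup_timeout(host_config, dst, fixed)
            tr = trackers[key] = {"expires": now + timeout, "frags": {}}
        tr["frags"][offset] = (data, more)
        payload = _complete(tr["frags"])
        if payload is not None:
            reassembled.append(payload)
            del trackers[key]
    return reassembled


# Constructed sample: one HTTP request line split into two IPv6 fragments
# arriving 1 ms apart (byte offsets, more-fragments flag as a bool).
SAMPLE_FRAGMENTS = [
    (0.000, "2001:db8::10", "2001:db8::80", 0x1234, 0, True, b"GET / HTTP"),
    (0.001, "2001:db8::10", "2001:db8::80", 0x1234, 10, False, b"/1.0\r\n"),
]

if __name__ == "__main__":
    for label, cfg, fixed in [("2.0.1, default yaml", [], False),
                              ("2.0.1 + workaround", WORKAROUND_HOST_CONFIG, False),
                              ("2.0.2", [], True)]:
        print(f"{label}: {reassemble(SAMPLE_FRAGMENTS, cfg, fixed)}")
```

With the default yaml the second fragment arrives to find its tracker already swept, so nothing is reassembled; adding the catch-all host-config gives every host a 60 second timeout and reassembly succeeds without a code change, which is exactly why the workaround works for 2.0 and 2.0.1.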

Even though it was reported as an IPv6 issue, I believe that IPv4 is
also affected.

Thanks to Antonios Atlasis for reporting this issue.

https://redmine.openinfosecfoundation.org/issues/1211

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

_______________________________________________
Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
OISF: http://www.openinfosecfoundation.org/