[Oisf-devel] Avoid drop of truncated TCP packets

Victor Julien victor at inliniac.net
Tue Jun 4 13:29:51 UTC 2013


On 06/04/2013 12:23 PM, עמית קליינמן wrote:
> Hello,
> I am reading a PCAP file into Suricata.
> The PCAP file contains TCP packets, that were recorded with a limit on
> their payload length. So each packet that is longer than X bytes was
> truncated.
> 
> I am interested in detecting anomalies only in the packet headers (IP,
> TCP, HTTP).
> The headers are not truncated.
> 
> Is there an easy way to tell Suricata not to drop the truncated packets,
> so my detect module can analyze them too?

No, they will be rejected by the ipv4 decoder as the length of the
actual packet is less than what is claimed in the ipv4 header. This is
hard coded.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
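To see which packets in a capture fall under the condition Victor describes, the following added example (not Suricata code, and not part of the original thread) walks a classic pcap and flags every IPv4 packet whose captured bytes are fewer than the IPv4 header's total-length field. It assumes a classic (not pcapng) pcap with the Ethernet link type, and it models only that one length check, not the rest of Suricata's decoder; the sample capture it builds with a 96-byte snaplen is constructed test data.

```python
import struct

ETH_HDR_LEN = 14
LINKTYPE_ETHERNET = 1


def build_ipv4_tcp_frame(payload: bytes) -> bytes:
    """Build an Ethernet/IPv4/TCP frame around `payload` (constructed test data).
    The IPv4 total length is set correctly for the full, untruncated packet."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp + payload


def build_pcap(frames, snaplen: int) -> bytes:
    """Serialise frames into a classic little-endian pcap, cutting each frame at
    `snaplen` bytes the way a capture tool run with a snaplen limit would."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        # ts_sec, ts_usec, incl_len (captured), orig_len (on the wire)
        out.append(struct.pack("<IIII", 1370348631 + i, 0, len(captured), len(frame)))
        out.append(captured)
    return b"".join(out)


def iter_pcap(data: bytes):
    """Yield (incl_len, orig_len, frame_bytes) for each record of a classic pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield incl_len, orig_len, data[off:off + incl_len]
        off += incl_len


def ipv4_length_check(frame: bytes):
    """Return (claimed_total_len, bytes_available_to_ipv4) for an Ethernet/IPv4
    frame, or None when the frame is not IPv4 or too short to read the header."""
    if len(frame) < ETH_HDR_LEN + 20 or frame[12:14] != b"\x08\x00":
        return None
    if frame[ETH_HDR_LEN] >> 4 != 4:
        return None
    total_len, = struct.unpack_from("!H", frame, ETH_HDR_LEN + 2)
    return total_len, len(frame) - ETH_HDR_LEN


def find_rejected(pcap_bytes: bytes):
    """Return (index, claimed_len, available_len) for every IPv4 packet whose
    captured bytes are fewer than the IPv4 total length, i.e. the packets the
    reply above says the decoder will reject."""
    rejected = []
    for idx, (_incl, _orig, frame) in enumerate(iter_pcap(pcap_bytes)):
        check = ipv4_length_check(frame)
        if check is None:
            continue
        claimed, available = check
        if available < claimed:
            rejected.append((idx, claimed, available))
    return rejected


if __name__ == "__main__":
    # Constructed capture: three TCP packets with 0, 100 and 1000 payload bytes,
    # recorded with a 96-byte snaplen. Only the first one survives intact.
    sample = build_pcap([build_ipv4_tcp_frame(b"A" * n) for n in (0, 100, 1000)], 96)
    for idx, claimed, available in find_rejected(sample):
        print(f"packet {idx}: ipv4 total length {claimed}, only {available} bytes captured")
```

Run it against a real file by replacing the constructed sample with `open(path, "rb").read()`; every line it prints corresponds to a packet that will not reach the detection engine under the rule stated in the reply.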