[Oisf-devel] Avoid drop of truncated TCP packets

Kenneth Steele ken at tilera.com
Tue Jun 4 13:34:51 UTC 2013


You could edit the pcap file reading code in Suricata to expand the packet to the expected length.

Regards,
-Ken

-----Original Message-----
From: oisf-devel-bounces at openinfosecfoundation.org [mailto:oisf-devel-bounces at openinfosecfoundation.org] On Behalf Of Victor Julien
Sent: Tuesday, June 04, 2013 9:30 AM
To: oisf-devel at openinfosecfoundation.org
Subject: Re: [Oisf-devel] Avoid drop of truncated TCP packets

On 06/04/2013 12:23 PM, עמית קליינמן wrote:
> Hello,
> I am reading a PCAP file into Suricata.
> The PCAP file contains TCP packets that were recorded with a limit on
> their payload length. So each packet that is longer than X bytes was
> truncated.
> 
> I am interested in detecting anomalies only in the packet headers (IP, 
> TCP, HTTP).
> The headers are not truncated.
> 
> Is there an easy way to tell Suricata not to drop the truncated 
> packets, so my detect module can analyze them too?

No, they will be rejected by the ipv4 decoder as the length of the actual packet is less than what is claimed in the ipv4 header. This is hard coded.

--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
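Ken's suggestion, padding each truncated frame back to the length claimed in its IPv4 header before the decoder's length check runs, as an added stand-alone Python example rather than a Suricata patch. This is not code from the thread or from Suricata; it assumes a classic (non-pcapng) pcap with Ethernet II framing and builds its own constructed two-record capture for demonstration.

```python
import struct

# Assumptions for this constructed example: classic (non-pcapng) pcap, Ethernet II framing.
ETH_LEN = 14
ETHERTYPE_IPV4 = 0x0800

def pad_truncated_pcap(pcap):
    """Zero-pad each IPv4 frame whose captured bytes fall short of Ethernet + IPv4
    Total Length, so a decoder's 'claimed length > actual length' check passes.
    Returns (rewritten pcap, number of records padded). Padding is zeros, so TCP
    and UDP checksums over it will not verify; the IDS must not drop on bad checksums."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic == 0xA1B2C3D4:
        end = "<"                 # little-endian microsecond pcap
    elif magic == 0xD4C3B2A1:
        end = ">"                 # big-endian microsecond pcap
    else:
        raise ValueError("unsupported capture format (pcapng / nanosecond magic not handled)")
    out, off, padded = bytearray(pcap[:24]), 24, 0   # global header copied unchanged
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(end + "IIII", pcap, off)
        off += 16
        frame = bytearray(pcap[off:off + incl_len])
        off += incl_len
        if len(frame) >= ETH_LEN + 20 and struct.unpack_from("!H", frame, 12)[0] == ETHERTYPE_IPV4:
            want = ETH_LEN + struct.unpack_from("!H", frame, ETH_LEN + 2)[0]  # IPv4 Total Length
            if len(frame) < want:
                frame += bytes(want - len(frame))
                padded += 1
        # incl_len now equals the padded size; orig_len keeps the on-wire size
        out += struct.pack(end + "IIII", ts_sec, ts_usec, len(frame), max(orig_len, len(frame)))
        out += frame
    return bytes(out), padded

def build_sample_pcap():
    """Constructed two-record capture: a TCP frame cut at snaplen 54 (IPv4 Total Length
    100, so 114 bytes on the wire) followed by a complete 54-byte frame."""
    def frame(ip_total):
        eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 1, 0, 64, 6, 0, bytes(4), bytes(4))
        return eth + ip + bytes(20)   # 20 zero bytes stand in for the TCP header
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 54, 1)   # snaplen 54, linktype 1
    rec = lambda f, orig_len: struct.pack("<IIII", 0, 0, len(f), orig_len) + f
    return header + rec(frame(100), 114) + rec(frame(40), 54)

if __name__ == "__main__":
    fixed, n = pad_truncated_pcap(build_sample_pcap())
    print(f"padded {n} record(s); output is {len(fixed)} bytes")
```

Run the rewritten file through the IDS with checksum validation disabled, since the zero padding makes every padded segment's TCP checksum wrong while leaving the IP, TCP and HTTP headers intact.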
