[Oisf-users] UDP reassembly behaviour

Michel SABORDE michel.saborde at gmail.com
Mon Jun 18 09:14:34 UTC 2012


Hi everyone,

I set up an alert on UDP to match content:"bad.html"; as I did before with
TCP, and I discovered a strange behaviour that may be normal ...
I send all my datagrams from the same IP dest/IP source/port dest/port
source.
If one datagram contains the payload "bad.html" the alert will be triggered,
but if you send two datagrams in a row which contain "bad." and "html", no
alert will be triggered because I think, correct me if I'm wrong, that
Suricata does not reassemble UDP datagrams.
I know that UDP datagrams may not be received, or may be received in a
different order, but I think that it would be a nice feature anyway.
I tried Snort and it does that kind of datagram reassembly.

Michel
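The split-payload case described in the post above, as an added example that is not part of the original message and not Suricata's or Snort's code: a stateless per-datagram content check beside a small per-flow carry-over buffer that finds "bad.html" when it straddles two consecutive datagrams of the same 5-tuple. All sample traffic, addresses and names are constructed.

```python
# Added example (not from the original post or from Suricata): a minimal
# per-flow matcher showing why a content match evaluated per UDP datagram
# misses "bad.html" when it is split over two datagrams, and how a small
# per-flow carry-over buffer (bounded by the pattern length) catches it.
from collections import defaultdict

PATTERN = b"bad.html"

def match_per_datagram(datagrams):
    """Stateless check, one datagram at a time: the split payload is missed."""
    return any(PATTERN in payload for _, payload in datagrams)

class FlowMatcher:
    """Keeps the last len(pattern)-1 bytes per flow so a pattern straddling
    two consecutive datagrams of the same flow is still found. Datagrams are
    checked in arrival order; lost or reordered datagrams are not handled,
    which is exactly the caveat the original post raises about UDP."""
    def __init__(self, pattern):
        self.pattern = pattern
        self.keep = len(pattern) - 1
        self.tail = defaultdict(bytes)  # flow -> trailing bytes of last datagram

    def feed(self, flow, payload):
        data = self.tail[flow] + payload
        hit = self.pattern in data
        # Retain only as many bytes as could still start a partial match.
        self.tail[flow] = data[-self.keep:] if self.keep else b""
        return hit

def match_with_flow_state(datagrams):
    """Stateful check keyed on the 5-tuple: the split payload is found."""
    matcher = FlowMatcher(PATTERN)
    return any(matcher.feed(flow, payload) for flow, payload in datagrams)

# Constructed sample traffic: same src/dst IP and ports, pattern split in two.
FLOW = ("10.0.0.1", 40000, "10.0.0.2", 53)
SPLIT = [(FLOW, b"GET /bad."), (FLOW, b"html HTTP/1.0\r\n")]
WHOLE = [(FLOW, b"GET /bad.html HTTP/1.0\r\n")]

if __name__ == "__main__":
    print(match_per_datagram(WHOLE), match_per_datagram(SPLIT))        # True False
    print(match_with_flow_state(WHOLE), match_with_flow_state(SPLIT))  # True True
```

The carry-over is per flow, so the two halves arriving on different 5-tuples do not match; that mirrors the "same IP/port" condition in the post.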