[Oisf-users] UDP reassambly behaviour
Victor Julien
victor at inliniac.net
Wed Jun 20 06:41:57 UTC 2012
On 06/18/2012 11:14 AM, Michel SABORDE wrote:
> Hi everyone,
>
> I set up an alert on UDP to match content:"bad.html"; as i did before
> with TCP and i discovered a strange behaviour that may be normal ...
> I send all my datagrams from the same ip dest/ip source/port dest/port
> source.
> If one datagram contains the payload "bad.html" the alert will be
> triggered but if you send two datagrams in a row which contains "bad."
> and "html", no alert will be triggered because i think, correct me if
> i'm wrong, that Suricata does not reassemble UDP datagrams.
> I know that UDP datagrams may not be received, or may be received in a
> different order but i think that it would be a nice feature anyway.
> I tried Snort and it does that kind of datagrams reassambly.
Our IP defragmentation is done on the IP packet level, so irregardless
of what protocol is used. Can you share a pcap?
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-users
mailing list