[Oisf-users] UDP reassembly behaviour
Michel SABORDE
michel.saborde at gmail.com
Wed Jun 20 08:27:04 UTC 2012
Well actually you don't.
I made a mistake, Snort does not reassemble the datagrams.
But Bro, if you set up a rule on IP protocol (not UDP), does reassemble.
I don't have time to investigate why Bro has chosen this behaviour, but
I'm sure there is a good reason.
Nevertheless, if Suricata does not receive the datagrams or if it receives
them in a bad order, my guess is that there are many chances that the final
destination won't receive them either, or will receive them in a bad order too.
I don't know what the correct behaviour should be here but maybe it is
worth investigating a little.
Maybe Suricata can reassemble datagrams from the same quadruplet I talked
about before based on a timeout that you can configure?
Michel
2012/6/20 Victor Julien <victor at inliniac.net>
> I see. Seems wrong to me though. How do you know 2 datagrams are in
> order? How do you know the data is even meant to be "reassembled"?
>
> On 06/20/2012 09:54 AM, Michel SABORDE wrote:
> > I'll share a pcap later in the day.
> > But to clarify my request, I'm not talking about IP fragments, I'm
> > talking about UDP datagrams not being reassembled.
> > If you receive consecutively 2 UDP datagrams from the same quadruplet
> > (ip dest / ip source / port dest / port source), you can usually
> > consider them part of the same UDP "session" (even though it's weird to
> > talk about "session" with UDP); it is what happens when you put a UDP
> > socket in connected mode.
> >
> > I hope it makes more sense now :)
> >
> > Michel
> > 2012/6/20 Victor Julien <victor at inliniac.net <mailto:victor at inliniac.net>>
> >
> > On 06/18/2012 11:14 AM, Michel SABORDE wrote:
> > > Hi everyone,
> > >
> > > I set up an alert on UDP to match content:"bad.html"; as I did before
> > > with TCP and I discovered a strange behaviour that may be normal ...
> > > I send all my datagrams from the same ip dest/ip source/port dest/port
> > > source.
> > > If one datagram contains the payload "bad.html" the alert will be
> > > triggered but if you send two datagrams in a row which contain "bad."
> > > and "html", no alert will be triggered because I think, correct me if
> > > I'm wrong, that Suricata does not reassemble UDP datagrams.
> > > I know that UDP datagrams may not be received, or may be received in a
> > > different order but I think that it would be a nice feature anyway.
> > > I tried Snort and it does that kind of datagram reassembly.
> >
> > Our IP defragmentation is done on the IP packet level, so regardless
> > of what protocol is used. Can you share a pcap?
> >
> > --
> > ---------------------------------------------
> > Victor Julien
> > http://www.inliniac.net/
> > PGP: http://www.inliniac.net/victorjulien.asc
> > ---------------------------------------------
> >
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
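The flow-keyed, timeout-bounded UDP buffering Michel proposes above, next to the per-datagram matching he observed and the ordering problem Victor raises, as an added example that is not code from the thread nor from Suricata, Snort or Bro. The quadruplets, the timeout knob and the payloads are constructed for the illustration.

```python
from typing import Dict, List, Tuple

# Constructed sample data: one UDP "quadruplet" (src ip, src port, dst ip,
# dst port) and a second, unrelated one; documentation address ranges only.
FLOW_A = ("192.0.2.10", 40000, "198.51.100.5", 8080)
FLOW_B = ("192.0.2.11", 40001, "198.51.100.5", 8080)
PATTERN = b"bad.html"          # the content the thread's rule looks for
FLOW_TIMEOUT = 5.0             # hypothetical, configurable idle timeout (seconds)

# Each datagram is (arrival time, quadruplet, payload); all payloads are made up.
SINGLE = [(0.0, FLOW_A, b"GET /bad.html HTTP/1.0")]
SPLIT_IN_ORDER = [(0.0, FLOW_A, b"GET /bad."), (0.1, FLOW_A, b"html HTTP/1.0")]
SPLIT_REORDERED = [(0.0, FLOW_A, b"html HTTP/1.0"), (0.1, FLOW_A, b"GET /bad.")]
SPLIT_TIMED_OUT = [(0.0, FLOW_A, b"GET /bad."), (9.0, FLOW_A, b"html HTTP/1.0")]
SPLIT_ACROSS_FLOWS = [(0.0, FLOW_A, b"GET /bad."), (0.1, FLOW_B, b"html HTTP/1.0")]

Datagram = Tuple[float, tuple, bytes]


def match_per_datagram(datagrams: List[Datagram], pattern: bytes = PATTERN) -> bool:
    """Inspect every datagram on its own: content split across two is missed."""
    return any(pattern in payload for _, _, payload in datagrams)


def match_per_flow(datagrams: List[Datagram], pattern: bytes = PATTERN,
                   timeout: float = FLOW_TIMEOUT) -> bool:
    """Buffer payloads per quadruplet in arrival order, dropping idle flows.

    Only the last len(pattern)-1 bytes of a flow are retained, which is all
    that is needed to complete a match that straddles a datagram boundary.
    """
    buffers: Dict[tuple, Tuple[float, bytes]] = {}
    for ts, key, payload in datagrams:
        last_seen, tail = buffers.get(key, (ts, b""))
        if ts - last_seen > timeout:
            tail = b""                      # flow went idle: start fresh
        window = tail + payload
        if pattern in window:
            return True
        buffers[key] = (ts, window[-(len(pattern) - 1):])
    return False
```

Deliberately, the reordered pair does not match: without sequence numbers the buffer can only follow arrival order, which is the ambiguity Victor points out.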