[Oisf-users] UDP reassembly behaviour
Victor Julien
victor at inliniac.net
Wed Jun 20 13:28:57 UTC 2012
On 06/20/2012 10:27 AM, Michel SABORDE wrote:
> Well actually you don't.
> I made a mistake, Snort does not reassemble the datagrams.
> But Bro, if you set up a rule on IP protocol (not UDP), does reassemble.
> I don't have time to investigate why Bro has chosen this behaviour, but
> I'm sure there is a good reason.
> Nevertheless, if Suricata does not receive the datagrams or if it
> receives them in a bad order, my guess is that there are many chances that
> the final destination won't receive them either, or will receive them in a
> bad order too.
>
> I don't know what should be the correct behaviour here but maybe it is
> worth investigating a little.
> Maybe Suricata can reassemble datagrams from the same quadruplet I
> talked about before based on a timeout that you can configure?
I fail to see what you would gain here and I do see problems. Do you
have a real world use case?
Cheers,
Victor
>
> Michel
> 2012/6/20 Victor Julien <victor at inliniac.net>
>
> I see. Seems wrong to me though. How do you know 2 datagrams are in
> order? How do you know the data is even meant to be "reassembled"?
>
> On 06/20/2012 09:54 AM, Michel SABORDE wrote:
> > I'll share a pcap later in the day.
> > But to clarify my request, I'm not talking about IP fragments, I'm
> > talking about UDP datagrams not being reassembled.
> > If you receive consecutively 2 UDP datagrams from the same quadruplet
> > (ip dest / ip source / port dest / port source), you can usually
> > consider them part of the same UDP "session" (even though it's weird to
> > talk about "session" with UDP); it is what happens when you put a UDP
> > socket in connected mode.
> >
> > I hope it makes more sense now :)
> >
> > Michel
> > 2012/6/20 Victor Julien <victor at inliniac.net>
> >
> > On 06/18/2012 11:14 AM, Michel SABORDE wrote:
> > > Hi everyone,
> > >
> > > I set up an alert on UDP to match content:"bad.html"; as I did before
> > > with TCP and I discovered a strange behaviour that may be normal ...
> > > I send all my datagrams from the same ip dest/ip source/port dest/port
> > > source.
> > > If one datagram contains the payload "bad.html" the alert will be
> > > triggered but if you send two datagrams in a row which contain "bad."
> > > and "html", no alert will be triggered because I think, correct me if
> > > I'm wrong, that Suricata does not reassemble UDP datagrams.
> > > I know that UDP datagrams may not be received, or may be received in a
> > > different order but I think that it would be a nice feature anyway.
> > > I tried Snort and it does that kind of datagram reassembly.
> >
> > Our IP defragmentation is done on the IP packet level, so regardless
> > of what protocol is used. Can you share a pcap?
> >
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
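To make the trade-off in this thread concrete, here is an added example (not code from the thread, nor from Suricata, Snort or Bro) that models the two behaviours under discussion: inspecting each UDP datagram on its own, and buffering consecutive datagrams of the same quadruplet (ip src / ip dst / sport / dport) for a configurable timeout so a pattern split across two datagrams, "bad." followed by "html", can be seen. The datagrams, addresses and the 1-second timeout are constructed for the demonstration; the reordered and idle-gap cases show the point raised in the reply, that buffering only helps when the datagrams actually arrive together and in order.

```python
# Added example: per-datagram matching versus per-quadruplet buffering for a
# content pattern split across UDP datagrams. Traffic below is constructed.

PATTERN = b"bad.html"

# (timestamp, src_ip, src_port, dst_ip, dst_port, payload)  -- constructed datagrams
IN_ORDER = [
    (0.00, "10.0.0.1", 40000, "10.0.0.2", 9999, b"GET /bad."),
    (0.01, "10.0.0.1", 40000, "10.0.0.2", 9999, b"html HTTP/1.0"),
]
REORDERED = [IN_ORDER[1], IN_ORDER[0]]               # same two datagrams, swapped
IDLE_GAP = [IN_ORDER[0], (5.0,) + IN_ORDER[1][1:]]   # second one arrives 5 s later
SINGLE = [(0.0, "10.0.0.1", 40000, "10.0.0.2", 9999, b"GET /bad.html")]


def per_datagram_alerts(datagrams, pattern=PATTERN):
    """Stateless matching: every datagram is inspected on its own.
    Returns the indices of the datagrams that fire."""
    return [i for i, d in enumerate(datagrams) if pattern in d[5]]


class UdpFlowBuffer:
    """Concatenates payloads of consecutive datagrams sharing a quadruplet,
    as long as each arrives within `timeout` seconds of the previous one."""

    def __init__(self, timeout=1.0, max_bytes=4096):
        self.timeout = timeout
        self.max_bytes = max_bytes
        self.flows = {}  # quadruplet -> (last_seen_ts, bytearray)

    def feed(self, ts, src, sport, dst, dport, payload, pattern=PATTERN):
        key = (src, sport, dst, dport)
        last_seen, buf = self.flows.get(key, (None, bytearray()))
        if last_seen is not None and ts - last_seen > self.timeout:
            buf = bytearray()  # idle longer than the timeout: start a fresh buffer
        buf += payload
        if len(buf) > self.max_bytes:  # bound memory held per quadruplet
            del buf[: len(buf) - self.max_bytes]
        hit = pattern in buf
        if hit:
            buf = bytearray()  # alert once per occurrence, not on every later datagram
        self.flows[key] = (ts, buf)
        return hit


def buffered_alerts(datagrams, timeout=1.0, pattern=PATTERN):
    """Stateful matching over the buffered stream of each quadruplet.
    Returns the indices of the datagrams at which the pattern became visible."""
    fb = UdpFlowBuffer(timeout)
    return [i for i, d in enumerate(datagrams) if fb.feed(*d, pattern=pattern)]


if __name__ == "__main__":
    for name, dgs in [("in order", IN_ORDER), ("reordered", REORDERED),
                      ("idle gap", IDLE_GAP), ("single", SINGLE)]:
        print(f"{name:9s} per-datagram={per_datagram_alerts(dgs)} "
              f"buffered={buffered_alerts(dgs)}")
```

Running it shows that only the single-datagram case fires under per-datagram matching, that buffering catches the split pattern when the halves arrive in order and within the timeout, and that the same buffering stays silent when the halves are swapped or separated by an idle gap longer than the timeout (raising the timeout to cover the gap makes that case fire again).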