[Oisf-users] IPv4 invalid checksum alerts
petermanev at gmail.com
Wed Jun 12 14:55:11 UTC 2013
On Wed, Jun 12, 2013 at 4:37 PM, Steven McIntosh
<Steven.McIntosh at glasgow.ac.uk> wrote:
> We are seeing large amounts of what looks like reassembled fragments triggering the "IPv4 invalid checksum" alert. It looks like Suricata is validating the IPv4 header checksum for reassembled fragments, but is using the checksum from the first fragment.
> We are new to Suricata and so this may be a misconfiguration on our part. I have included information on our setup. We replicated the issue by using Hping to generate fragmented packets of the kind we were seeing and capturing them via TCPDUMP and the PCAP logging feature of Suricata, then comparing the two. Examples of the results are included below. We are seeing this when using the AF_PACKET capture run mode; the issue doesn't seem to be present in the PCAP run mode. All network card offloading has been turned off. Turning the network card checksum offload on has no effect.
> Is this a bug or config error?
Would you please be able to share a pcap for this? (Privately, if you would like.)
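
The checksum mismatch hypothesised in the quoted report can be reproduced on paper. This is an added example, not part of the thread and not Suricata code; it makes no claim about what Suricata does and only shows that a first fragment's header checksum cannot validate against a reassembled header, because total length and the MF flag change. Addresses, IP ID and fragment sizes are constructed sample values.

```python
import socket
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header.
    Returns 0 when run over a header whose stored checksum is correct."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_header(total_len: int, flags_frag: int, checksum=None) -> bytes:
    """20-byte IPv4 header without options (constructed sample fields)."""
    def pack(csum: int) -> bytes:
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234,
                           flags_frag, 64, 1, csum,
                           socket.inet_aton("192.0.2.1"),
                           socket.inet_aton("192.0.2.2"))
    if checksum is None:                    # compute over a zeroed checksum field
        checksum = ipv4_checksum(pack(0))
    return pack(checksum)

def stored_checksum(header: bytes) -> int:
    return struct.unpack("!H", header[10:12])[0]

def header_valid(header: bytes) -> bool:
    return ipv4_checksum(header) == 0

def scenario() -> dict:
    """Two fragments of one datagram, then two candidate reassembled headers."""
    first = build_header(20 + 1480, 0x2000)      # MF set, offset 0
    second = build_header(20 + 528, 1480 // 8)   # last fragment, offset 185
    # Reassembled datagram: full length, MF cleared, offset 0.
    stale = build_header(20 + 2008, 0, checksum=stored_checksum(first))
    fixed = build_header(20 + 2008, 0)           # checksum recomputed
    return {"first": first, "second": second, "stale": stale, "fixed": fixed}

if __name__ == "__main__":
    for name, hdr in scenario().items():
        print(f"{name:6s} csum=0x{stored_checksum(hdr):04x} "
              f"valid={header_valid(hdr)}")
```

When comparing captures, the same check can be applied to the first 20 bytes of each IP header to see whether the stored checksum matches the header it travels with.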