[Oisf-users] IPv4 invalid checksum alerts

Peter Manev petermanev at gmail.com
Thu Jun 13 13:38:25 UTC 2013


On Wed, Jun 12, 2013 at 4:55 PM, Peter Manev <petermanev at gmail.com> wrote:
> On Wed, Jun 12, 2013 at 4:37 PM, Steven McIntosh
> <Steven.McIntosh at glasgow.ac.uk> wrote:
>> Hi,
>>
>> We are seeing large amounts of what looks like reassembled fragments triggering the "IPv4 invalid checksum" alert.  It looks like Suricata is validating the IPv4 header checksum for reassembled fragments, but is using the checksum from the first fragment.
>>
>> We are new to Suricata and so this may be a misconfiguration on our part.  I have included information on our setup.  We replicated the issue by using Hping to generate fragmented packets of the kind we were seeing and capturing them via TCPDUMP and the PCAP logging feature of Suricata, then comparing the two.  Examples of the results are included below.  We are seeing this when using the AF_PACKET capture run mode; the issue doesn't seem to be present in the PCAP run mode.  All network card offloading has been turned off.  Turning the network card checksum offload on has no effect.
>>
>> Is this a bug or config error?
>
> Hi,
>
> Would you please be able to share a pcap for this. (privately if you would like)
>
> thanks


Hi Steven,

I could not reproduce the issue with the provided pcap, either on
1.4.2 or the latest git.

The pcap does not trigger any checksum alerts.

If you would like, you can also share your yaml privately; then I
could try with it directly and see if the issue comes up.

thanks

--
Regards,
Peter Manev
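The thread's hypothesis is that a reassembled datagram is being checked against the header checksum carried over from its first fragment. The example below is added here and is not code from the thread or from Suricata; it uses the standard RFC 1071 one's-complement checksum and constructed addresses, lengths and IDs to show why that check must fail: reassembly changes the Total Length and Flags fields, so the first fragment's checksum no longer covers the new header, and a validator has to recompute it (or skip header checksum validation on reassembled pseudo-packets) to avoid a false "invalid checksum" alert.

```python
import struct

# RFC 1071 one's-complement sum over the whole IPv4 header. If the
# checksum field inside the header is correct, the result is 0.
def ipv4_checksum(header: bytes) -> int:
    if len(header) % 2:
        header += b"\x00"
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header_valid(header: bytes) -> bool:
    return ipv4_checksum(header) == 0


# Builds a minimal 20-byte IPv4 header (IHL=5, TTL 64, protocol UDP).
# With checksum=None the correct checksum is computed; passing a value
# forces that value into the field (as a naive reassembler would).
def build_ipv4_header(src, dst, total_length, ident, more_fragments,
                      frag_offset, checksum=None):
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, ident,
                         flags_frag, 64, 17, 0, src, dst)
    if checksum is None:
        checksum = ipv4_checksum(header)     # field is zero here, per RFC 791
    return header[:10] + struct.pack("!H", checksum) + header[12:]


# Constructed scenario: a 1500-byte UDP payload split into two fragments
# (1480 bytes + 20 bytes), then reassembled into one 1520-byte datagram.
def reassembly_demo():
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed
    first = build_ipv4_header(src, dst, 1500, 0x1234, True, 0)
    carried = struct.unpack("!H", first[10:12])[0]
    # Reassembled header that still carries the first fragment's checksum:
    # Total Length grew and MF was cleared, so the old checksum is stale.
    naive = build_ipv4_header(src, dst, 1520, 0x1234, False, 0,
                              checksum=carried)
    # Same header with the checksum recomputed after reassembly.
    fixed = build_ipv4_header(src, dst, 1520, 0x1234, False, 0)
    return {
        "first_fragment_valid": ipv4_header_valid(first),
        "carried_checksum_valid": ipv4_header_valid(naive),
        "recomputed_checksum_valid": ipv4_header_valid(fixed),
    }


if __name__ == "__main__":
    for name, ok in reassembly_demo().items():
        print(f"{name}: {ok}")
```

A detection engine that runs header checksum validation on its own reassembled pseudo-packet therefore has to either recompute the field when it rebuilds the header or exempt that pseudo-packet from the check; comparing the `naive` and `fixed` headers above is a quick way to confirm which case a captured packet falls into.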
