[Oisf-users] ip defrag issue (#1211)

Victor Julien victor at inliniac.net
Wed Jun 25 17:13:10 UTC 2014


Antonios Atlasis, working with ERNW GmbH, reported a serious IPv6 defrag
issue. This issue has been fixed in Suricata 2.0.2.

The issue was caused by a logic error in the way the defrag timeout
configuration was set up. If no config was found for a specific host,
there would effectively be no timeout. This led to defrag 'trackers'
being cleaned up prematurely. The premature cleanup of the tracker led
to Suricata failing to perform the IP reassembly.

The failed reassembly of these IP packets then leads to missing packets
in TCP stream reassembly, HTTP tracking and detection. Thus, a pretty
serious issue.

Solution: upgrade to 2.0.2

A workaround for 2.0 and 2.0.1 is to add the following config to your yaml:

defrag:
  memcap: 32mb
  hash-size: 65536
  trackers: 65535 # number of defragmented flows to follow
  max-frags: 65535 # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 60

  host-config:
    - all:
        timeout: 60
        address: ["0.0.0.0/0", "::/0"]

The top part is the default config in the yaml; the host-config part is
the workaround.

Even though it was reported as an IPv6 issue, I believe that IPv4 is
also affected.

Thanks to Antonios Atlasis for reporting this issue.

https://redmine.openinfosecfoundation.org/issues/1211

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
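As an added example (not from the original post or the Suricata project), here is a small Python check that reads a suricata.yaml and reports whether the host-config workaround above is present: a host-config entry with an explicit positive timeout whose address list covers all of IPv4 and all of IPv6. It hand-parses only the YAML subset the defrag section uses, so it needs no PyYAML; the two embedded configs are constructed samples (the 2.0 default block on its own, and the same block with the catch-all entry added).

```python
"""Check a suricata.yaml for the defrag host-config workaround.
Added example, not Suricata project code. It understands only the YAML subset
the defrag section uses ('key: value', '- name:' items, flow lists ["a", "b"])."""
import ipaddress
import re

# Constructed sample: the 2.0 default defrag block on its own (no workaround).
DEFAULT_ONLY = """\
---
defrag:
  memcap: 32mb
  hash-size: 65536
  trackers: 65535 # number of defragmented flows to follow
  max-frags: 65535 # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 60

flow:
  memcap: 32mb
"""

# Constructed sample: the same block plus the catch-all host-config entry.
WITH_WORKAROUND = DEFAULT_ONLY.replace(
    "  timeout: 60\n",
    "  timeout: 60\n\n"
    "  host-config:\n"
    "    - all:\n"
    "        timeout: 60\n"
    '        address: ["0.0.0.0/0", "::/0"]\n',
)

def _strip_comment(line):
    """Drop a trailing '# ...' comment (the defrag block has no '#' inside values)."""
    return re.split(r"\s+#|^#", line, maxsplit=1)[0].rstrip()

def _parse_flow_list(value):
    """Turn '["a", "b"]' into ['a', 'b']."""
    inner = value.strip().strip("[]")
    return [v.strip().strip("'\"") for v in inner.split(",") if v.strip()]

def parse_defrag_section(yaml_text):
    """Return (global_timeout, host_config_entries) from the top-level defrag block.
    Each entry is {"name": str, "timeout": int or None, "address": [str, ...]}."""
    global_timeout, entries = None, []
    in_defrag, hc_indent = False, None  # hc_indent: indent of the 'host-config:' key
    for raw in yaml_text.splitlines():
        line = _strip_comment(raw)
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        text = line.strip()
        if indent == 0:  # a new top-level section starts
            in_defrag = text.split(":")[0] == "defrag"
            hc_indent = None
            continue
        if not in_defrag:
            continue
        if hc_indent is not None and indent > hc_indent:  # inside host-config
            if text.startswith("- "):
                entries.append({"name": text[2:].rstrip(":").strip(),
                                "timeout": None, "address": []})
            elif entries:
                key, _, val = text.partition(":")
                if key.strip() == "timeout":
                    entries[-1]["timeout"] = int(val)
                elif key.strip() == "address":
                    entries[-1]["address"] = _parse_flow_list(val)
            continue
        hc_indent = None  # back at defrag's own keys
        key, _, val = text.partition(":")
        if key.strip() == "timeout":
            global_timeout = int(val)
        elif key.strip() == "host-config":
            hc_indent = indent
    return global_timeout, entries

def _covers_all(addresses, version):
    """True if some address is the whole IPv4 (4) or IPv6 (6) space, e.g. 0.0.0.0/0."""
    for addr in addresses:
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            continue
        if net.version == version and net.prefixlen == 0:
            return True
    return False

def check_defrag_workaround(yaml_text):
    """Report whether a host-config entry with a positive timeout covers every host."""
    global_timeout, entries = parse_defrag_section(yaml_text)
    timed = [e for e in entries if (e["timeout"] or 0) > 0]
    ipv4 = any(_covers_all(e["address"], 4) for e in timed)
    ipv6 = any(_covers_all(e["address"], 6) for e in timed)
    return {"global_timeout": global_timeout, "ipv4_covered": ipv4,
            "ipv6_covered": ipv6, "ok": ipv4 and ipv6}

if __name__ == "__main__":
    for label, cfg in (("default only", DEFAULT_ONLY), ("with workaround", WITH_WORKAROUND)):
        print(label, check_defrag_workaround(cfg))
```

The check deliberately ignores the global `timeout: 60`, because the post describes that value as not taking effect for hosts with no matching host-config entry; only an entry with its own timeout and a /0 address for each family counts. To run it against a real file, pass `open("/etc/suricata/suricata.yaml").read()` to `check_defrag_workaround`.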
