Hello, I am trying to detect traffic related to fragmented and reassembled packets, and I am mainly using the keywords fragbits and fragoffset; however, I am not able to promote this detection.
This is an example of a rule I am trying to use:
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "Possible Reassembled UDP Fragmented Packets"; fragoffset:>0; threshold: type both, track by_src, count 3, seconds 15; classtype: bad-unknown; sid: 110000141; rev:1;)
I would like to know if there is something wrong with the way I am using these keywords, or if there is a reason why the detection of reassembled and fragmented packets may be difficult to promote in this context.
I am using the default runmode of Suricata. I am posting some of the information obtained during the execution of the commands which generated fragmented packets that were not detected.
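To make concrete which header fields the two keywords in the rule above inspect, here is an added example (not code from the original post and not Suricata's own code): it builds the IPv4 fragments of one UDP datagram as raw bytes, never sends them, and then reads back the fields that fragbits (the R/D/M flag bits) and fragoffset (the 13-bit fragment offset, carried on the wire in 8-byte units) evaluate. The addresses, ports, identification value and MTU are constructed sample values. What it shows is a property of IPv4 itself: the first fragment of any datagram always has offset 0, so a test like fragoffset:>0 can only match the second and later fragments, and the M bit is clear on the last fragment only.

```python
import struct

# Added example, not from the original post. Builds IPv4 fragments in memory
# (no packets are sent) and shows the fields that the Suricata keywords
# fragbits (flags) and fragoffset (offset) look at.

IP_FLAG_RF = 0x4   # reserved bit   (fragbits: R)
IP_FLAG_DF = 0x2   # don't fragment (fragbits: D)
IP_FLAG_MF = 0x1   # more fragments (fragbits: M)


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, ident: int, flags: int, offset_units: int,
               payload: bytes, proto: int = 17) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) in front of payload.
    offset_units is the fragment offset in 8-byte units, as carried on the wire."""
    ver_ihl = (4 << 4) | 5
    total_len = 20 + len(payload)
    flags_frag = (flags << 13) | (offset_units & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ident, flags_frag,
                         64, proto, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    csum = ipv4_checksum(header)
    header = header[:10] + struct.pack("!H", csum) + header[12:]
    return header + payload


def fragment_udp(src, dst, sport, dport, data, mtu=64, ident=0x1234):
    """Split one UDP datagram into IPv4 fragments that each fit in mtu bytes.
    Every fragment payload except the last must be a multiple of 8 bytes."""
    udp_len = 8 + len(data)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + data  # UDP checksum 0 = none
    chunk = (mtu - 20) // 8 * 8
    frags = []
    for off in range(0, len(udp), chunk):
        piece = udp[off:off + chunk]
        more = off + chunk < len(udp)
        frags.append(build_ipv4(src, dst, ident, IP_FLAG_MF if more else 0, off // 8, piece))
    return frags


def parse_fragment_fields(pkt: bytes) -> dict:
    """Extract from a raw IPv4 packet the fields fragbits and fragoffset evaluate."""
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    flags = flags_frag >> 13
    return {
        "ident": struct.unpack("!H", pkt[4:6])[0],
        "M": bool(flags & IP_FLAG_MF),
        "D": bool(flags & IP_FLAG_DF),
        "R": bool(flags & IP_FLAG_RF),
        "fragoffset": flags_frag & 0x1FFF,   # 8-byte units; what fragoffset:>0 compares
        "payload_len": len(pkt) - 20,
    }


def matches_fragoffset_gt_zero(pkt: bytes) -> bool:
    """Equivalent of the post's 'fragoffset:>0' test applied to a single raw fragment."""
    return parse_fragment_fields(pkt)["fragoffset"] > 0


if __name__ == "__main__":
    # Constructed sample: 100-byte UDP payload, documentation-range addresses.
    frags = fragment_udp("198.51.100.7", "192.0.2.10", 40000, 53, b"A" * 100)
    for f in frags:
        print(parse_fragment_fields(f), "fragoffset:>0 ->", matches_fragoffset_gt_zero(f))
```

With the constructed 100-byte payload and a 64-byte MTU the datagram splits into three fragments at offsets 0, 5 and 10 (in 8-byte units); only the last two satisfy fragoffset:>0, and only the first two carry the M bit. Whether a rule sees these raw fragments or the reassembled datagram depends on how the engine processes the capture, which is the part of the question the command line and configuration asked about below would settle.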
I am not sure if this answers your question, but I generally launch suricata using suricata-update && systemctl start suricata, to ensure suricata is running with the newest rules.
In that case, post the output of ps auxfwww | grep suricata so we can see how the actual command line is used; systemctl just starts the service, but the command line arguments passed to it are relevant.