Detection of fragmented and reassembled packets

m6201 · July 15, 2024, 9:24am

Hello, I am trying to detect traffic related to fragmented and reassembled packets, and I am using mainly the keywords fragbits and fragoffset, however, I am not being able to promote this detection.

This is an example of rule I am trying to use:

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "Possible Reassembled UDP Fragmented Packets"; fragoffset:>0; threshold: type both, track by_src, count 3, seconds 15; classtype: bad-unknown; sid: 110000141; rev:1;)

I would like to know if there is something wrong with the way I am using these keywords, of if there is a reason why the detection of reassembled and fragmented packets may be difficult to promote in this context.

Thanks in advance.

Additional informations:

Suricata Version: 7.0.5;
OS: Ubuntu 22.04;
Installed Suricata from binary packages.

Andreas_Herz · July 31, 2024, 9:19pm

Could you provide an example pcap and also add the suricata.yaml that you used as well as the run command?

m6201 · August 1, 2024, 1:34pm

I executed the command hping3 -S --data 3000 <ip_addr> to obtain the packets.

example.pcap (40.3 KB)
suricata.yaml (83.5 KB)

Andreas_Herz · August 7, 2024, 8:03pm

I meant the run command for Suricata, so that we know the exact runmode. Ideally also post stats.log and suricata.log.

m6201 · August 17, 2024, 7:39pm

I am using the default runmode of Suricata. I am posting some of the information obtained during the execution of the commands which generated fragmented packets that were not detected.

example-suricata.log (28.2 KB)
example-stats.log (24.6 KB)

Jeff_Lucovsky · August 19, 2024, 12:44pm

@Andreas_Herz is asking for the command line used to launch suricata; is that available?

m6201 · August 19, 2024, 2:44pm

I am not sure if this answers your question, but I generally launch suricata using suricata-update && systemctl start suricata, to ensure suricata is running with the newest rules.

Andreas_Herz · August 30, 2024, 8:25pm

in that case post the output of ps auxfwww | grep suricata so we see how the actual command line is used, the systemctl just starts the service but the passed command line arguments are relevant

m6201 · August 30, 2024, 9:56pm

Here is the output of the indicated command:

mayara      5479  0.0  0.0   9220  2560 pts/2    S+   18:53   0:00          \_ grep --color=auto suricata

root        5475 97.2  9.0 421244 354300 ?       Rs   18:53   0:15 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -vvv

Topic		Replies	Views
Suricata not detecting some packets in a pcap Help rules , suricata , pcaps	4	723	August 10, 2023
Pcap_cnt and fragmented packets Help	1	267	December 12, 2023
How to write Suricata rules to detect UDP_Sweep scan with metasploit? Rules rules , suricata	3	967	January 2, 2023
Detecting a packet after reassembled Help	6	1464	June 15, 2021
Clarification on pcap logging for a single packet Help	3	299	November 18, 2023

Detection of fragmented and reassembled packets

Related topics