How does Suricata handle data that has been fragmented?

Hello there,

Can anybody clarify something for me:
When somebody fragments a malicious file into hundreds or thousands of fragments and sends them to a network protected by Suricata (assuming the flow is the same, i.e., the quintuple (Dst Port, Src Port, Dst IP, Src IP, protocol) is the same), how is Suricata able to defragment these files and match rules on them?
I know that Suricata has a defragmentation engine (10.1. Suricata.yaml — Suricata 6.0.0 documentation) but does that apply here?
In some experiments I have done, this seemed to make no difference.
I’d appreciate it if anybody could explain this to me.
Best regards

Hi there!

With regards to defragmentation, what I can see having an impact could be the memcap, max-frags, and possibly also timeout. I imagine that the stream depth could also affect this (but that’s out of the scope of your question, I reckon).

I think you may be interested in checking 18. File Extraction — Suricata 6.0.13 documentation and 7.13. File Keywords — Suricata 6.0.13 documentation, maybe also 7.12. HTTP Keywords — Suricata 6.0.13 documentation.

I have never worked around this module, so this is as far as I can go, for now.

I hope you get some more in-depth answers soon!
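One way to check whether the defrag engine was actually exercised in an experiment like the one described above, and which of the limits mentioned in the answer (timeout, max-frags) came into play, is to read Suricata's defrag counters from stats.log. This is an added example, not code from the thread or from the Suricata project; the stats.log rows below are constructed and their values are invented.

```python
import re

# Constructed sample of stats.log rows; the counter names are Suricata's own
# defrag counters, the values are made up for illustration.
SAMPLE_STATS = """\
Counter                                       | TM Name                   | Value
decoder.pkts                                  | Total                     | 5000
defrag.ipv4.fragments                         | Total                     | 1200
defrag.ipv4.reassembled                       | Total                     | 3
defrag.ipv4.timeouts                          | Total                     | 40
defrag.max_frag_hits                          | Total                     | 2
"""

# counter | TM Name | value, as printed by the stats.log output module
ROW_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")


def parse_counters(text):
    """Return {counter: value} for the 'Total' rows of a stats.log dump."""
    counters = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m and m.group(2) == "Total":
            counters[m.group(1)] = int(m.group(3))
    return counters


def diagnose_defrag(counters):
    """Relate the defrag counters to the defrag.timeout and defrag.max-frags limits."""
    def get(k): return counters.get(k, 0)
    frags = get("defrag.ipv4.fragments") + get("defrag.ipv6.fragments")
    reasm = get("defrag.ipv4.reassembled") + get("defrag.ipv6.reassembled")
    timeouts = get("defrag.ipv4.timeouts") + get("defrag.ipv6.timeouts")
    findings = []
    if frags == 0:
        # Nothing was IP-fragmented on the wire, so the defrag engine never ran.
        findings.append("no IP fragments seen: the defrag engine was not exercised")
        return findings
    findings.append(f"{frags} fragments, {reasm} datagrams reassembled")
    if timeouts:
        findings.append(f"{timeouts} trackers timed out: check defrag.timeout")
    if get("defrag.max_frag_hits"):
        findings.append(f"{get('defrag.max_frag_hits')} datagrams exceeded defrag.max-frags")
    return findings


if __name__ == "__main__":
    for finding in diagnose_defrag(parse_counters(SAMPLE_STATS)):
        print(finding)
```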

Thank you very much for your answer!
