can anybody clarify something for me:
When somebody fragments some malicious files in hundreds or thousands fragments and sends them to a network protected by Suricata (assuming the flow is the same, i.e., the quintuple (Dst Port, Src Port, Dst Ip, Src IP, protocol) is the same) - How is Suricata able to defragment these files and match on these files with rules?
I know that Suricata has a defragmentation engine (10.1. Suricata.yaml — Suricata 6.0.0 documentation) but does that apply here?
In some experiments I have done, this seemed to make no difference.
I’d appreciate it if anybody could explain this to me.