Saturday, December 14, 2013

Suricata - per host/network fragmentation timeouts


Suricata can have the ip fragmentation time out values on a configurable per network/host basis in the suricata.yaml.

Through a light but time consuming research it (frag timeout) seems to be different for the different OSs . It does not matter if the system is 32 or 64 bit, but it does matter if it handles IPv4 or IPv6 addresses. Most of those values you can find under /proc/sys/net/ipv4/ipfrag_time (or using sysctl -a) on most of the Linux/Unix systems – the amount of time a fragment will be kept in memory, after that it will be discarded.

All  (default) values in seconds ->
IPv4:
Suse - 20
CentOS - 30
Ubuntu - 30
Debian - 30
Fedora - 30
Windows (all) - hard coded, can not be changed – 60

IPv6:
Suse - 60
CentOS - 60
Ubuntu - 60
Debian - 60
Fedora - 60
Windows (all) – hardcoded, can not be changed – 60

There are other ip fragmentation values that differ for the different OSs as well. Some values could not have the default value due to network/OS/application specific tuning and other reasons.

However for those hosts and networks that you are sure and know what the timeouts are in seconds - you could use the defrag timeout values in suricata.yaml section and accordingly. That way Suricata will inspect the ip fragments with the same timeouts as the receiving hosts.


Setup defrag timeouts on a per network/host type basics:
# Enable defrag per host settings
  host-config:

    - dmz:
        timeout: 30
        address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]

    - lan:
        timeout: 45
        address:
          - 192.168.0.0/24
          - 192.168.10.0/24
          - 172.16.14.0/24





No comments:

Post a Comment