The AF_PACKET defrag option is enabled by default and allows AF_PACKET to re-assemble fragmented packets before they reach Suricata. However, the default packet size in Suricata is based on the network interface MTU, which leads to Suricata seeing the re-assembled packets as truncated.
Impact
If the defrag option is in use (it is enabled by default), Suricata will see fragmented packets that are re-assembled to larger than 1514 bytes as truncated.
Patches
Upgrade to Suricata 7.0.9, which uses better defaults and adds warnings for user configurations that may lead to issues.
Workarounds
For inline modes, disable defrag if this has not been done already. This is recommended for inline use even after upgrading. For passive IDS mode, tpacket-v3 can be enabled with a block-size of at least 131072 bytes.
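As an added example (not part of this advisory or of Suricata's shipped configuration), an af-packet section of suricata.yaml applying both workarounds: defrag disabled on the inline (IPS) pair, and tpacket-v3 with a 131072-byte block-size on the passive IDS interface. Interface names, cluster-ids and thread counts are assumptions.

```yaml
# Constructed example, not taken from the advisory; interface names are assumptions.
af-packet:
  # Inline (IPS) pair: defrag disabled, as the workaround recommends even after upgrading.
  # The weak setting is the default "defrag: yes", which re-assembles fragments that
  # Suricata then sees truncated at the MTU-based packet size.
  - interface: eth0
    threads: auto
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: no
    copy-mode: ips
    copy-iface: eth1
  - interface: eth1
    threads: auto
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: no
    copy-mode: ips
    copy-iface: eth0

  # Passive IDS interface: defrag stays enabled, but tpacket-v3 is turned on with a
  # block-size of at least 131072 bytes so re-assembled packets larger than 1514 bytes
  # are delivered whole instead of truncated.
  - interface: eth2
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    tpacket-v3: yes
    block-size: 131072
```

After changing the configuration, check the Suricata startup log for af-packet warnings about defrag and packet size, which 7.0.9 emits for configurations that may still hit this issue.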
References
https://redmine.openinfosecfoundation.org/issues/7458