Feature #1203
closedTCP Fast Open support
Description
TCP Fast Open (http://tools.ietf.org/html/draft-cheng-tcpm-fastopen-00) is now supported by the Linux kernel since Linux 3.6. This feature allows a TCP client to transmit data in SYN packets. As Suricata don't analyse this kind of packet, by using this feature and sending evil payloads in SYN packets, someone could bypass the IDS.
Steps to reproduce:
1. Setup a nginx web server with the fastopen option (http://nginx.org/en/docs/http/ngx_http_core_module.html)
2. Setup Suricata to detect basic web vulnerability exploitations like a LFI
2. Download the POC (http://www.synacktiv.com/ressources/tfo_http_cli.py)
3. Run the POC without the TFO option:
$ python tfo_http_cli.py <server> <port> /?f=../../../../../../etc/passwd
Suricata detects the exploitation.
4. Run the POC with the TFO option:
$ python tfo_http_cli.py --tfo <server> <port> /?f=../../../../../../etc/passwd
Suricata DOESN'T detect the exploitation.
Files
RD Updated by Renaud Dubourguais almost 12 years ago
VJ Updated by Victor Julien over 11 years ago
- Target version set to 3.0RC2
This should probably go into 2.1
VJ Updated by Victor Julien almost 11 years ago
- Assignee deleted (
Eric Leblond) - Target version changed from 3.0RC2 to TBD
AH Updated by Andreas Herz over 10 years ago
- Assignee set to OISF Dev
VJ Updated by Victor Julien over 7 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Victor Julien
- Target version changed from TBD to 5.0beta1
VJ Updated by Victor Julien about 7 years ago
- Priority changed from Normal to High
VJ Updated by Victor Julien almost 7 years ago
- Target version changed from 5.0beta1 to 5.0rc1
VJ Updated by Victor Julien almost 7 years ago
- Assignee changed from Victor Julien to Jeff Lucovsky
VJ Updated by Victor Julien over 6 years ago
- Status changed from Assigned to Closed
- Priority changed from High to Normal