Feature #1203
closedTCP Fast Open support
Description
TCP Fast Open (http://tools.ietf.org/html/draft-cheng-tcpm-fastopen-00) is now supported by the Linux kernel since Linux 3.6. This feature allows a TCP client to transmit data in SYN packets. As Suricata don't analyse this kind of packet, by using this feature and sending evil payloads in SYN packets, someone could bypass the IDS.
Steps to reproduce:
1. Setup a nginx web server with the fastopen option (http://nginx.org/en/docs/http/ngx_http_core_module.html)
2. Setup Suricata to detect basic web vulnerability exploitations like a LFI
2. Download the POC (http://www.synacktiv.com/ressources/tfo_http_cli.py)
3. Run the POC without the TFO option:
$ python tfo_http_cli.py <server> <port> /?f=../../../../../../etc/passwd
Suricata detects the exploitation.
4. Run the POC with the TFO option:
$ python tfo_http_cli.py --tfo <server> <port> /?f=../../../../../../etc/passwd
Suricata DOESN'T detect the exploitation.
Files
Updated by Renaud Dubourguais almost 10 years ago
The following PCAP is attached.
For testing, don't forget to set the following sysctl on the server side:
# sysctl net.ipv4.tcp_fastopen=3
Updated by Victor Julien almost 10 years ago
- Target version set to 3.0RC2
This should probably go into 2.1
Updated by Victor Julien almost 9 years ago
- Assignee deleted (
Eric Leblond) - Target version changed from 3.0RC2 to TBD
Updated by Victor Julien over 5 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Victor Julien
- Target version changed from TBD to 5.0beta1
Updated by Victor Julien almost 5 years ago
- Target version changed from 5.0beta1 to 5.0rc1
Updated by Victor Julien almost 5 years ago
- Assignee changed from Victor Julien to Jeff Lucovsky
Updated by Victor Julien over 4 years ago
- Status changed from Assigned to Closed
- Priority changed from High to Normal