Project

General

Profile

Actions

Feature #1203

closed

TCP Fast Open support

Added by Renaud Dubourguais over 10 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

TCP Fast Open (http://tools.ietf.org/html/draft-cheng-tcpm-fastopen-00) is now supported by the Linux kernel since Linux 3.6. This feature allows a TCP client to transmit data in SYN packets. As Suricata don't analyse this kind of packet, by using this feature and sending evil payloads in SYN packets, someone could bypass the IDS.

Steps to reproduce:
1. Setup a nginx web server with the fastopen option (http://nginx.org/en/docs/http/ngx_http_core_module.html)
2. Setup Suricata to detect basic web vulnerability exploitations like a LFI
2. Download the POC (http://www.synacktiv.com/ressources/tfo_http_cli.py)
3. Run the POC without the TFO option:

$ python tfo_http_cli.py <server> <port> /?f=../../../../../../etc/passwd

Suricata detects the exploitation.

4. Run the POC with the TFO option:

$ python tfo_http_cli.py --tfo <server> <port> /?f=../../../../../../etc/passwd

Suricata DOESN'T detect the exploitation.


Files

tfo.pcap (3.52 KB) tfo.pcap TFO pcap Renaud Dubourguais, 06/09/2014 08:45 AM
Actions #1

Updated by Renaud Dubourguais over 10 years ago

The following PCAP is attached.

For testing, don't forget to set the following sysctl on the server side:

# sysctl net.ipv4.tcp_fastopen=3

Actions #2

Updated by Victor Julien about 10 years ago

  • Target version set to 3.0RC2

This should probably go into 2.1

Actions #3

Updated by Victor Julien over 9 years ago

  • Assignee deleted (Eric Leblond)
  • Target version changed from 3.0RC2 to TBD
Actions #4

Updated by Andreas Herz almost 9 years ago

  • Assignee set to OISF Dev
Actions #5

Updated by Victor Julien about 6 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Victor Julien
  • Target version changed from TBD to 5.0beta1
Actions #6

Updated by Victor Julien over 5 years ago

  • Priority changed from Normal to High
Actions #7

Updated by Victor Julien over 5 years ago

  • Target version changed from 5.0beta1 to 5.0rc1
Actions #8

Updated by Victor Julien over 5 years ago

  • Assignee changed from Victor Julien to Jeff Lucovsky
Actions #9

Updated by Victor Julien about 5 years ago

  • Status changed from Assigned to Closed
  • Priority changed from High to Normal
Actions

Also available in: Atom PDF