Feature #1203

closed

TCP Fast Open support

Added by Renaud Dubourguais almost 10 years ago. Updated almost 5 years ago.

Status: Closed
Priority: Normal
Assignee: (none)
Target version: (none)
Effort: (none)
Difficulty: (none)
Label: (none)

Description

TCP Fast Open (http://tools.ietf.org/html/draft-cheng-tcpm-fastopen-00) is now supported by the Linux kernel since Linux 3.6. This feature allows a TCP client to transmit data in SYN packets. Because Suricata doesn't analyse this kind of packet, someone could bypass the IDS by using this feature and sending evil payloads in SYN packets.

Steps to reproduce:
1. Set up an nginx web server with the fastopen option (http://nginx.org/en/docs/http/ngx_http_core_module.html)
2. Set up Suricata to detect basic web vulnerability exploitations like an LFI
3. Download the POC (http://www.synacktiv.com/ressources/tfo_http_cli.py)
4. Run the POC without the TFO option:

    $ python tfo_http_cli.py <server> <port> /?f=../../../../../../etc/passwd

   Suricata detects the exploitation.

5. Run the POC with the TFO option:

    $ python tfo_http_cli.py --tfo <server> <port> /?f=../../../../../../etc/passwd

   Suricata DOESN'T detect the exploitation.
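To make the detection gap concrete from the inspection side, here is an added example (written for this page, not code from the report, from the POC, or from Suricata itself). It parses a raw TCP segment, flags a SYN that carries a payload, recognises the Fast Open cookie option (kind 34, as assigned by RFC 7413; the draft linked above predates that assignment), and runs a toy reassembly twice: once ignoring SYN payloads, as the report describes, and once including them. The sample segment, its cookie value and the request inside it are constructed here; the TCP checksum is left at zero because no IP pseudo-header is involved.

```python
import struct

TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10
TCP_OPT_END = 0
TCP_OPT_NOP = 1
TCP_OPT_TFO = 34  # TCP Fast Open cookie option kind (RFC 7413)


def parse_tcp_options(raw: bytes) -> list:
    """Return [(kind, data), ...] for every multi-byte option in a TCP option field."""
    kinds = []
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == TCP_OPT_END:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad TCP option length")
        kinds.append((kind, raw[i + 2:i + length]))
        i += length
    return kinds


def parse_tcp_segment(segment: bytes) -> dict:
    """Parse a TCP segment (header + options + payload, no IP header) into the
    fields a stream engine needs: flags, options and the payload bytes."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4   # header length in bytes
    flags = off_flags & 0x01FF
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad TCP data offset")
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "syn": bool(flags & TCP_FLAG_SYN), "ack_flag": bool(flags & TCP_FLAG_ACK),
        "options": parse_tcp_options(segment[20:data_offset]),
        "payload": segment[data_offset:],
    }


def is_syn_with_data(seg: dict) -> bool:
    """A pure SYN (no ACK) carrying bytes is exactly the case the report describes."""
    return seg["syn"] and not seg["ack_flag"] and len(seg["payload"]) > 0


def has_tfo_option(seg: dict) -> bool:
    return any(kind == TCP_OPT_TFO for kind, _ in seg["options"])


def reassemble(segments: list, inspect_syn_data: bool) -> bytes:
    """Toy client-to-server reassembly: concatenate payloads in sequence order.
    With inspect_syn_data=False the payload on a SYN is dropped, which is the
    behaviour the report observed; with True it is kept."""
    parts = []
    for seg in sorted(segments, key=lambda s: s["seq"]):
        if seg["syn"] and not inspect_syn_data:
            continue
        parts.append(seg["payload"])
    return b"".join(parts)


def build_tcp_segment(src_port: int, dst_port: int, seq: int, flags: int,
                      options: bytes = b"", payload: bytes = b"") -> bytes:
    """Build a raw TCP segment for testing (checksum left at zero)."""
    options = options + b"\x00" * (-len(options) % 4)   # pad to 32-bit boundary
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, 0,
                         (data_offset << 12) | flags, 65535, 0, 0)
    return header + options + payload


# Constructed sample: a SYN carrying a TFO cookie option and an HTTP request.
TFO_COOKIE = bytes.fromhex("0011223344556677")            # constructed cookie value
TFO_OPTION = bytes([TCP_OPT_TFO, 2 + len(TFO_COOKIE)]) + TFO_COOKIE
SAMPLE_REQUEST = b"GET /?f=../../../../etc/passwd HTTP/1.0\r\n\r\n"
SAMPLE_SYN = build_tcp_segment(40000, 80, 1000, TCP_FLAG_SYN, TFO_OPTION, SAMPLE_REQUEST)


def demo() -> dict:
    """Show what a naive and a TFO-aware reassembler each expose to a '../' signature."""
    seg = parse_tcp_segment(SAMPLE_SYN)
    naive = reassemble([seg], inspect_syn_data=False)
    aware = reassemble([seg], inspect_syn_data=True)
    return {
        "syn_with_data": is_syn_with_data(seg),
        "tfo_option": has_tfo_option(seg),
        "naive_sees_traversal": b"../" in naive,
        "aware_sees_traversal": b"../" in aware,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The useful observable for a defender is the first flag: a SYN with a non-empty payload is rare enough on most networks that logging it on its own is worthwhile, regardless of whether the stream engine later inspects the bytes.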

Files

tfo.pcap (3.52 KB) tfo.pcap TFO pcap Renaud Dubourguais, 06/09/2014 08:45 AM