Feature #1203: TCP Fast Open support - Suricata - Open Information Security Foundation

Actions

Copy link

Feature #1203

closed

TCP Fast Open support

Added by Renaud Dubourguais almost 10 years ago. Updated over 4 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Jeff Lucovsky

Target version:

5.0rc1

Effort:

Difficulty:

Label:

Description

TCP Fast Open (http://tools.ietf.org/html/draft-cheng-tcpm-fastopen-00) is now supported by the Linux kernel since Linux 3.6. This feature allows a TCP client to transmit data in SYN packets. As Suricata don't analyse this kind of packet, by using this feature and sending evil payloads in SYN packets, someone could bypass the IDS.

Steps to reproduce:
1. Setup a nginx web server with the fastopen option (http://nginx.org/en/docs/http/ngx_http_core_module.html)
2. Setup Suricata to detect basic web vulnerability exploitations like a LFI
2. Download the POC (http://www.synacktiv.com/ressources/tfo_http_cli.py)
3. Run the POC without the TFO option:

$ python tfo_http_cli.py <server> <port> /?f=../../../../../../etc/passwd

Suricata detects the exploitation.

4. Run the POC with the TFO option:

$ python tfo_http_cli.py --tfo <server> <port> /?f=../../../../../../etc/passwd

Suricata DOESN'T detect the exploitation.

Files

tfo.pcap (3.52 KB) tfo.pcap

TFO pcap

Renaud Dubourguais, 06/09/2014 08:45 AM

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Feature #1203

TCP Fast Open support

Updated by Renaud Dubourguais almost 10 years ago

Updated by Victor Julien almost 10 years ago

Updated by Victor Julien almost 9 years ago

Updated by Andreas Herz over 8 years ago

Updated by Victor Julien over 5 years ago

Updated by Victor Julien about 5 years ago

Updated by Victor Julien about 5 years ago

Updated by Victor Julien almost 5 years ago

Updated by Victor Julien over 4 years ago