Bug #1238: Possible evasion in stream-tcp-reassemble.c - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #1238

closed

J. VJ

Possible evasion in stream-tcp-reassemble.c

Bug #1238: Possible evasion in stream-tcp-reassemble.c

Added by JmpCallPoo . almost 12 years ago. Updated over 11 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Victor Julien

Target version:

2.0.3

Affected Versions:

Effort:

Difficulty:

Label:

Description

Hello,

A possible evasion exist in Suricata.
The client can send a fake ACK whith a very low window size, to flag the stream as STREAMTCP_STREAM_FLAG_GAP.

This will be more clear with the PoC in attachement.

@JmpCallPoo

Files

Download all files

deseq_ACK.py (1.73 KB) deseq_ACK.py		JmpCallPoo ., 07/16/2014 06:42 AM
deseq_ACK.py (1.72 KB) deseq_ACK.py	Clean one	JmpCallPoo ., 07/16/2014 09:30 AM

History
Notes
Property changes

Actions

Copy link

Also available in: PDF Atom

Project

General

Profile

Suricata

Custom queries

Bug #1238

Possible evasion in stream-tcp-reassemble.c

J. Updated by JmpCallPoo . almost 12 years ago Actions
Copy link
#1

J. Updated by JmpCallPoo . almost 12 years ago Actions
Copy link
#2

VJ Updated by Victor Julien almost 12 years ago Actions
Copy link
#3

VJ Updated by Victor Julien over 11 years ago Actions
Copy link
#4

Project

General

Profile

Suricata

Custom queries

Bug #1238

Possible evasion in stream-tcp-reassemble.c

J. Updated by JmpCallPoo . almost 12 years ago ActionsCopy link #1

J. Updated by JmpCallPoo . almost 12 years ago ActionsCopy link #2

VJ Updated by Victor Julien almost 12 years ago ActionsCopy link #3

VJ Updated by Victor Julien over 11 years ago ActionsCopy link #4

J. Updated by JmpCallPoo . almost 12 years ago Actions
Copy link
#1

J. Updated by JmpCallPoo . almost 12 years ago Actions
Copy link
#2

VJ Updated by Victor Julien almost 12 years ago Actions
Copy link
#3

VJ Updated by Victor Julien over 11 years ago Actions
Copy link
#4