Bug #1370
opensctp fp on suricata engine
Description
Hello,
I'm continue Suricata testing and 1) found a fp with this (simplified) sig on joigned sctp pcap file:
alert ip any any -> any any (msg:"SCTP Suricata test 1"; ip_proto:132; content:"|00 07 02 10|"; offset:0; depth:4; classtype:attempted-admin; sid:1; rev:1; )
-> Suricata v2.0.6 fire or v2.1beta2 fire but NOT snort2.
02/18/2005-09:49:58.694007 [**] [1:1:1] SCTP Suricata test 1 [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {SCTP} 192.168.170.56:7 -> 192.168.170.8:7
tcpdump dump with joigned sctp pcap file:
09:49:58.694007 IP (tos 0x0, ttl 128, id 45300, offset 0, flags [none], proto SCTP (132), length560)
192.168.170.56.7 > 192.168.170.8.7: sctp
1) [DATA] (U)(B)(E) [TSN: 13852] [SID: 8] [SSEQ 0] [PPID 0x0] [Payload]
0x0000: 4500 0230 b0f4 0000 8084 b1c3 c0a8 aa38 E..0...........8
0x0010: c0a8 aa08 0007 0007 4323 2544 3ade fb02 ........C#%D:...
0x0020: 0007 0210 0000 361c 0008 0000 0000 0000 ......6.........
---------
...
2) or suricata fp (but not snort2) with this similar sig without ip_proto:132 :
alert ip any any -> any any (msg:"SCTP Suricata test 2"; content:"|00 07 02 10|"; offset:0; depth:4; classtype:attempted-admin; sid:2; rev:1; )
02/18/2005-09:49:58.694007 [**] [1:2:1] SCTP Suricata test 3 [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {SCTP} 192.168.170.56:7 -> 192.168.170.8:7
3) for information, post a true sig sctp fire:
alert sctp any any -> any any (msg:"SCTP Suricata test 3"; content:"|00 07 02 10|"; offset:0; depth:4; classtype:attempted-admin; sid:3; rev:1; )
Please check.
Regards
@rmkml rmkml
Files
Updated by Eric Leblond almost 10 years ago
I acknowledge the issue.
The provided pcap is containing a single packet which is containing a chunk of data (see http://en.wikipedia.org/wiki/SCTP_packet_structure for what a chunk is). The proposed signature is doing a match on data that match the content of the chunk header.
Current sctp support in Suricata is not addressing the data part. It is just parsing the header to be able to limit the match with a port based. Fixing this FP would require to develop chunks parsing in Suricata.
Updated by Andreas Herz over 8 years ago
- Assignee set to OISF Dev
- Target version set to TBD
Updated by Philippe Antoine about 1 year ago
- Related to Task #4251: protocol: SCTP support added