
Bug #1370

open

sctp fp on suricata engine

Added by rmkml almost 8 years ago. Updated over 3 years ago.

Status: New
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hello,

I'm continuing Suricata testing and 1) found a fp with this (simplified) sig on the attached sctp pcap file:

alert ip any any -> any any (msg:"SCTP Suricata test 1"; ip_proto:132; content:"|00 07 02 10|"; offset:0; depth:4; classtype:attempted-admin; sid:1; rev:1; )

-> Suricata v2.0.6 or v2.1beta2 fires, but NOT Snort 2.

02/18/2005-09:49:58.694007 [**] [1:1:1] SCTP Suricata test 1 [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {SCTP} 192.168.170.56:7 -> 192.168.170.8:7

tcpdump dump of the attached sctp pcap file:

09:49:58.694007 IP (tos 0x0, ttl 128, id 45300, offset 0, flags [none], proto SCTP (132), length 560)
192.168.170.56.7 > 192.168.170.8.7: sctp
1) [DATA] (U)(B)(E) [TSN: 13852] [SID: 8] [SSEQ 0] [PPID 0x0] [Payload]
0x0000: 4500 0230 b0f4 0000 8084 b1c3 c0a8 aa38 E..0...........8
0x0010: c0a8 aa08 0007 0007 4323 2544 3ade fb02 ........C#%D:...
0x0020: 0007 0210 0000 361c 0008 0000 0000 0000 ......6.........
---------
...

2) or a Suricata fp (but not Snort 2) with this similar sig without ip_proto:132:

alert ip any any -> any any (msg:"SCTP Suricata test 2"; content:"|00 07 02 10|"; offset:0; depth:4; classtype:attempted-admin; sid:2; rev:1; )

02/18/2005-09:49:58.694007 [**] [1:2:1] SCTP Suricata test 3 [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {SCTP} 192.168.170.56:7 -> 192.168.170.8:7

3) for information, here is a true sctp sig that fires:

alert sctp any any -> any any (msg:"SCTP Suricata test 3"; content:"|00 07 02 10|"; offset:0; depth:4; classtype:attempted-admin; sid:3; rev:1; )

Please check.

Regards
rmkml


Files

suricata_sctp.pcap (720 Bytes), rmkml, 01/28/2015 03:31 PM

#1

Updated by Eric Leblond almost 8 years ago

I acknowledge the issue.

The provided pcap contains a single packet which contains a data chunk (see http://en.wikipedia.org/wiki/SCTP_packet_structure for what a chunk is). The proposed signature matches on data that corresponds to the content of the chunk header.

Current sctp support in Suricata does not address the data part. It just parses the header to be able to limit the match based on ports. Fixing this FP would require developing chunk parsing in Suricata.
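The chunk layout described in the comment above, as an added example that is not part of the bug report or of Suricata's or Snort's code: a small Python parser that walks the packet from the tcpdump hex dump, splits it into IP header, SCTP common header, DATA chunk header and user data, and checks in which of those buffers the pattern `00 07 02 10` from the signature sits at offset 0 with depth 4. Only the first 48 bytes are on the page; the remaining 512 bytes of DATA payload are filled with zeros here (constructed filler, not the capture's real contents). Which buffer each engine actually runs `content` against is not stated on the page, so the three candidate buffers are an assumption chosen to illustrate the point, not a description of either engine's internals.

```python
import struct

# First 48 bytes of the single packet in suricata_sctp.pcap, copied from the
# tcpdump hex dump in the report. The remaining 512 bytes of DATA chunk user
# data are not shown on the page, so they are padded with zeros here
# (constructed filler, not the real capture contents).
PACKET_HEAD = bytes.fromhex(
    "4500 0230 b0f4 0000 8084 b1c3 c0a8 aa38"
    "c0a8 aa08 0007 0007 4323 2544 3ade fb02"
    "0007 0210 0000 361c 0008 0000 0000 0000"
)
PACKET = PACKET_HEAD + b"\x00" * (0x230 - len(PACKET_HEAD))

SCTP_PROTO = 132             # ip_proto:132 in the signature
SCTP_COMMON_HEADER_LEN = 12  # src port, dst port, verification tag, checksum
DATA_CHUNK_HEADER_LEN = 16   # type, flags, length, TSN, SID, SSN, PPID
PATTERN = bytes.fromhex("00070210")  # content:"|00 07 02 10|" from the sigs


def ip_payload(pkt):
    """Return (protocol, payload) of an IPv4 packet, honouring IHL and total length."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return pkt[9], pkt[ihl:total_len]


def parse_sctp(sctp):
    """Parse the SCTP common header and walk the chunk list (RFC 4960 section 3)."""
    src, dst, vtag, csum = struct.unpack("!HHII", sctp[:SCTP_COMMON_HEADER_LEN])
    chunks = []
    off = SCTP_COMMON_HEADER_LEN
    while off + 4 <= len(sctp):
        ctype, cflags, clen = struct.unpack("!BBH", sctp[off:off + 4])
        if clen < 4:
            raise ValueError("chunk length shorter than chunk header")
        chunks.append({
            "type": ctype,
            "flags": cflags,
            "length": clen,
            "offset": off,                    # where the chunk starts in the SCTP packet
            "body": sctp[off + 4:off + clen],  # everything after type/flags/length
        })
        off += (clen + 3) & ~3  # chunks are padded to a 4-byte boundary
    return {"src": src, "dst": dst, "vtag": vtag, "checksum": csum, "chunks": chunks}


def data_chunk_user_data(chunk):
    """Strip TSN/SID/SSN/PPID from a DATA chunk (type 0) and return the user data."""
    if chunk["type"] != 0:
        raise ValueError("not a DATA chunk")
    return chunk["body"][DATA_CHUNK_HEADER_LEN - 4:]


def data_chunk_flag_names(flags):
    """Decode the U/B/E flag bits tcpdump prints as (U)(B)(E)."""
    return [name for bit, name in ((0x04, "U"), (0x02, "B"), (0x01, "E")) if flags & bit]


def content_match(buf, pattern, offset=0, depth=None):
    """Emulate content with offset/depth: the pattern must lie inside buf[offset:offset+depth]."""
    window = buf[offset:] if depth is None else buf[offset:offset + depth]
    return window.find(pattern) != -1


def evaluate(pkt):
    """Check the signature's pattern against three candidate match buffers (assumed, not either engine's)."""
    proto, payload = ip_payload(pkt)
    if proto != SCTP_PROTO:
        return None
    sctp = parse_sctp(payload)
    first = sctp["chunks"][0]
    return {
        "chunk_type": first["type"],
        "chunk_flags": first["flags"],
        "chunk_flag_names": data_chunk_flag_names(first["flags"]),
        "chunk_length": first["length"],
        # buffer starting at the SCTP ports: bytes 0..3 are 00 07 00 07
        "ip_payload_match": content_match(payload, PATTERN, 0, 4),
        # buffer starting right after the common header: bytes 0..3 are the chunk header
        "post_common_header_match": content_match(payload[SCTP_COMMON_HEADER_LEN:], PATTERN, 0, 4),
        # buffer holding only the DATA chunk's user data
        "user_data_match": content_match(data_chunk_user_data(first), PATTERN, 0, 4),
    }


if __name__ == "__main__":
    for key, value in evaluate(PACKET).items():
        print(f"{key}: {value}")
```

Running it shows that `00 07 02 10` is the DATA chunk's type (0x00), flags (0x07 = U, B, E) and length (0x0210 = 528 bytes, i.e. 16 bytes of chunk header plus 512 bytes of user data), and that the pattern only matches at offset 0 in the buffer that begins immediately after the 12-byte common header. A buffer that starts at the ports or one that holds only the user data does not match, which is the distinction the comment above draws between header parsing and chunk parsing.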

#2

Updated by Andreas Herz about 6 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
#3

Updated by Andreas Herz over 3 years ago

Still reproducible in 5.0 beta.
