Bug #1722
openip rules don't trigger under the context of 'flow:stateless'
Description
The following rules were created and work to match fragmented packets coming into my network (an attempt at overwhelming my IPS/IDS and/or a DDoS; DNS reflection attacks are usually fragmented).
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"fragbits"; fragbits:M+; threshold:type both, track by_dst, count 5000, seconds 5; classtype:attempted-dos; sid:5; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"fragoffset"; fragoffset:>0; threshold:type both, track by_dst, count 5000, seconds 5; classtype:attempted-dos; sid:20; rev:1;)
I had the following two rules for the last 3 months, which were not working for me. The only difference is that I removed 'flow:stateless;' from them, and now they trigger properly.
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"fragbits broken"; flow:stateless; fragbits:M+; threshold:type both, track by_dst, count 5000, seconds 5; classtype:attempted-dos; sid:10; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"fragoffset broken"; flow:stateless; fragoffset:>0; threshold:type both, track by_dst, count 5000, seconds 5; classtype:attempted-dos; sid:15; rev:1;)
The following wiki article mentions that using flow:stateless is acceptable, and doesn't mention it not being supported for protocol 'ip'. It seems like there should be a footnote mentioning that ip is stateless and that it won't work there, if that's the line of thought. I would have expected it to give me an error if it wouldn't work. I only recently found out that the rule wasn't firing and tried simplifying it as much as I could, which is when I made it work, without stateless.

I would also think that if it doesn't apply, Suricata could silently ignore it. Ultimately these packets are usually UDP and the header looks a little different; again, UDP is also stateless, so I can imagine that the flow might also be ignored. I wish the documentation discussed some of this, or that Suricata was a bit more verbose about the rules it likes, or that it was more fault tolerant of these keywords.
Thanks!
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Flow-keywords
Updated by Andreas Herz almost 9 years ago
- Assignee set to OISF Dev
- Target version set to TBD
Updated by Victor Julien almost 6 years ago
It should be fairly easy to create a test case using scapy. Anyone up for that?
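The comment above asks for a scapy test case. As an added example that is not part of this ticket or of Suricata's own test suite, the script below builds the same kind of traffic with only the Python standard library (no scapy dependency): a burst of oversized UDP/53 responses, each split into IP fragments the way the DNS-reflection floods in the description are, written to a classic pcap that can be replayed with `suricata -r`. The reflector and victim addresses, the destination port, the MAC addresses, the DNS-shaped payload, the epoch base for timestamps and the output file name are all constructed for the example. The default of 3000 responses is chosen so that both `fragbits:M+` and `fragoffset:>0` match well over the rules' threshold of 5000 hits within 5 seconds, so the sid 5/20 and sid 10/15 pairs can be compared on identical input.

```python
"""Generate a burst of fragmented UDP/53 packets as a pcap for `suricata -r`.
Standard library only; every address, port and payload byte is constructed."""
import socket
import struct

IP_PROTO_UDP = 17
IP_FLAG_MF = 0x2000       # "More Fragments" bit: what fragbits:M+ tests
IP_OFFSET_MASK = 0x1FFF   # 13-bit offset in 8-byte units: what fragoffset tests
ETH_HDR_LEN = 14

# Constructed endpoints: an open resolver ($EXTERNAL_NET) answering spoofed
# queries toward the victim ($HOME_NET); documentation and private ranges.
REFLECTOR_IP = "203.0.113.53"
VICTIM_IP = "10.0.0.10"
VICTIM_PORT = 40000


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 when run over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ident, more_fragments, offset_bytes):
    """IPv4 header (no options) + payload with the given fragmentation fields."""
    assert offset_bytes % 8 == 0, "fragment offset must be 8-byte aligned"
    frag = (IP_FLAG_MF if more_fragments else 0) | ((offset_bytes // 8) & IP_OFFSET_MASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident & 0xFFFF,
                      frag, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_udp(sport, dport, data):
    # UDP checksum 0 means "not computed", which is legal over IPv4
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def fragment(src, dst, l4, ident, mtu=576):
    """Split one IP payload into fragments the way a router at `mtu` would."""
    max_data = ((mtu - 20) // 8) * 8   # per-fragment payload, multiple of 8
    frags, offset = [], 0
    while offset < len(l4):
        chunk = l4[offset:offset + max_data]
        more = offset + len(chunk) < len(l4)   # MF set on all but the last
        frags.append(build_ipv4(src, dst, IP_PROTO_UDP, chunk, ident, more, offset))
        offset += len(chunk)
    return frags


def ethernet(ip_packet):
    # Constructed locally-administered MACs; EtherType 0x0800 = IPv4
    return b"\x02\x00\x00\x00\x00\x01\x02\x00\x00\x00\x00\x02\x08\x00" + ip_packet


def frag_fields(frame):
    """(MF set, fragment offset in bytes), i.e. what fragbits/fragoffset see."""
    ip = frame[ETH_HDR_LEN:]
    field = struct.unpack("!H", ip[6:8])[0]
    return bool(field & IP_FLAG_MF), (field & IP_OFFSET_MASK) * 8


def build_burst(responses=3000, dns_size=1500):
    """Ethernet frames for `responses` oversized DNS answers, each fragmented."""
    # Constructed DNS-response-shaped payload: header with QR/RD/RA, then filler
    dns = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0)
    dns += b"\x00" * (dns_size - len(dns))
    udp = build_udp(53, VICTIM_PORT, dns)
    frames = []
    for i in range(responses):
        for ip in fragment(REFLECTOR_IP, VICTIM_IP, udp, ident=i + 1):
            frames.append(ethernet(ip))
    return frames


def count_keyword_matches(frames):
    """How many frames satisfy fragbits:M+ and fragoffset:>0 respectively."""
    mf = sum(1 for f in frames if frag_fields(f)[0])
    off = sum(1 for f in frames if frag_fields(f)[1] > 0)
    return mf, off


def pcap_bytes(frames, usec_gap=100):
    """Classic pcap (LINKTYPE_ETHERNET=1) with frames `usec_gap` microseconds apart."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    base = 1_700_000_000   # constructed epoch base for the timestamps
    for i, frame in enumerate(frames):
        t = i * usec_gap
        out.append(struct.pack("<IIII", base + t // 1_000_000, t % 1_000_000,
                               len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


if __name__ == "__main__":
    burst = build_burst()
    with open("frag-burst.pcap", "wb") as fh:
        fh.write(pcap_bytes(burst))
    print(len(burst), "frames; (fragbits:M+, fragoffset:>0) hits:", count_keyword_matches(burst))
```

With the four rules from the description in a file such as frag.rules (name assumed), `suricata -r frag-burst.pcap -S frag.rules -l ./log` and then a look at fast.log in the log directory shows which sids fired on the same 0.3 seconds of traffic; if sids 5 and 20 appear but 10 and 15 do not, the pcap reproduces the report. With the default MTU of 576 each 1500-byte answer becomes three fragments, two with MF set and two with a non-zero offset, so 3000 answers give 6000 hits for each keyword.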
Updated by Juliana Fajardini Reichow about 2 months ago
- Assignee changed from OISF Dev to Juliana Fajardini Reichow
Will see to create the SV tickets and see how we want to proceed from there.
Updated by Juliana Fajardini Reichow 24 days ago
- Target version changed from TBD to 9.0.0-beta1