Project

General

Profile

Actions

Bug #1722

open

ip rules don't trigger under the context of 'flow:stateless'

Added by Vincent Koski over 6 years ago. Updated about 3 years ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

The following rules were created and work to match fragmented packets coming into my network (attempt at overwhelming my IPS/IDS and/or DDoS - DNS reflection attacks usually are fragmented).

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"fragbits"; fragbits:M+; threshold:type both, track by_dst, count 5000, seconds 5; classtype:attempted-dos; sid:5; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"fragoffset"; fragoffset:>0; threshold:type both, track by_dst, count 5000, seconds 5; classtype:attempted-dos; sid:20; rev:1;)

I had the following two rules for the last 3 months, which were not working for me. The only difference is that i removed 'flow:stateless;' from them, and now they trigger properly.
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"fragbits broken"; flow:stateless; fragbits:M+; threshold:type both, track by_dst, count 5000, seconds 5; classtype:attempted-dos; sid:10; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"fragoffset broken"; flow:stateless; fragoffset:>0; threshold:type both, track by_dst, count 5000, seconds 5; classtype:attempted-dos; sid:15; rev:1;)

The following wiki article mentions using flow:stateless is acceptable, and doesn't mention it not being supported for protocol 'ip'. It seems like there should be a footnote mentioning that ip is stateless and that it won't work there - if thats the line of thought. I would have expected it to give me an error if it wouldn't work. I only recently found out that the rule wasn't firing and tried simplifying it as much as i could, which is when I made it work - without stateless. I would also think that if it doesn't apply suricata could silently ignore it.. ultimately these packets are usually UDP and the header looks a little different - again - udp is also stateless so i can imagine that the flow might also be ignored. I wish the documentation discussed some of this, or that suricata was a bit more verbose about the rules it likes, or that it was more fault tolerant of these keywords.

Thanks!
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Flow-keywords

Actions #1

Updated by Andreas Herz about 6 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions #2

Updated by Andreas Herz about 3 years ago

Do we have thoughts about that?

Actions #3

Updated by Victor Julien about 3 years ago

It should be fairly easy to create a test case using scapy. Anyone up for that?

Actions

Also available in: Atom PDF