Bug #1722
openip rules don't trigger under the context of 'flow:stateless'
Description
The following rules were created and work to match fragmented packets coming into my network (attempt at overwhelming my IPS/IDS and/or DDoS - DNS reflection attacks usually are fragmented).
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"fragbits"; fragbits:M+; threshold:type both, track by_dst, count 5000, seconds 5; classtype:attempted-dos; sid:5; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"fragoffset"; fragoffset:>0; threshold:type both, track by_dst, count 5000, seconds 5; classtype:attempted-dos; sid:20; rev:1;)
I had the following two rules for the last 3 months, which were not working for me. The only difference is that I removed 'flow:stateless;' from them, and now they trigger properly.
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"fragbits broken"; flow:stateless; fragbits:M+; threshold:type both, track by_dst, count 5000, seconds 5; classtype:attempted-dos; sid:10; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"fragoffset broken"; flow:stateless; fragoffset:>0; threshold:type both, track by_dst, count 5000, seconds 5; classtype:attempted-dos; sid:15; rev:1;)
The following wiki article mentions using flow:stateless is acceptable, and doesn't mention it not being supported for protocol 'ip'. It seems like there should be a footnote mentioning that ip is stateless and that it won't work there - if that's the line of thought. I would have expected it to give me an error if it wouldn't work. I only recently found out that the rule wasn't firing and tried simplifying it as much as I could, which is when I made it work - without stateless. I would also think that if it doesn't apply Suricata could silently ignore it. Ultimately these packets are usually UDP and the header looks a little different - again - UDP is also stateless so I can imagine that the flow might also be ignored. I wish the documentation discussed some of this, or that Suricata was a bit more verbose about the rules it likes, or that it was more fault tolerant of these keywords.
Thanks!
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Flow-keywords
Updated by Andreas Herz over 8 years ago
- Assignee set to OISF Dev
- Target version set to TBD
Updated by Victor Julien about 5 years ago
It should be fairly easy to create a test case using scapy. Anyone up for that?
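The following is an added example, not code from the reporter, from Suricata, or from the commenter. It builds the kind of traffic the two rules in the description are meant to catch (IPv4 fragments of a UDP datagram), shows what the fragbits:M+ and fragoffset:>0 checks actually look at in the IP header, and writes the fragments to a pcap that can be replayed through Suricata with -r to reproduce the report. It uses only the Python standard library (struct) rather than scapy, so the packet construction is done by hand; the addresses, ports, identification value and MAC addresses are constructed sample values, not anything from the report.

```python
"""Generate fragmented UDP traffic and evaluate the IP-header conditions used
by fragbits:M+ and fragoffset:>0, then emit a pcap for replaying into Suricata.
All addresses and identifiers below are constructed sample values."""
import socket
import struct

# Constructed sample endpoints (assumption: not taken from the report)
SRC = "198.51.100.7"   # plays $EXTERNAL_NET
DST = "192.0.2.10"     # plays $HOME_NET

MF_FLAG = 0x2000       # "more fragments" bit in the flags/fragment-offset field
DF_FLAG = 0x4000       # "don't fragment" bit
OFFSET_MASK = 0x1FFF   # 13-bit fragment offset, in 8-byte units


def ip_checksum(data: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, payload, ident, mf, offset, proto=socket.IPPROTO_UDP):
    """Build a 20-byte IPv4 header + payload. offset is in 8-byte units."""
    flags_frag = (MF_FLAG if mf else 0) | (offset & OFFSET_MASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_udp(sport, dport, data):
    """UDP header with checksum 0 (permitted for UDP over IPv4) + data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def fragment(src, dst, l4, ident, mtu=1500):
    """Split a transport-layer PDU into IPv4 fragments the way a router would:
    every fragment but the last carries a multiple of 8 bytes and sets MF."""
    chunk = (mtu - 20) // 8 * 8
    frags = []
    for off in range(0, len(l4), chunk):
        piece = l4[off:off + chunk]
        more = off + chunk < len(l4)
        frags.append(build_ipv4(src, dst, piece, ident, more, off // 8))
    return frags


def frag_fields(pkt):
    """Decode the flags/offset word the two keywords inspect."""
    word = struct.unpack("!H", pkt[6:8])[0]
    return {"DF": bool(word & DF_FLAG), "MF": bool(word & MF_FLAG),
            "offset": word & OFFSET_MASK}


def fragbits_m_plus(pkt):
    # fragbits:M+ : MF set, any other flag bits may also be set
    return frag_fields(pkt)["MF"]


def fragoffset_gt0(pkt):
    # fragoffset:>0 : every non-first fragment of a datagram
    return frag_fields(pkt)["offset"] > 0


def count_matches(packets):
    """How many packets each keyword condition would see (threshold ignored)."""
    return {"fragbits:M+": sum(fragbits_m_plus(p) for p in packets),
            "fragoffset:>0": sum(fragoffset_gt0(p) for p in packets)}


def pcap_bytes(packets):
    """Classic libpcap format, link type 1 (Ethernet), constructed MACs."""
    eth = bytes.fromhex("020000000001" "020000000002") + b"\x08\x00"
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, pkt in enumerate(packets):
        frame = eth + pkt
        out += struct.pack("<IIII", 1_700_000_000, i, len(frame), len(frame))
        out += frame
    return out


def write_pcap(path, packets):
    with open(path, "wb") as fh:
        fh.write(pcap_bytes(packets))


if __name__ == "__main__":
    # A 3000-byte DNS-sized reply from port 53 (constructed payload)
    frags = fragment(SRC, DST, build_udp(53, 40000, b"A" * 3000), ident=0x1234)
    for p in frags:
        print(frag_fields(p))
    print(count_matches(frags))
    write_pcap("frag-test.pcap", frags)   # replay: suricata -r frag-test.pcap
```

Replaying the generated pcap with both the working and the "broken" variants of the rules loaded (and the threshold count lowered for a single-file test) shows directly whether the flow:stateless versions fire on the same packets.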