
Bug #2231

Redundant content checks may cause Suricata DoS condition on an insignificant traffic rate

Added by ajaxtpm ajaxtpm over 1 year ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

It is possible to make Suricata perform lots of redundant checks on a content against specially crafted network traffic with a certain signature. The search engine doesn't stop when it should after no match is found and ends only on reaching inspection-recursion-limit (3000 by default).
This issue was likely fixed in the 4.0 branch with the following fix: https://redmine.openinfosecfoundation.org/issues/2101

Results of scanning a crafted PCAP against ET Open signature sid:2016204
Suricata 3.2.x-master:

  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
  content          5479828         1510            1501            225789          3629.00         3632.00         3089.00
  pcre             3836615439      1491            0               17232405        2573182.00      0.00            2573182.00
  --------------------------------------------------------------------------------------------------------------------------------

Suricata 4.0:

  Stats for: total
  --------------------------------------------------------------------------------------------------------------------------------
  Keyword          Ticks           Checks          Matches         Max Ticks       Avg             Avg Match       Avg No Match
  ---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
  content          19060           4               3               8164            4765.00         5374.00         2936.00
  pcre             2938616         1               0               2938616         2938616.00      0.00            2938616.00
  --------------------------------------------------------------------------------------------------------------------------------

I've attached a sample pcap that I used for experiments.
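To make the mechanism described above concrete, the following is an added toy model of chained content inspection with a recursion budget. It is example code written for this page, not Suricata's detection engine; the `within` window semantics and the `prune` rule are assumptions of the model, and `limit` stands in for inspection-recursion-limit (3000 per the report). It shows how a no-match chain over a buffer with many occurrences of the first pattern burns the whole budget when the engine keeps retrying, and how stopping as soon as a retry cannot change the outcome keeps the cost at a handful of checks while still backtracking where a bounded window genuinely requires it.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Keyword:
    """One content keyword in a chain (toy model, not Suricata's SigMatch)."""
    pattern: bytes
    relative: bool = False        # search only after the previous match (distance:0 style)
    within: Optional[int] = None  # relative only: match must end within N bytes of the anchor


@dataclass
class Stats:
    checks: int = 0          # content searches performed
    limit_hit: bool = False  # True if the recursion budget ran out


def inspect(buf: bytes, chain: List[Keyword], limit: int = 3000,
            prune: bool = True) -> Tuple[bool, Stats]:
    """Match `chain` left to right against `buf`.

    `limit` caps the number of content searches, modelling inspection-recursion-limit.
    `prune` enables the stop rule: after the rest of the chain fails for one occurrence,
    retry with a later occurrence only if the next keyword is relative with a bounded
    window; an absolute keyword ignores the anchor, and an unbounded relative keyword
    from a later anchor searches a subset of the region already searched.
    """
    stats = Stats()

    def rec(idx: int, start: int) -> bool:
        if idx == len(chain):
            return True
        kw = chain[idx]
        pos = start if kw.relative else 0
        end = start + kw.within if (kw.relative and kw.within is not None) else len(buf)
        while True:
            if stats.checks >= limit:
                stats.limit_hit = True
                return False
            stats.checks += 1
            found = buf.find(kw.pattern, pos, end)
            if found < 0:
                return False
            if rec(idx + 1, found + len(kw.pattern)):
                return True
            if prune:
                nxt = chain[idx + 1] if idx + 1 < len(chain) else None
                if nxt is None or not nxt.relative or nxt.within is None:
                    return False     # another occurrence of kw cannot change the result
            pos = found + 1          # redundant retry with the next occurrence

    return rec(0, 0), stats


def main() -> None:
    # Constructed input: 2500 occurrences of the first pattern, no occurrence of the second.
    buf = b"A" * 2500
    chain = [Keyword(b"A"), Keyword(b"B", relative=True)]
    for prune in (False, True):
        matched, st = inspect(buf, chain, limit=3000, prune=prune)
        print(f"prune={prune}: matched={matched} checks={st.checks} limit_hit={st.limit_hit}")

    # Constructed input where backtracking is genuinely needed: B must sit right after an A.
    matched, st = inspect(b"AxAB", [Keyword(b"A"), Keyword(b"B", relative=True, within=1)])
    print(f"bounded window: matched={matched} checks={st.checks}")


if __name__ == "__main__":
    main()
```

Without the prune rule the first run stops only because the budget is exhausted (3000 checks, `limit_hit=True`), which is the shape of the Ticks/Checks figures in the 3.2.x profile above; with it the same no-match costs two checks, and the bounded-window case still backtracks to the second `A` and matches.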

History

#1

Updated by Victor Julien over 1 year ago

  • Description updated (diff)
  • Status changed from New to Assigned
  • Assignee set to Victor Julien

#2

Updated by Victor Julien over 1 year ago

  • Status changed from Assigned to Closed
  • Priority changed from High to Normal

#3

Updated by ajaxtpm ajaxtpm over 1 year ago

CVE-2017-15377 was requested for this flaw.