Project

General

Profile

Actions

Security #2501

closed

Suricata stops inspecting TCP stream if a TCP RST was met

Added by ajaxtpm ajaxtpm over 6 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Label:
Git IDs:

843d0b7a10bb45627f94764a6c5d468a24143345

Severity:
Disclosure Date:

Description

Windows clients are able to process TCP data even if they arrived shortly after TCP RST packet so the current behaviour is logical but open door for IDS bypasses
PoC pcap attached.
The following signatures should alert on HTTP request and answer:

alert tcp any any -> any any (msg: "TCP BEEN NO_STREAM RULE"; flow: no_stream; content: "been"; sid: 1; )
alert tcp any any -> any any (msg: "TCP BEEN ONLY_STREAM RULE"; flow: only_stream; content: "been"; sid: 2; )
alert http any any -> any any (msg: "HTTP BEEN RULE"; content: "been"; sid: 3; )
alert tcp any any -> any any (msg: "TCP GET NO_STREAM RULE"; flow: no_stream; content: "GET"; sid: 4; )
alert tcp any any -> any any (msg: "TCP GET ONLY_STREAM RULE"; flow: only_stream; content: "GET"; sid: 5; )
alert http any any -> any any (msg: "HTTP GET RULE"; content: "GET"; sid: 6; )

but only sid 1 and 4 alerts.


Files

rst_server.pcap (1.32 KB) rst_server.pcap PoC pcap ajaxtpm ajaxtpm, 05/03/2018 02:20 PM
Actions #1

Updated by Andreas Herz over 6 years ago

  • Assignee set to OISF Dev
  • Private changed from No to Yes

Setting it to private due to bypass issue unless Victor thinks it's not that bad :)

Thanks for reporting with a .pcap attached

Actions #2

Updated by ajaxtpm ajaxtpm over 6 years ago

Hi Andreas,

Any news on that?

Actions #3

Updated by Victor Julien over 6 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Victor Julien
Actions #4

Updated by Peter Manev over 6 years ago

Out of curiosity - from your tests/observations - is that with any windows client OS or specific to a windows OS version?

Actions #5

Updated by ajaxtpm ajaxtpm over 6 years ago

Peter Manev wrote:

Out of curiosity - from your tests/observations - is that with any windows client OS or specific to a windows OS version?

Hi Peter,

Windows 7/8/10 behave the same. I think it works with any windows OS

Actions #6

Updated by ajaxtpm ajaxtpm over 6 years ago

Hi guys, do you have any updates on it ?

Actions #7

Updated by Andreas Herz over 6 years ago

We're still working on that, sorry :/

Actions #8

Updated by Victor Julien over 6 years ago

  • Target version changed from 4.1beta1 to 4.1rc1
Actions #9

Updated by Victor Julien over 6 years ago

  • Status changed from Assigned to Closed
  • Private changed from Yes to No
Actions #10

Updated by Victor Julien over 4 years ago

  • Tracker changed from Bug to Security
  • CVE set to 2018-14568
  • Git IDs updated (diff)
Actions

Also available in: Atom PDF