Security #2501
closedSuricata stops inspecting TCP stream if a TCP RST was met
843d0b7a10bb45627f94764a6c5d468a24143345
Description
Windows clients are able to process TCP data even if they arrived shortly after TCP RST packet so the current behaviour is logical but open door for IDS bypasses
PoC pcap attached.
The following signatures should alert on HTTP request and answer:
alert tcp any any -> any any (msg: "TCP BEEN NO_STREAM RULE"; flow: no_stream; content: "been"; sid: 1; )
alert tcp any any -> any any (msg: "TCP BEEN ONLY_STREAM RULE"; flow: only_stream; content: "been"; sid: 2; )
alert http any any -> any any (msg: "HTTP BEEN RULE"; content: "been"; sid: 3; )
alert tcp any any -> any any (msg: "TCP GET NO_STREAM RULE"; flow: no_stream; content: "GET"; sid: 4; )
alert tcp any any -> any any (msg: "TCP GET ONLY_STREAM RULE"; flow: only_stream; content: "GET"; sid: 5; )
alert http any any -> any any (msg: "HTTP GET RULE"; content: "GET"; sid: 6; )
but only sid 1 and 4 alerts.
Files
Updated by Andreas Herz over 6 years ago
- Assignee set to OISF Dev
- Private changed from No to Yes
Setting it to private due to bypass issue unless Victor thinks it's not that bad :)
Thanks for reporting with a .pcap attached
Updated by Victor Julien over 6 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Victor Julien
Updated by Peter Manev over 6 years ago
Out of curiosity - from your tests/observations - is that with any windows client OS or specific to a windows OS version?
Updated by ajaxtpm ajaxtpm over 6 years ago
Peter Manev wrote:
Out of curiosity - from your tests/observations - is that with any windows client OS or specific to a windows OS version?
Hi Peter,
Windows 7/8/10 behave the same. I think it works with any windows OS
Updated by ajaxtpm ajaxtpm over 6 years ago
Hi guys, do you have any updates on it ?
Updated by Victor Julien over 6 years ago
- Target version changed from 4.1beta1 to 4.1rc1
Updated by Victor Julien over 6 years ago
- Status changed from Assigned to Closed
- Private changed from Yes to No
Updated by Victor Julien over 4 years ago
- Tracker changed from Bug to Security
- CVE set to 2018-14568
- Git IDs updated (diff)