Security #2501: Suricata stops inspecting TCP stream if a TCP RST was met

Added by ajaxtpm almost 8 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Label:
Git IDs:
843d0b7a10bb45627f94764a6c5d468a24143345

Severity:
Disclosure Date:

Description

Windows clients are able to process TCP data even if it arrived shortly after a TCP RST packet, so the current behaviour is logical but opens the door for IDS bypasses.
PoC pcap attached.
The following signatures should alert on the HTTP request and answer:

alert tcp any any -> any any (msg: "TCP BEEN NO_STREAM RULE"; flow: no_stream; content: "been"; sid: 1; )
alert tcp any any -> any any (msg: "TCP BEEN ONLY_STREAM RULE"; flow: only_stream; content: "been"; sid: 2; )
alert http any any -> any any (msg: "HTTP BEEN RULE"; content: "been"; sid: 3; )
alert tcp any any -> any any (msg: "TCP GET NO_STREAM RULE"; flow: no_stream; content: "GET"; sid: 4; )
alert tcp any any -> any any (msg: "TCP GET ONLY_STREAM RULE"; flow: only_stream; content: "GET"; sid: 5; )
alert http any any -> any any (msg: "HTTP GET RULE"; content: "GET"; sid: 6; )

but only sids 1 and 4 alert.
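The detection gap the report describes, modelled as an added Python example. This is not Suricata's stream engine and makes no claim about what the fix in 843d0b7a does: it is a toy in-order TCP reassembler whose RST policy is a parameter, run against the six rules above reduced to (sid, scope, content). The exchange, its timestamps, the ISNs and the HTTP payloads are constructed for the illustration, not parsed from rst_server.pcap; the assumption that the RST arrives before the request is chosen because it is consistent with only sids 1 and 4 alerting (both the GET and the response are missing from the stream), and the http rules are treated as matching on the reassembled stream, which is a simplification.

```python
"""Toy model of the RST handling gap in this issue.

A stream tracker that stops reassembling a TCP session as soon as it
sees a RST is compared with one that keeps inspecting data arriving
shortly after the RST, which is how the report says Windows clients
behave. Added illustration only; not Suricata code.
"""
from dataclasses import dataclass

SYN, FIN, RST, PSH, ACK = 0x02, 0x01, 0x04, 0x08, 0x10


@dataclass
class Segment:
    ts: float        # seconds since the first packet of the capture
    direction: str   # "c2s" (client to server) or "s2c" (server to client)
    flags: int
    seq: int
    payload: bytes = b""


CLIENT_ISN, SERVER_ISN = 1000, 5000

# Constructed exchange (assumption, not the attached pcap): three-way
# handshake, a RST from the server side, then the HTTP request and
# response follow within 50 ms of the RST.
EXCHANGE = [
    Segment(0.000, "c2s", SYN, CLIENT_ISN),
    Segment(0.010, "s2c", SYN | ACK, SERVER_ISN),
    Segment(0.020, "c2s", ACK, CLIENT_ISN + 1),
    Segment(0.030, "s2c", RST | ACK, SERVER_ISN + 1),
    Segment(0.050, "c2s", PSH | ACK, CLIENT_ISN + 1,
            b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Segment(0.080, "s2c", PSH | ACK, SERVER_ISN + 1,
            b"HTTP/1.1 200 OK\r\nContent-Length: 13\r\n\r\nyou have been"),
]

# The six signatures from the report, reduced to what matters here.
RULES = [
    (1, "no_stream", b"been"),
    (2, "only_stream", b"been"),
    (3, "http", b"been"),
    (4, "no_stream", b"GET"),
    (5, "only_stream", b"GET"),
    (6, "http", b"GET"),
]


class StreamTracker:
    """Minimal in-order reassembler with a configurable RST policy.

    rst_grace is the number of seconds after a RST during which in-order
    data is still appended to the stream. 0.0 reproduces the reported
    behaviour (session dead on RST); a positive value models a peer that
    keeps consuming data that arrives shortly after the RST.
    """

    def __init__(self, rst_grace: float = 0.0):
        self.rst_grace = rst_grace
        self.next_seq = {}                      # direction -> next expected seq
        self.stream = {"c2s": b"", "s2c": b""}  # reassembled data per direction
        self.rst_at = None                      # timestamp of the first RST

    def feed(self, seg: Segment) -> bool:
        """Process one segment; return True if its payload reached the stream."""
        if seg.flags & SYN:
            self.next_seq[seg.direction] = seg.seq + 1
            return False
        if seg.flags & RST:
            if self.rst_at is None:
                self.rst_at = seg.ts
            return False
        if self.rst_at is not None and seg.ts - self.rst_at > self.rst_grace:
            return False   # session considered closed: data is not reassembled
        expected = self.next_seq.get(seg.direction)
        if expected is None or seg.seq != expected or not seg.payload:
            return False   # toy model: out-of-order or empty segments are skipped
        self.stream[seg.direction] += seg.payload
        self.next_seq[seg.direction] = seg.seq + len(seg.payload)
        return True


def evaluate(exchange, rst_grace: float = 0.0) -> set:
    """Return the set of sids that alert under the given RST policy."""
    tracker = StreamTracker(rst_grace)
    alerts = set()
    for seg in exchange:
        tracker.feed(seg)
        # flow:no_stream rules inspect the raw packet payload regardless of
        # stream state, which is why sids 1 and 4 still fire in the report.
        for sid, scope, content in RULES:
            if scope == "no_stream" and content in seg.payload:
                alerts.add(sid)
    # only_stream and http rules only see what the reassembler produced.
    for data in tracker.stream.values():
        for sid, scope, content in RULES:
            if scope in ("only_stream", "http") and content in data:
                alerts.add(sid)
    return alerts


if __name__ == "__main__":
    print("close on RST  :", sorted(evaluate(EXCHANGE, 0.0)))
    print("0.5 s grace   :", sorted(evaluate(EXCHANGE, 0.5)))
```

With rst_grace=0.0 only sids 1 and 4 alert, matching the report; with a short grace window all six fire because the request and response are reassembled even though a RST preceded them. The packet-level rules are the practical check here: if a no_stream rule fires on a flow while its stream and http counterparts stay silent, the sensor and the endpoint disagree about whether the session is still alive.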


Files

rst_server.pcap (1.32 KB) - PoC pcap - ajaxtpm, 05/03/2018 02:20 PM

#1 Updated by Andreas Herz almost 8 years ago

  • Assignee set to OISF Dev
  • Private changed from No to Yes

Setting it to private due to the bypass issue, unless Victor thinks it's not that bad :)

Thanks for reporting with a .pcap attached

#2 Updated by ajaxtpm almost 8 years ago

Hi Andreas,

Any news on that?

#3 Updated by Victor Julien almost 8 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Victor Julien

#4 Updated by Peter Manev almost 8 years ago

Out of curiosity - from your tests/observations - is that with any windows client OS or specific to a windows OS version?

#5 Updated by ajaxtpm almost 8 years ago

Peter Manev wrote:

> Out of curiosity - from your tests/observations - is that with any windows client OS or specific to a windows OS version?

Hi Peter,

Windows 7/8/10 behave the same. I think it works with any Windows OS.

#6 Updated by ajaxtpm almost 8 years ago

Hi guys, do you have any updates on it?

#7 Updated by Andreas Herz almost 8 years ago

We're still working on that, sorry :/

#8 Updated by Victor Julien over 7 years ago

  • Target version changed from 4.1beta1 to 4.1rc1

#9 Updated by Victor Julien over 7 years ago

  • Status changed from Assigned to Closed
  • Private changed from Yes to No

#10 Updated by Victor Julien over 5 years ago

  • Tracker changed from Bug to Security
  • CVE set to 2018-14568
  • Git IDs updated (diff)