Security #2501

closed

Suricata stops inspecting TCP stream if a TCP RST was met

Added by ajaxtpm ajaxtpm over 4 years ago. Updated about 2 years ago.

Status: Closed
Priority: Normal
Git IDs: 843d0b7a10bb45627f94764a6c5d468a24143345

Description

Windows clients are able to process TCP data even if it arrived shortly after a TCP RST packet, so the current behaviour is logical but opens the door for IDS bypasses.
PoC pcap attached.
The following signatures should alert on HTTP request and answer:

alert tcp any any -> any any (msg: "TCP BEEN NO_STREAM RULE"; flow: no_stream; content: "been"; sid: 1; )
alert tcp any any -> any any (msg: "TCP BEEN ONLY_STREAM RULE"; flow: only_stream; content: "been"; sid: 2; )
alert http any any -> any any (msg: "HTTP BEEN RULE"; content: "been"; sid: 3; )
alert tcp any any -> any any (msg: "TCP GET NO_STREAM RULE"; flow: no_stream; content: "GET"; sid: 4; )
alert tcp any any -> any any (msg: "TCP GET ONLY_STREAM RULE"; flow: only_stream; content: "GET"; sid: 5; )
alert http any any -> any any (msg: "HTTP GET RULE"; content: "GET"; sid: 6; )

but only sids 1 and 4 alert.
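The gap the report describes, modelled as an added Python example (this is not Suricata's code and not the reporter's pcap). It simulates a per-flow stream buffer under two policies, "stop inspecting at the first RST" versus "keep appending data that arrives after the RST", and shows why an `only_stream` content match for `GET` or `been` fails under the first policy while a per-segment audit still sees the data, which is the sid 1 / sid 4 behaviour. The addresses, ports, and packet sequence are constructed, and the two policies are a deliberately simplified model of stream handling, not Suricata's reassembler.

```python
"""Model of the post-RST inspection gap from Suricata issue #2501.

Added example, not project code. A flow is tracked bidirectionally;
each payload-bearing segment is either appended to the flow's stream
buffer or discarded, depending on whether a RST was already seen.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flag letters, e.g. "S", "SA", "A", "R", "PA"
    payload: bytes = b""


def flow_key(p):
    """Bidirectional 5-tuple key so both directions share one flow record."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


# Constructed packet sequence (assumed addresses/ports): handshake, a RST
# from the server, then the HTTP request and response arrive anyway.
CLIENT, SERVER = ("10.0.0.2", 40000), ("10.0.0.1", 80)
SAMPLE = [
    Pkt(*CLIENT, *SERVER, "S"),
    Pkt(*SERVER, *CLIENT, "SA"),
    Pkt(*CLIENT, *SERVER, "A"),
    Pkt(*SERVER, *CLIENT, "R"),
    Pkt(*CLIENT, *SERVER, "PA", b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    Pkt(*SERVER, *CLIENT, "PA", b"HTTP/1.1 200 OK\r\n\r\nyou have been served"),
]


def reassemble(packets, stop_on_rst):
    """Return {flow_key: {(src, sport): bytes}} of data reaching stream rules.

    stop_on_rst=True marks the flow closed at the first RST and drops any
    later payload from the stream buffer (the behaviour the issue reports).
    stop_on_rst=False keeps appending, matching a host that still consumes
    data that arrives shortly after the RST.
    """
    streams = defaultdict(lambda: defaultdict(bytes))
    closed = set()
    for p in packets:
        k = flow_key(p)
        if stop_on_rst and k in closed:
            continue
        if p.payload:
            streams[k][(p.src, p.sport)] += p.payload
        if "R" in p.flags:
            closed.add(k)
    return streams


def stream_matches(streams, needle):
    """Emulate an only_stream content rule over the reassembled buffers."""
    return any(needle in buf for dirs in streams.values() for buf in dirs.values())


def data_after_rst(packets):
    """Per-segment audit: (flow, direction, payload) for data seen after a RST.

    This is the condition a no_stream rule still sees on the raw segment,
    so it doubles as a detection for the evasion pattern itself.
    """
    seen_rst = set()
    hits = []
    for p in packets:
        k = flow_key(p)
        if p.payload and k in seen_rst:
            hits.append((k, (p.src, p.sport), p.payload))
        if "R" in p.flags:
            seen_rst.add(k)
    return hits


if __name__ == "__main__":
    for policy in (True, False):
        s = reassemble(SAMPLE, stop_on_rst=policy)
        print(f"stop_on_rst={policy}: GET in stream={stream_matches(s, b'GET')}, "
              f"been in stream={stream_matches(s, b'been')}")
    for _, direction, payload in data_after_rst(SAMPLE):
        print("payload after RST from", direction, payload[:24])
```

Running the block prints that neither `GET` nor `been` is visible to the stream view under `stop_on_rst=True`, both are visible under `stop_on_rst=False`, and the audit lists the two post-RST segments regardless of policy. A regression test for the fix referenced in the Git ID above would replay the real `rst_server.pcap` and expect all six sids to fire.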


Files

rst_server.pcap (1.32 KB), PoC pcap, added by ajaxtpm, 05/03/2018 02:20 PM