Project

General

Profile

Actions
Copy link

Security #2501

closed

Suricata stops inspecting TCP stream if a TCP RST was met

Added by ajaxtpm ajaxtpm almost 6 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Victor Julien
Target version:
4.1rc1
Affected Versions:
4.0.1
Label:
CVE:
2018-14568
Git IDs:

843d0b7a10bb45627f94764a6c5d468a24143345

Severity:
Disclosure Date:

Description

Windows clients are able to process TCP data even if they arrived shortly after TCP RST packet so the current behaviour is logical but open door for IDS bypasses
PoC pcap attached.
The following signatures should alert on HTTP request and answer:

alert tcp any any -> any any (msg: "TCP BEEN NO_STREAM RULE"; flow: no_stream; content: "been"; sid: 1; )
alert tcp any any -> any any (msg: "TCP BEEN ONLY_STREAM RULE"; flow: only_stream; content: "been"; sid: 2; )
alert http any any -> any any (msg: "HTTP BEEN RULE"; content: "been"; sid: 3; )
alert tcp any any -> any any (msg: "TCP GET NO_STREAM RULE"; flow: no_stream; content: "GET"; sid: 4; )
alert tcp any any -> any any (msg: "TCP GET ONLY_STREAM RULE"; flow: only_stream; content: "GET"; sid: 5; )
alert http any any -> any any (msg: "HTTP GET RULE"; content: "GET"; sid: 6; )

but only sid 1 and 4 alerts.

Files

rst_server.pcap (1.32 KB) rst_server.pcap PoC pcap ajaxtpm ajaxtpm, 05/03/2018 02:20 PM
Actions
Copy link

Also available in: Atom PDF