Project

General

Profile

Actions
Copy link

Bug #2511

closed

Suricata gzip unpacker bypass

Added by ajaxtpm ajaxtpm almost 6 years ago. Updated almost 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Victor Julien
Target version:
4.1rc1
Affected Versions:
Effort:
medium
Difficulty:
medium
Label:

Description

Suricata gzip unpacker may be easily bypassed by nested gzip/identity compressions.
I know there is option "response-body-decompress-layer-limit" set to 2 by default, but it is incredebly easy to bypass. Snort IDS does all layers decompression (sorry for comparison).

Example:
HTTP/1.1 200 OK
Content-Encoding: identity, identity, gzip, identity, gzip, gzip

Signatures:
alert http any any -> any any (msg: "RESPONSE UNGZIPPED"; flow: established, from_server; content: "Hi"; http_server_body; nocase; sid: 1; rev: 1; )
alert http any any -> any any (msg: "FROM_SERVER |1F 8B|"; flow: established, from_server; content: "|1F 8B|"; http_server_body; nocase; sid: 2; rev: 1; )

Pcap attached

Expectation: alert sid 1
Reality: alert sid 2

Files

response_identity_identity_gzip_identity_gzip_gzip.pcap (1.53 KB) response_identity_identity_gzip_identity_gzip_gzip.pcap ajaxtpm ajaxtpm, 06/04/2018 04:59 PM
Actions
Copy link

Also available in: Atom PDF