Project

General

Profile

Actions
Copy link

Bug #2639

closed

Alert for tcp rules with established without 3whs

Added by Paulo Pacheco over 5 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Victor Julien
Target version:
6.0.0beta1
Affected Versions:
4.0beta1, 4.0.0, 4.0.1
Effort:
Difficulty:
Label:

Description

I am seeing alerts being created when having a rule for tcp with the flow keyword 'established' while processing packets for a "session" without a 3whs.

To reproduce this we can send a few tcp packets with the psh flag and having some content payload. The rst flag to_client will create the flow.

 for i in {1..2}; do sudo hping3 127.0.0.1 -c 1 -d 6 -E match -p 1212 -P -A; done

The rule to test should be like this:

alert tcp 127.0.0.1 any -> 127.0.0.1 1212 ( msg:"RULE:to_server,established #1"; content:"MATCH?"; flow:to_server,established; priority:3; sid:2; )

I'm attaching the pcap, eve.json and fast.log

To workaround this, I put only_stream on every rules.

Files

no-3whs.tgz (953 Bytes) no-3whs.tgz established-issue-for-non-3whs Paulo Pacheco, 10/10/2018 09:29 AM
Actions
Copy link

Also available in: Atom PDF