Feature #2767

open

Interception of network stack attacks

Added by Nikolay Lyamin about 6 years ago. Updated over 5 years ago.

Status: New
Priority: Normal

Description

Hello, Team!
Please add the ability to detect bytes in traffic that is not included under the transport or network layer.
For example, a broken UDP packet in which there is a payload for an RCE vulnerability. In this packet the size of UDP and IP (fields «Total Length» of IP and «Length» of UDP) was cut in the hex editor. Only 1 byte for the size of the data is specified in the UDP header (in the attached image it's Data 06). But the "evil" payload in the packet remained outside UDP |00 00 05 00 01 00 00|. It is not possible to detect this data with Suricata.
Best regards, Nikolay Lyamin


Files

attach.png (79.4 KB), Nikolay Lyamin, 01/09/2019 09:46 AM
udp_corrupt.pcap (90 Bytes), Nikolay Lyamin, 01/09/2019 11:59 AM

Actions #1

Updated by Peter Manev about 6 years ago

Is it possible to share the actual pcap?

Actions #2

Updated by Nikolay Lyamin about 6 years ago

yes, sure

Actions #3

Updated by Victor Julien almost 6 years ago

I see Wireshark shows the extra bytes as 'eth.trailer'. I guess there are several ways we can deal with that: set a decoder event, or add a match that can look at the size, or fully expose the data for content inspection. What would be useful? Normally this data should not reach an application.

Actions #4

Updated by Andreas Herz over 5 years ago

  • Assignee set to Community Ticket
  • Target version set to TBD
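
The condition discussed in this ticket, as an added example (not code from Suricata or from the ticket's participants): a Python sketch that compares the captured frame length with the IPv4 «Total Length» and UDP «Length» fields and returns the bytes neither header accounts for. The sample frame is constructed to resemble the packet described above; its addresses, ports, the function names and the padding heuristic are assumptions of this example.

```python
import struct

ETH_HDR = 14        # Ethernet II header length
ETH_MIN_FRAME = 60  # frames shorter than this (without FCS) are padded on the wire

def unclaimed_bytes(frame: bytes) -> dict:
    """Find bytes in an Ethernet II / IPv4 / UDP frame that no length field covers."""
    if len(frame) < ETH_HDR + 20 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("not an Ethernet II frame carrying IPv4")
    ihl = (frame[ETH_HDR] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, ETH_HDR + 2)[0]
    ip_end = ETH_HDR + total_len  # where IPv4 says the packet ends
    if frame[ETH_HDR] >> 4 != 4 or ihl < 20 or total_len < ihl or ip_end > len(frame):
        raise ValueError("IPv4 header lengths inconsistent with captured frame")
    out = {"eth_trailer": frame[ip_end:], "udp_payload": None, "udp_slack": b""}
    if frame[ETH_HDR + 9] == 17:  # IPv4 protocol 17 = UDP
        udp = ETH_HDR + ihl
        if ip_end - udp < 8:
            raise ValueError("truncated UDP header")
        udp_len = struct.unpack_from("!H", frame, udp + 4)[0]
        if udp_len < 8 or udp + udp_len > ip_end:
            raise ValueError("UDP length inconsistent with IPv4 total length")
        out["udp_payload"] = frame[udp + 8:udp + udp_len]
        # Bytes inside the IP packet but past the UDP «Length» field.
        out["udp_slack"] = frame[udp + udp_len:ip_end]
    trailer = out["eth_trailer"]
    # Heuristic (assumption of this example): all-zero padding that brings a
    # short frame up to 60 bytes is normal; anything else deserves a look.
    out["suspicious"] = bool(out["udp_slack"]) or (
        bool(trailer) and (any(trailer) or len(frame) > ETH_MIN_FRAME))
    return out

def build_frame(trailer: bytes) -> bytes:
    """Constructed sample: UDP declares 1 data byte (06); `trailer` follows it."""
    eth = bytes.fromhex("020000000002" "020000000001" "0800")
    # Total Length = 20 + 8 + 1 = 29; checksums left at 0 (not validated here).
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 29, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    udp = struct.pack("!HHHH", 40000, 9999, 9, 0) + b"\x06"
    return eth + ip + udp + trailer

if __name__ == "__main__":
    r = unclaimed_bytes(build_frame(bytes.fromhex("00000500010000")))
    print(r["udp_payload"].hex(), r["eth_trailer"].hex(), r["suspicious"])
```

The `eth_trailer` value corresponds to what Wireshark labels 'eth.trailer' in comment #3; the `suspicious` flag shows one possible shape for a size-based match.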