Feature #2767: Interception of network stack attacks - Suricata - Open Information Security Foundation

Actions

Copy link

Feature #2767

open

Interception of network stack attacks

Added by Nikolay Lyamin over 5 years ago. Updated almost 5 years ago.

Status:

New

Priority:

Normal

Assignee:

Community Ticket

Target version:

TBD

Effort:

Difficulty:

Label:

Description

Hello, Team!
Please add the ability to detect bytes in traffic that is not included under the transport or network layer.
For example, a broken UDP packet in which there is a payload for RCE vulnerability. In this packet the size of UDP and IP (fields «Total Length» of IP and «Length» of UDP) was cuted in the hex editor. Only 1 byte for the size of the data is specified in the UDP header (in the image from attach it's Data 06). But the "evil" payload in the packet remained outside UDP |00 00 05 00 01 00 00|. It is not possible to detect this data by suricata.
Best regards, Nikolay Lyamin

Files

Download all files

attach.png (79.4 KB) attach.png		Nikolay Lyamin, 01/09/2019 09:46 AM
udp_corrupt.pcap (90 Bytes) udp_corrupt.pcap		Nikolay Lyamin, 01/09/2019 11:59 AM

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Feature #2767

Interception of network stack attacks

Updated by Peter Manev over 5 years ago

Updated by Nikolay Lyamin over 5 years ago

Updated by Victor Julien about 5 years ago

Updated by Andreas Herz almost 5 years ago