Project

General

Profile

Actions

Bug #3328

closed

bad ip option evasion

Added by Nicolas Adba almost 2 years ago. Updated almost 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Suricata is vulnerable to bad ip option evasions.
Here are the pcaps of issue number 3286 with a bad ipv4 option.

I don't think it's exploitable in the wild because routers should drop the injected packets (I didn't test it thought).


Files

with_evasion_windows.pcap (1.26 KB) with_evasion_windows.pcap Nicolas Adba, 11/07/2019 08:25 PM
with_evasion_linux.pcap (1.43 KB) with_evasion_linux.pcap Nicolas Adba, 11/07/2019 08:25 PM
without_evasion.pcap (1.01 KB) without_evasion.pcap Nicolas Adba, 11/07/2019 08:25 PM
test.rule (147 Bytes) test.rule Nicolas Adba, 11/07/2019 08:25 PM

Related issues

Copied to Bug #3414: bad ip option evasion (4.1.x)ClosedJason IshActions
Actions #1

Updated by Andreas Herz almost 2 years ago

  • Assignee set to OISF Dev
  • Target version set to 70
Actions #2

Updated by Victor Julien almost 2 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Jason Ish
  • Target version changed from 70 to 5.0.1
Actions #3

Updated by Victor Julien almost 2 years ago

  • Priority changed from Normal to High
  • Label Needs backport added
Actions #4

Updated by Victor Julien almost 2 years ago

  • Status changed from Assigned to Closed
  • Priority changed from High to Normal
  • Private changed from Yes to No
  • Label deleted (Needs backport)
Actions #5

Updated by Victor Julien almost 2 years ago

  • Copied to Bug #3414: bad ip option evasion (4.1.x) added
Actions

Also available in: Atom PDF