Bug #3518
closedBypass of Payload detection on TCP Teardown
Description
- cat /etc/suricata/rules/local.rules
alert tcp any any -> any any (msg:"WEB ATTACKS /etc/passwd command attempt"; flow:established; content:"/etc/passwd";classtype:web-application-attack;sid:1328;rev:6;)
- suricata -c /etc/suricata/suricata.yaml -i eth0
Client Server
SYN SYN,ACK
ACK
FIN,ACK FIN,ACK
ACK, packet with content "/etc/passwd"
ACK RST
I consider this a bug because Suricata triggers the alert on receiving the same content in the same scenario but specifying the rest of the flags. Moreover, SNORT configured with the same settings and scenario triggers an alert.
Files
Updated by Guillermo Muñoz almost 5 years ago
- File Screen Shot 2020-03-08 at 18.42.13.png Screen Shot 2020-03-08 at 18.42.13.png added
- File Screen Shot 2020-03-08 at 18.42.43.png Screen Shot 2020-03-08 at 18.42.43.png added
- File Screen Shot 2020-03-08 at 18.43.35.png Screen Shot 2020-03-08 at 18.43.35.png added
- File suricata-issue.pcapng suricata-issue.pcapng added
I am attaching the .pcap as well as three more clear screenshots. Please replace the file "Screen Shot 2020-03-08 at 18.28.03.png" with "Screen Shot 2020-03-08 at 18.42.13.png". i also attach a capture of the traffic.
Updated by Guillermo Muñoz almost 5 years ago
I have verified that if we send the last ACK of the teardown and we attempt to send the custom payload, suricata is working well and triggering the alert thus confirming the bug exists.
Updated by Victor Julien almost 5 years ago
Can you test about the recent version (4.1.7/5.0.2)? We're often fixing issues so please always report against the latest stable version.
Updated by Victor Julien over 4 years ago
- Status changed from New to Assigned
- Assignee set to Victor Julien
The pcap is rejected by (somewhat) recent versions of libpcap:
[9397] 20/3/2020 -- 09:22:37 - (source-pcap-file-helper.c:202) <Error> (InitPcapFile) -- [ERRCODE: SC_ERR_FOPEN(44)] - invalid interface capture length 524288, bigger than maximum of 262144
I fixed that up
tshark -F pcap -r suricata-issue.pcapng -w input.pcap
And then the pcap is processed and the alert is generated:
[9534] 20/3/2020 -- 09:24:16 - (tm-threads.c:2010) <Notice> (TmThreadWaitOnThreadInit) -- all 5 packet processing threads, 4 management threads initialized, engine started. [9535] 20/3/2020 -- 09:24:16 - (source-pcap-file.c:175) <Info> (ReceivePcapFileLoop) -- Starting file run for /home/victor/sync/devel/suricata-verify/tests/issue-3518/input.pcap [9535] 20/3/2020 -- 09:24:16 - (source-pcap-file-helper.c:157) <Info> (PcapFileDispatch) -- pcap file /home/victor/sync/devel/suricata-verify/tests/issue-3518/input.pcap end of file reached (pcap err code 0) [9534] 20/3/2020 -- 09:24:16 - (suricata.c:2908) <Notice> (SuricataMainLoop) -- Signal Received. Stopping engine. [9534] 20/3/2020 -- 09:24:16 - (suricata.c:1088) <Info> (SCPrintElapsedTime) -- time elapsed 0.061s [9535] 20/3/2020 -- 09:24:16 - (source-pcap-file.c:376) <Notice> (ReceivePcapFileThreadExitStats) -- Pcap-file module read 1 files, 8 packets, 461 bytes [9534] 20/3/2020 -- 09:24:16 - (counters.c:853) <Info> (StatsLogSummary) -- Alerts: 1
Alert:
{
"timestamp": "2020-03-08T18:41:44.423065+0100",
"flow_id": 1481204001436825,
"event_type": "alert",
"src_ip": "192.168.210.1",
"src_port": 63035,
"dest_ip": "192.168.210.141",
"dest_port": 80,
"proto": "TCP",
"alert": {
"action": "allowed",
"gid": 1,
"signature_id": 1328,
"rev": 6,
"signature": "WEB ATTACKS /etc/passwd command attempt",
"category": "Web Application Attack",
"severity": 1
},
"flow": {
"pkts_toserver": 5,
"pkts_toclient": 3,
"bytes_toserver": 281,
"bytes_toclient": 180,
"start": "2020-03-08T18:41:44.423065+0100"
}
}
Am I missing something?
Updated by Victor Julien about 3 years ago
- Status changed from Assigned to Closed
- Assignee deleted (
Victor Julien)