Bug #3518

closed

Bypass of Payload detection on TCP Teardown

Added by Guillermo Muñoz about 4 years ago. Updated over 2 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -

Description

While configuring Suricata in inline mode with established TCP connections, it is possible to bypass its detection by sending the custom payload before closing the connection on the TCP teardown.

  1. cat /etc/suricata/rules/local.rules
     alert tcp any any -> any any (msg:"WEB ATTACKS /etc/passwd command attempt"; flow:established; content:"/etc/passwd";classtype:web-application-attack;sid:1328;rev:6;)
  2. suricata -c /etc/suricata/suricata.yaml -i eth0

Client                                      Server
SYN                                      ->
                                         <- SYN,ACK
ACK                                      ->

FIN,ACK                                  ->
                                         <- FIN,ACK
ACK, packet with content "/etc/passwd"   ->
ACK                                      ->
                                         <- RST

I consider this a bug because Suricata triggers the alert on receiving the same content in the same scenario but specifying the rest of the flags. Moreover, SNORT configured with the same settings and scenario triggers an alert.
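As an added illustration (not code from the report or from the Suricata project), a small flow tracker that flags segments carrying payload after their sender has already sent FIN, which is the condition in the exchange above; the segment lists are constructed to mirror the report, and the "client"/"server" labels are assumptions.

```python
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10  # TCP flag bits


@dataclass
class Seg:
    """One TCP segment of a single flow; endpoint labels are assumptions."""
    src: str           # "client" or "server"
    flags: int
    payload: bytes = b""


def find_post_fin_data(segments, needle=b"/etc/passwd"):
    """Return (index, sender, needle_found) for every segment that carries
    payload after its sender has already sent FIN. Segments after an RST are
    ignored because the flow is gone by then."""
    fin_sent = set()
    hits = []
    for i, s in enumerate(segments):
        if s.payload and s.src in fin_sent:
            hits.append((i, s.src, needle in s.payload))
        if s.flags & FIN:
            fin_sent.add(s.src)
        if s.flags & RST:
            break
    return hits


# Constructed to mirror the exchange in the report: payload rides on the
# client's ACK after both sides have sent FIN.
TEARDOWN_BYPASS = [
    Seg("client", SYN), Seg("server", SYN | ACK), Seg("client", ACK),
    Seg("client", FIN | ACK), Seg("server", FIN | ACK),
    Seg("client", ACK, b"/etc/passwd"),
    Seg("client", ACK), Seg("server", RST),
]

# Constructed control case: the same content sent before the teardown.
NORMAL_CLOSE = [
    Seg("client", SYN), Seg("server", SYN | ACK), Seg("client", ACK),
    Seg("client", ACK, b"/etc/passwd"), Seg("server", ACK),
    Seg("client", FIN | ACK), Seg("server", FIN | ACK), Seg("client", ACK),
]

if __name__ == "__main__":
    print(find_post_fin_data(TEARDOWN_BYPASS))  # [(5, 'client', True)]
    print(find_post_fin_data(NORMAL_CLOSE))     # []
```

Such post-FIN data is a stream anomaly in its own right: a compliant receiver discards it, so a segment matching a content rule there is worth alerting on regardless of whether the payload would ever be delivered.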


Files

Screen Shot 2020-03-08 at 18.37.47.png (253 KB) - Guillermo Muñoz, 03/08/2020 05:39 PM
Screen Shot 2020-03-08 at 18.38.43.png (255 KB) - Guillermo Muñoz, 03/08/2020 05:39 PM
Screen Shot 2020-03-08 at 18.28.03.png (138 KB) - Guillermo Muñoz, 03/08/2020 05:39 PM
Screen Shot 2020-03-08 at 18.42.13.png (144 KB) - Guillermo Muñoz, 03/08/2020 05:44 PM
Screen Shot 2020-03-08 at 18.42.43.png (258 KB) - Guillermo Muñoz, 03/08/2020 05:44 PM
Screen Shot 2020-03-08 at 18.43.35.png (13.8 KB) - Guillermo Muñoz, 03/08/2020 05:44 PM
suricata-issue.pcapng (1.1 KB) - Guillermo Muñoz, 03/08/2020 05:47 PM