Bug #3521: Bypass of Detection Capabilities - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #3521

closed

Bypass of Detection Capabilities

Added by Guillermo Muñoz about 4 years ago. Updated over 2 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Target version:

Affected Versions:

4.1.5

Effort:

low

Difficulty:

low

Label:

Protocol

Description

Dear colleagues,

I have noticed that Suricata signatures (i.e. file provided to Suricata using the -s option) do not detect data located on established connections with TCP Fast Open (TFO) on established connections:

cat /etc/suricata/rules/local.rules
alert tcp any any -> any any (msg:"WEB-ATTACKS /etc/passwd command attempt"; flow:established; content:"/etc/passwd"; classtype:web-application-attack; sid:1328; rev:6;)

suricata -V
This is Suricata version 4.1.5 RELEASE

suricata -c /etc/suricata/suricata.yaml -r tfo.pcap

Impact
Many OSes however support TFO so these payload in SYN and SYNACK packets should reach applications if TFO is used.

I am attaching the .pcap and the local.rules so you can verify the bug.

Files

Download all files

tfo.pcap (3.52 KB) tfo.pcap		Guillermo Muñoz, 03/10/2020 06:31 PM
suricata.yaml (73.3 KB) suricata.yaml		Guillermo Muñoz, 03/10/2020 06:33 PM
local.rules (170 Bytes) local.rules		Guillermo Muñoz, 03/10/2020 06:33 PM