Project

General

Profile

Actions

Bug #3521

closed

Bypass of Detection Capabilities

Added by Guillermo Muñoz over 4 years ago. Updated almost 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
low
Difficulty:
low
Label:
Protocol

Description

Dear colleagues,

I have noticed that Suricata signatures (i.e. file provided to Suricata using the -s option) do not detect data located on established connections with TCP Fast Open (TFO) on established connections:

  1. cat /etc/suricata/rules/local.rules
    alert tcp any any -> any any (msg:"WEB-ATTACKS /etc/passwd command attempt"; flow:established; content:"/etc/passwd"; classtype:web-application-attack; sid:1328; rev:6;)
  1. suricata -V
    This is Suricata version 4.1.5 RELEASE
  1. suricata -c /etc/suricata/suricata.yaml -r tfo.pcap

Impact
Many OSes however support TFO so these payload in SYN and SYNACK packets should reach applications if TFO is used.

I am attaching the .pcap and the local.rules so you can verify the bug.


Files

tfo.pcap (3.52 KB) tfo.pcap Guillermo Muñoz, 03/10/2020 06:31 PM
suricata.yaml (73.3 KB) suricata.yaml Guillermo Muñoz, 03/10/2020 06:33 PM
local.rules (170 Bytes) local.rules Guillermo Muñoz, 03/10/2020 06:33 PM
Actions #1

Updated by Victor Julien over 4 years ago

  • Priority changed from Urgent to Normal

Please try Suricata 5.0. TCP fast open support was added in 5.0. (see #1203)

Actions #2

Updated by Guillermo Muñoz over 4 years ago

Victor Julien wrote in #note-1:

Please try Suricata 5.0. TCP fast open support was added in 5.0. (see #1203)

I have successfully reproduced the vulnerability on v5.0.2 (see #3522 )

Actions #3

Updated by Victor Julien over 4 years ago

So are this ticket and #3522 the same issue?

Actions #4

Updated by Guillermo Muñoz over 4 years ago

Victor Julien wrote in #note-3:

So are this ticket and #3522 the same issue?

Yes, you can close this ticket for duplicate.

Actions #5

Updated by Guillermo Muñoz over 4 years ago

Guillermo Muñoz wrote in #note-4:

Victor Julien wrote in #note-3:

So are this ticket and #3522 the same issue?

Yes, you can close this ticket for duplicate.

And leave the ticket #3522 for resolution.

Actions #6

Updated by Jungho Yoon over 4 years ago

Victor Julien wrote in #note-3:

So are this ticket and #3522 the same issue?

#3509 has a similar problem. Please check

Actions #7

Updated by Victor Julien almost 3 years ago

  • Status changed from New to Closed
Actions

Also available in: Atom PDF