Bug #3521
Bypass of Detection Capabilities
Status: Closed
Priority: Normal
Assignee: -
Target version: -
Affected Versions:
Effort: low
Difficulty: low
Label: Protocol
Description
Dear colleagues,
I have noticed that Suricata signatures (i.e. the file provided to Suricata using the -s option) do not detect data located on connections established with TCP Fast Open (TFO):
- cat /etc/suricata/rules/local.rules
alert tcp any any -> any any (msg:"WEB-ATTACKS /etc/passwd command attempt"; flow:established; content:"/etc/passwd"; classtype:web-application-attack; sid:1328; rev:6;)
- suricata -V
This is Suricata version 4.1.5 RELEASE
- suricata -c /etc/suricata/suricata.yaml -r tfo.pcap
Impact
Many OSes, however, support TFO, so these payloads in SYN and SYN-ACK packets should reach applications if TFO is used.
I am attaching the .pcap and the local.rules so you can verify the bug.
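To make the failure mode concrete, here is an added example that is not part of the ticket or of Suricata itself: a small stdlib-only Python inspector that parses an IPv4/TCP segment, reports whether it carries payload before the handshake has completed (a SYN or SYN-ACK with data, which is exactly what TFO permits), extracts the TFO cookie option (kind 34, RFC 7413) when present, and runs a plain content match on that early payload. The packets it inspects are constructed inline for the demo (addresses, cookie value and HTTP request are made up; checksums are left at zero because the parser does not verify them), and the function names are this example's own. The point it illustrates is that a rule gated on flow:established can never see data delivered in the SYN segment: a TFO-aware engine has to inspect the SYN payload itself, and a SYN that carries data is a useful anomaly to alert on in its own right.

```python
"""Detect TCP segments carrying payload before the handshake completes
(TCP Fast Open early data) and content-match that payload.
Added example; packets below are constructed for the demo."""
import struct

TFO_OPTION_KIND = 34   # RFC 7413 TCP Fast Open cookie option
TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10


def parse_tcp_options(raw):
    """Walk the TCP option bytes and return a list of (kind, data)."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # EOL: nothing further
            break
        if kind == 1:                      # NOP: single-byte padding
            i += 1
            continue
        if i + 1 >= len(raw):              # truncated option header
            break
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):   # malformed length
            break
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def parse_ipv4_tcp(frame):
    """Parse an IPv4+TCP packet (no link layer). Returns a dict or None."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != 6 or len(frame) < ihl + 20:    # not TCP / too short
        return None
    tcp = frame[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    return {
        "sport": sport, "dport": dport, "seq": seq,
        "flags": off_flags & 0x1FF,
        "options": parse_tcp_options(tcp[20:data_off]),
        "payload": tcp[data_off:],
    }


def inspect(frame, pattern):
    """Report early (pre-handshake) data, the TFO cookie, and a content hit."""
    pkt = parse_ipv4_tcp(frame)
    if pkt is None:
        return None
    syn = bool(pkt["flags"] & TCP_FLAG_SYN)
    cookies = [d for k, d in pkt["options"] if k == TFO_OPTION_KIND]
    return {
        "syn": syn,
        "ack": bool(pkt["flags"] & TCP_FLAG_ACK),
        "tfo_cookie": cookies[0] if cookies else None,
        # Data on a SYN/SYN-ACK is delivered before flow:established is true
        "early_data_len": len(pkt["payload"]) if syn else 0,
        "content_match": pattern in pkt["payload"],
    }


def build_ipv4_tcp(src, dst, sport, dport, flags, options=b"", payload=b""):
    """Construct a minimal IPv4+TCP packet for the demo (checksums left 0)."""
    options += b"\x01" * ((-len(options)) % 4)   # NOP-pad to 32-bit boundary
    data_off = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 0,
                      (data_off << 12) | flags, 65535, 0, 0) + options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return ip + tcp


# Constructed samples: a TFO SYN carrying an HTTP request, and a plain SYN.
TFO_COOKIE = b"\x11\x22\x33\x44\x55\x66\x77\x88"          # made-up cookie
TFO_OPTION = bytes([TFO_OPTION_KIND, 2 + len(TFO_COOKIE)]) + TFO_COOKIE
SAMPLE_TFO_SYN = build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 80, TCP_FLAG_SYN,
                                TFO_OPTION, b"GET /etc/passwd HTTP/1.0\r\n\r\n")
SAMPLE_PLAIN_SYN = build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40001, 80, TCP_FLAG_SYN)

if __name__ == "__main__":
    for name, frame in (("tfo_syn", SAMPLE_TFO_SYN), ("plain_syn", SAMPLE_PLAIN_SYN)):
        print(name, inspect(frame, b"/etc/passwd"))
```

Running the block prints a report for each sample: the TFO SYN shows `early_data_len` of 28 with `content_match` True and the cookie bytes, while the plain SYN shows no early data and no match. A stream-reassembling engine that only begins inspecting once the three-way handshake is complete (as the 4.1.x behaviour in this ticket suggests) would produce the second report for both, which is why the rule above never fires on the attached capture.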
Updated by Victor Julien almost 5 years ago
- Priority changed from Urgent to Normal
Please try Suricata 5.0. TCP fast open support was added in 5.0. (see #1203)
Updated by Guillermo Muñoz almost 5 years ago
Updated by Victor Julien almost 5 years ago
So are this ticket and #3522 the same issue?
Updated by Guillermo Muñoz almost 5 years ago
Updated by Jungho Yoon almost 5 years ago