Project

General

Profile

Actions

Bug #3521

closed

Bypass of Detection Capabilities

Added by Guillermo Muñoz almost 5 years ago. Updated about 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
low
Difficulty:
low
Label:
Protocol

Description

Dear colleagues,

I have noticed that Suricata signatures (i.e. file provided to Suricata using the -s option) do not detect data located on established connections with TCP Fast Open (TFO) on established connections:

  1. cat /etc/suricata/rules/local.rules
    alert tcp any any -> any any (msg:"WEB-ATTACKS /etc/passwd command attempt"; flow:established; content:"/etc/passwd"; classtype:web-application-attack; sid:1328; rev:6;)
  1. suricata -V
    This is Suricata version 4.1.5 RELEASE
  1. suricata -c /etc/suricata/suricata.yaml -r tfo.pcap

Impact
Many OSes however support TFO so these payload in SYN and SYNACK packets should reach applications if TFO is used.

I am attaching the .pcap and the local.rules so you can verify the bug.


Files

tfo.pcap (3.52 KB) tfo.pcap Guillermo Muñoz, 03/10/2020 06:31 PM
suricata.yaml (73.3 KB) suricata.yaml Guillermo Muñoz, 03/10/2020 06:33 PM
local.rules (170 Bytes) local.rules Guillermo Muñoz, 03/10/2020 06:33 PM
Actions

Also available in: Atom PDF