Bug #4615

closed

Multiple identical request headers will not be detected by signatures, causing attacks to bypass

Added by Jiacheng Zhong over 2 years ago. Updated over 2 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Target version: -
Affected Versions:
Effort:
Difficulty:
Label:

Description

I wrote the signature: `alert http any any -> any any (msg:"Header Attack";flow:established,to_server;content:"TEST:|20|evil";nocase;http_header;sid:1;rev:1;)`
Start Suricata listening on the network card: `suricata -c suricata.yaml -s signatures.rules -i enp0s3`
I send the following request message:

The attack was discovered

But when I bypassed the attack through the same request header, Suricata did not detect the attack payload.

This will cause the attack payload to bypass Suricata. Similarly, many exploits passed the attack payload through the HTTP request header. This bypass method will cause a lot of trouble.

Best Regards.


Files

clipboard-202108231641-uzpfi.png (12.5 KB) Jiacheng Zhong, 08/23/2021 08:41 AM
clipboard-202108231641-z1rcc.png (8.37 KB) Jiacheng Zhong, 08/23/2021 08:41 AM
clipboard-202108231643-waczd.png (12.6 KB) Jiacheng Zhong, 08/23/2021 08:43 AM
Actions #1

Updated by Jiacheng Zhong over 2 years ago

Hello, I found that my keyword was used incorrectly. This issue can be closed. Thanks :)

Actions #2

Updated by Jeff Lucovsky over 2 years ago

  • Status changed from New to Closed
  • Target version changed from 6.0.2 to TBD

Closed by request of reporter.

Actions #4

Updated by Victor Julien over 2 years ago

  • Tracker changed from Security to Bug
  • Status changed from Closed to Rejected
  • Target version deleted (TBD)
  • Severity deleted (MODERATE)