Bug #4615

closed

Multiple identical request headers will not be detected by signatures, causing attacks to bypass

Added by Jiacheng Zhong over 2 years ago. Updated over 2 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

I wrote the signature: `alert http any any -> any any (msg:"Header Attack";flow:established,to_server;content:"TEST:|20|evil";nocase;http_header;sid:1;rev:1;)`
Started Suricata listening on the network card: `suricata -c suricata.yaml -s signatures.rules -i enp0s3`
I sent the following request message:

The attack was discovered

But when I bypassed the attack through the same request header, Suricata did not detect the attack payload.

This will cause the attack payload to bypass Suricata. Similarly, many exploits passed the attack payload through the HTTP request header. This bypass method will cause a lot of trouble.

Best Regards.
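An added illustration, not part of the report and not Suricata's or libhtp's own code, of why a header-name collision matters to a content match: it parses a constructed request into two views a detection engine might expose, the raw header lines and an RFC 7230-style combined buffer where repeated names are folded into one comma-joined value, and runs a case-insensitive `TEST: evil` match (mirroring the `nocase` modifier above) against each. How any particular engine builds its buffer is an assumption here; the point for a defender is to match on both views rather than only the combined one.

```python
# Added illustration (not Suricata or libhtp code): two header views a
# detection engine might expose to a content match, and how duplicate header
# names change what each view contains.
from typing import Dict, List, Tuple


def parse_headers(raw_request: bytes) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.1 request head into (name, value) pairs in wire order."""
    head, _, _body = raw_request.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")[1:]  # drop the request line
    pairs = []
    for line in lines:
        if not line:
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def raw_lines_view(pairs: List[Tuple[str, str]]) -> str:
    """Every header line kept separately, exactly as sent."""
    return "\r\n".join(f"{n}: {v}" for n, v in pairs)


def combined_view(pairs: List[Tuple[str, str]]) -> str:
    """Repeated names (case-insensitive) folded into one comma-joined value."""
    merged: Dict[str, List[str]] = {}
    order: List[Tuple[str, str]] = []
    for n, v in pairs:
        key = n.lower()
        if key not in merged:
            merged[key] = []
            order.append((key, n))  # keep the first spelling seen
        merged[key].append(v)
    return "\r\n".join(f"{n}: {', '.join(merged[key])}" for key, n in order)


def header_match(raw_request: bytes, pattern: str = "TEST: evil") -> Dict[str, bool]:
    """Case-insensitive substring match (like nocase) per view -> {view: matched}."""
    pairs = parse_headers(raw_request)
    views = {"per_line": raw_lines_view(pairs), "combined": combined_view(pairs)}
    needle = pattern.lower()
    return {name: needle in text.lower() for name, text in views.items()}


# Constructed sample requests (assumed host name) for a demo run.
SINGLE = b"GET / HTTP/1.1\r\nHost: example.test\r\nTEST: evil\r\n\r\n"
DUPLICATED = b"GET / HTTP/1.1\r\nHost: example.test\r\nTEST: benign\r\nTest: evil\r\n\r\n"
```

With the duplicated request the per-line view still matches while the combined view reads `TEST: benign, evil` and does not, so a rule that is evaluated only against a folded buffer misses it; evaluating each header line as well closes that gap.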

Files

clipboard-202108231641-uzpfi.png (12.5 KB), Jiacheng Zhong, 08/23/2021 08:41 AM
clipboard-202108231641-z1rcc.png (8.37 KB), Jiacheng Zhong, 08/23/2021 08:41 AM
clipboard-202108231643-waczd.png (12.6 KB), Jiacheng Zhong, 08/23/2021 08:43 AM