Bug #5437 (Closed): 'unseen' http midstream packets with TCP FIN flag set
Description
This was raised by a discussion on our Discord server.
Two users reached out because Suri seemed to be randomly omitting payloads from some of the alerts.
Apparently, this is happening because some HTTP midstream packets are not seen by Suri, even if we have stream.midstream=true.
Wireshark is able to properly tag such traffic as HTTP.
This also leads to Suri not logging the associated payload for some alert events in the eve-log, as it doesn't recognize the stream as HTTP.
The rule used by them to generate the alerts was:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Mirai"; flow:to_server,established; content:"User-Agent|3A| Hello, world"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service HTTP; reference:url,www.virustotal.com/en/file/3908cc1d8001f926031fbe55ce104448dbc20c9795b7c3cfbd9abe7b789f899d/analysis/; classtype:trojan-activity; sid:58992; rev:1;)
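To reproduce the condition the report describes on a sensor of your own, it helps to have a minimal pcap that contains exactly one mid-stream HTTP request segment carrying FIN, plus an identical segment without FIN as a control. The script below is an added example written for this page; it is not part of the Suricata project or of the linked suricata-verify test. All addresses, ports, MAC addresses, sequence numbers and the Host header are constructed; the only value taken from the report is the User-Agent string matched by the rule above. It writes the pcap with the standard library only, so no scapy or libpcap is needed.

```python
import struct
import socket

# Constructed sample values (not from the bug report).
CLIENT_IP = "192.0.2.10"
SERVER_IP = "198.51.100.20"
CLIENT_PORT = 40000
SERVER_PORT = 80
# Mid-stream: sequence/ack numbers that no SYN in the capture accounts for,
# so a sensor only picks the session up if stream.midstream is enabled.
CLIENT_SEQ = 0x1F000000
SERVER_ACK = 0x2A000000

TCP_FIN, TCP_PSH, TCP_ACK = 0x01, 0x08, 0x10

HTTP_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.com\r\n"          # constructed
    b"User-Agent: Hello, world\r\n"   # the string matched by the rule in the report
    b"\r\n"
)


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload):
    """20-byte TCP header (no options) with a valid checksum, followed by payload."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    data_offset = 5 << 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(hdr) + len(payload))
    csum = checksum(pseudo + hdr + payload)
    hdr = hdr[:16] + struct.pack("!H", csum) + hdr[18:]
    return hdr + payload


def build_ipv4_packet(src_ip, dst_ip, tcp_segment):
    """IPv4 header (DF set, TTL 64) with a valid header checksum."""
    total_len = 20 + len(tcp_segment)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                      socket.IPPROTO_TCP, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + tcp_segment


def build_frame(ip_packet):
    # Constructed locally administered MAC addresses; ethertype 0x0800 = IPv4.
    return bytes.fromhex("020000000001" "020000000002" "0800") + ip_packet


def client_request_frame(flags):
    seg = build_tcp_segment(CLIENT_IP, SERVER_IP, CLIENT_PORT, SERVER_PORT,
                            CLIENT_SEQ, SERVER_ACK, flags, HTTP_REQUEST)
    return build_frame(build_ipv4_packet(CLIENT_IP, SERVER_IP, seg))


def midstream_fin_request():
    """The case from the report: first packet of the flow, data + FIN in one segment."""
    return client_request_frame(TCP_ACK | TCP_PSH | TCP_FIN)


def midstream_request():
    """Control case: same mid-stream request without FIN."""
    return client_request_frame(TCP_ACK | TCP_PSH)


def tcp_flags_of(frame):
    return frame[14 + 20 + 13]


def ip_checksum_ok(frame):
    return checksum(frame[14:34]) == 0


def tcp_checksum_ok(frame):
    seg = frame[34:]
    pseudo = frame[26:30] + frame[30:34] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(seg))
    return checksum(pseudo + seg) == 0


def pcap_bytes(frames, ts0=1600000000):
    """Classic pcap (magic 0xa1b2c3d4, link type 1 = Ethernet), one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", ts0, i * 1000, len(f), len(f)) + f
    return out


def write_pcap(path, frames):
    with open(path, "wb") as fh:
        fh.write(pcap_bytes(frames))


if __name__ == "__main__":
    # Two single-packet captures: run each through the sensor and compare eve.json.
    write_pcap("midstream_fin.pcap", [midstream_fin_request()])
    write_pcap("midstream_nofin.pcap", [midstream_request()])
```

Run each pcap through Suricata in offline mode (`suricata -r midstream_fin.pcap` with the rule above loaded and `stream.midstream: true` in the config) and compare the two eve.json outputs: with the control capture the flow should be classified as http and the alert should carry the request payload; the report is that the FIN-flagged capture does not get that treatment.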
Updated by Juliana Fajardini Reichow over 2 years ago
- Description updated (diff)
Updated by Juliana Fajardini Reichow over 2 years ago
SV test demonstrating the issue: https://github.com/OISF/suricata-verify/pull/877
Updated by Philippe Antoine about 2 years ago
- Status changed from New to In Review
- Assignee changed from OISF Dev to Philippe Antoine
- Target version deleted (TBD)
Updated by Philippe Antoine about 2 years ago
- Subject changed from 'unseen' http midstream packets to 'unseen' http midstream packets with TCP FIN flag set
Updated by Victor Julien almost 2 years ago
- Target version changed from 7.0.0-rc1 to 7.0.0-rc2
Updated by Victor Julien almost 2 years ago
- Status changed from In Review to Closed