Non-Deterministic Behavior with HTTPS Checksum Verification
We noticed when running Suricata on an HTTPS pcap with a lot of checksum errors that the output is non-deterministic. After running such a pcap multiple times, we check suricata.log in the output directory and find that many of the runs will output:
“More than 1/10th of packets have an invalid checksum, assuming checksum offloading is used”,
“Less than 1/10th of packets have an invalid checksum, assuming checksum offloading is NOT used”, or
“No packets with invalid checksum, assuming checksum offloading is NOT used”.
The logic for this can be found at util-checksum.c:75 in ChecksumAutoModeCheck(). On each run, the value for ‘iface_fail’ varies by quite a bit. The value can be anywhere from 30 to 300.
This affects a feature branch that we are working on. We could just use the “-k none” flag to specify no checksum verification and in turn make the output deterministic, but we figured it’s an interesting issue to be solved.
We tested on master, but this also appears in master-6.0.x.
We run with no changes to any configuration scripts. Install with no additions to autogen, configure, or make. Running on Ubuntu 22.04.
Execute with: src/suricata --set classification-files=etc/classification.config --set reference-config-file=etc/reference.config --init-errors-fatal -r ~/input.pcap -c suricata.yaml --disable-detection -l ~/suricata-output/
Running this several times and checking suricata.log will show differing outputs for each run, despite the same traffic being evaluated. We have provided the pcap file as well as an example of the output after running the above several times.
Can be found in an attachment
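To quantify the run-to-run variation described in this report, the following added example (not part of the original report or of Suricata) tallies which of the three quoted verdicts each run's suricata.log contains. The function names and the sample log lines are constructed for illustration; only the message text is taken from the report.

```python
import sys
from collections import Counter

# Verdict messages exactly as quoted in the report; labels are this example's own.
VERDICTS = {
    "offloading-assumed": "More than 1/10th of packets have an invalid checksum",
    "some-invalid": "Less than 1/10th of packets have an invalid checksum",
    "none-invalid": "No packets with invalid checksum",
}

def classify_run(log_text):
    """Return the label of the first auto-mode verdict in one run's log, or None."""
    hits = [(log_text.find(msg), label) for label, msg in VERDICTS.items()
            if msg in log_text]
    return min(hits)[1] if hits else None

def summarize(logs):
    """Tally verdicts over several runs; deterministic means exactly one distinct verdict."""
    counts = Counter(classify_run(text) for text in logs)
    return counts, len(counts) == 1

# Constructed sample logs standing in for three runs over the same pcap.
# The prefix and trailing counters are made up; real log lines may differ.
SAMPLE_RUNS = [
    "<Info> -- More than 1/10th of packets have an invalid checksum, "
    "assuming checksum offloading is used (301/1000)\n",
    "<Info> -- Less than 1/10th of packets have an invalid checksum, "
    "assuming checksum offloading is NOT used (32/1000)\n",
    "<Info> -- More than 1/10th of packets have an invalid checksum, "
    "assuming checksum offloading is used (287/1000)\n",
]

if __name__ == "__main__":
    # Usage: python3 verdicts.py run1/suricata.log run2/suricata.log ...
    paths = sys.argv[1:]
    if paths:
        logs = []
        for path in paths:
            with open(path, errors="replace") as fh:
                logs.append(fh.read())
    else:
        logs = SAMPLE_RUNS
    counts, deterministic = summarize(logs)
    for label, n in counts.most_common():
        print(f"{n:3d}  {label}")
    print("deterministic" if deterministic else "NON-DETERMINISTIC across runs")
```

Writing each run to its own `-l` directory and passing every resulting suricata.log to the script gives a per-verdict count; with `-k none` none of the three messages would be expected, so every run classifies as `None`.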