Bug #5451

open

Non-Deterministic Behavior with HTTPS Checksum Verification

Added by Kyle Griffin 2 months ago.

Status: New
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty: medium
Label:

Description

Context
We noticed when running Suricata on an HTTPS pcap with a lot of checksum errors that the output is non-deterministic. After running such a pcap multiple times, we check suricata.log in the output directory and find that many of the runs will output:
“More than 1/10th of packets have an invalid checksum, assuming checksum offloading is used”,
“Less than 1/10th of packets have an invalid checksum, assuming checksum offloading is NOT used”, or “No packets with invalid checksum, assuming checksum offloading is NOT used”.
The logic for this can be found at util-checksum.c:75 in ChecksumAutoModeCheck(). On each run, the value for ‘iface_fail’ varies by quite a bit. The value can be anywhere from 30 to 300.
This affects a feature branch that we are working on. We could just use the “-k none” flag to specify no checksum verification and in turn make the output deterministic, but we figured it’s an interesting issue to be solved.

Affected Versions
We tested on master, but this also appears in master-6.0.x.

Recreation
We run with no changes to any configuration scripts. Install with no additions to autogen, configure, or make. Running on Ubuntu 22.04.
Execute with: src/suricata --set classification-files=etc/classification.config --set reference-config-file=etc/reference.config --init-errors-fatal -r ~/input.pcap -c suricata.yaml --disable-detection -l ~/suricata-output/
Running this several times and checking suricata.log will show differing outputs for each run, despite the same traffic being evaluated. We have provided the pcap file as well as an example of the output after running the above several times.

Build-info
Can be found in an attachment


Files

suricata.log (33.4 KB) - suricata.log from input.pcap - Kyle Griffin, 07/22/2022 03:41 PM
stats.log (42.1 KB) - stats.log from input.pcap - Kyle Griffin, 07/22/2022 03:41 PM
fast.log (0 Bytes) - fast.log from input.pcap - Kyle Griffin, 07/22/2022 03:41 PM
eve.json (289 KB) - eve.json from input.pcap - Kyle Griffin, 07/22/2022 03:41 PM
input.pcap (6.99 MB) - HTTPS pcap file with checksum errors - Kyle Griffin, 07/22/2022 03:42 PM
suricata-build-info.txt (3.75 KB) - "suricata --build-info" output - Kyle Griffin, 07/22/2022 03:45 PM
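
One way to check repeated runs for the behaviour described in this report, as an added example that is not part of the report or of Suricata's code: it classifies each run's suricata.log by the three messages quoted above and models the 1/10th rule to show how an invalid-checksum count that varies between 30 and 300 can flip the verdict. The function names, the constructed log lines and the sample size of 1000 packets are assumptions.

```python
# Message fragments quoted in the report, mapped to short verdict labels.
VERDICTS = {
    "More than 1/10th of packets have an invalid checksum": "offloading-assumed",
    "Less than 1/10th of packets have an invalid checksum": "offloading-not-assumed",
    "No packets with invalid checksum": "no-invalid-checksums",
}

def checksum_verdict(log_text):
    """Return the label of the first auto-mode message in a suricata.log, or None."""
    for line in log_text.splitlines():
        for fragment, label in VERDICTS.items():
            if fragment in line:
                return label
    return None

def compare_runs(logs):
    """logs maps run name -> suricata.log text. Returns (verdicts, is_deterministic)."""
    verdicts = {name: checksum_verdict(text) for name, text in logs.items()}
    return verdicts, len(set(verdicts.values())) <= 1

def modelled_verdict(sampled, failed, ratio=10):
    """Model of the 1/10th rule stated in the messages (not Suricata's own code)."""
    if failed == 0:
        return "no-invalid-checksums"
    if failed * ratio > sampled:
        return "offloading-assumed"
    return "offloading-not-assumed"

# Constructed suricata.log excerpts; the prefix before each message is illustrative.
RUN_LOGS = {
    "run1": "<Info> - More than 1/10th of packets have an invalid checksum, "
            "assuming checksum offloading is used\n",
    "run2": "<Info> - Less than 1/10th of packets have an invalid checksum, "
            "assuming checksum offloading is NOT used\n",
    "run3": "<Info> - More than 1/10th of packets have an invalid checksum, "
            "assuming checksum offloading is used\n",
}

if __name__ == "__main__":
    verdicts, stable = compare_runs(RUN_LOGS)
    for name, verdict in sorted(verdicts.items()):
        print(name, verdict)
    print("deterministic:", stable)
    sampled = 1000  # assumed sample size; the report does not state it
    for failed in (30, 100, 300):  # 30 and 300 are the bounds given in the report
        print(failed, modelled_verdict(sampled, failed))
```

To use it on real output, read each run's suricata.log into the dictionary passed to compare_runs in place of the constructed excerpts.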
