Project

General

Profile

Actions
Copy link

Bug #6087

closed

FTP bounce detection doesn't work for big-endian platforms

Added by Cole Dishington 11 months ago. Updated 10 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Cole Dishington
Target version:
7.0.0-rc2
Affected Versions:
7.0.0-rc1
Effort:
Difficulty:
low
Label:

Description

FTP bounce detection has false positives and false negatives on platforms where host byte order is the same as network byte order. An example of this behavior can be triggered with the traffic attached pcap, which is also used in the suricata-verify test. The traffic contains the following:
  • A valid active FTP control transaction setting up the data port.
  • A active FTP control transaction setting up an FTP bounce attack.
    On big-endian platforms both flows will be detected as an FTP bounce attack. I tested this on x86_64 and mips64 platforms.

Files

test.pcap (2.63 KB) test.pcap Cole Dishington, 05/25/2023 03:57 AM

Subtasks 1 (0 open1 closed)

Bug #6174: FTP bounce detection doesn't work for big-endian platforms (6.0.x backport)ClosedPhilippe AntoineActions
Actions
Copy link
 #1

Updated by Victor Julien 11 months ago

  • Status changed from New to In Review
Actions
Copy link
 #2

Updated by Victor Julien 11 months ago

  • Priority changed from Normal to Low
Actions
Copy link
 #3

Updated by Victor Julien 11 months ago

  • Label deleted (Needs Suricata-Verify test)
Actions
Copy link
 #4

Updated by Victor Julien 11 months ago

  • Status changed from In Review to Resolved
  • Priority changed from Low to Normal
  • Label Needs backport to 6.0 added
Actions
Copy link
 #5

Updated by Shivani Bhardwaj 10 months ago

  • Label deleted (C, Needs backport to 6.0)
Actions
Copy link
 #6

Updated by Shivani Bhardwaj 10 months ago

  • Subtask #6174 added
Actions
Copy link
 #7

Updated by Victor Julien 10 months ago

  • Status changed from Resolved to Closed
Actions
Copy link

Also available in: Atom PDF