Security #6299: mqtt pcap with anomalies takes too long to process because of app-layer-event detection - Suricata - Open Information Security Foundation

Custom queries

8.0.0 Stories
Good First Issues
OISF community

Actions

Copy link

Security #6299

closed

mqtt pcap with anomalies takes too long to process because of app-layer-event detection

Added by Philippe Antoine about 1 year ago. Updated 9 months ago.

Status:

Closed

Priority:

Normal

Assignee:

Philippe Antoine

Target version:

8.0.0-beta1

Affected Versions:

Label:

CVE:

Git IDs:

9240ae250cc369306803740279df2ab3eca6b54a
5bb8800588e7b4a09e1770f049cd88be71e2d30b
2fb50598f23b112f14ec15330e11c40b74caa35f
89936b6530690c6d03869b2ad8b82f9f84776f94

Severity:

CRITICAL

Disclosure Date:

12/25/2023

Description

Cf time ./src/suricata -r .lol.pcap -c suricata.yaml -S rules/mqtt-events.rules -l log -k none

Analysis :
- About 1000 MQTT transactions are created and not completed from client to server (with an anomaly unintroduced message)
- Server sends many packets with a 2 bytes of payload
- Client finally ACKS these packets, which create many transactions, with anomalies, and also triggering the MQTT transactions flush mechanism

Some possible solutions ?
- Decreasing yaml mqtt.max-tx to 64 decreases the time from one minute to 6 seconds
- DetectRunTx should not inspect the transactions that have not been modified by the current packet

Victor, thoughts about this ?

Files

Download all files

lol.pcap (1.43 MB) lol.pcap		Philippe Antoine, 09/07/2023 08:10 AM
httpslow.pcap (1.35 MB) httpslow.pcap		Philippe Antoine, 09/18/2023 11:26 AM

Subtasks 1 (0 open — 1 closed)

Security #6539: mqtt pcap with anomalies takes too long to process (7.0.x backport)

Closed

Philippe Antoine

Actions

Related issues 3 (0 open — 3 closed)

Related to Suricata - Security #5921: http1: configurable limit for maximum number of live transactions per flow	Closed	Philippe Antoine	Actions
Related to Suricata - Optimization #4749: app-layer: track changed txs for detect and logging	Closed		Actions
Related to Suricata - Optimization #6728: detect: prefilter for events (decode, stream, app-layer, etc...)	Closed	Philippe Antoine	Actions

Issue # Delay: days Cancel

History
Notes
Property changes

Actions

Copy link

Updated by Philippe Antoine about 1 year ago

Could keyword app-layer-event support prefilter ?

Actions

Copy link

Updated by Philippe Antoine about 1 year ago

Status changed from New to In Review
Target version changed from 7.0.2 to 7.0.1

https://github.com/OISF/suricata/pull/9456 fixes the main case

Actions

Copy link

Updated by Philippe Antoine about 1 year ago

Found by QuadFuzz for reference

Actions

Copy link

Updated by Victor Julien about 1 year ago

Assignee changed from Victor Julien to Philippe Antoine

Actions

Copy link

Updated by Victor Julien about 1 year ago

Target version changed from 7.0.1 to 7.0.2

Actions

Copy link

Updated by Philippe Antoine about 1 year ago

Looks like https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62416 is another variant found by oss-fuzz,
No MQTT, but HTTP, still using app-layer-event. keyword in signatures and spending much time qsort in DetectRunTx

Actions

Copy link

Updated by Philippe Antoine about 1 year ago

Related to Security #5921: http1: configurable limit for maximum number of live transactions per flow added

Actions

Copy link

Updated by Philippe Antoine about 1 year ago

So, diagnostic is
- create and make live many transaction for one flow (there is no limit for HTTP1 per #5921)
- use multiple rules with app-layer-event keyword (may work with others) but there is no pre filtering beyond the app-layer protocol

So, for each packet, we run DetectRunTx which runs for each transaction
As there is no prefilter, we merge 'state' rules from the regular prefilter
Then, we merge stored state into results, which is a duplicate of the signatures with the flags set (pointer set integer 0)

Problems :
- no limit or too big for the number of transaction per live flow
- we use qsort instead of merging two sorted lists when we merge 'state' rules from the regular prefilter (when quicksort may be at its quadratic worst-case implementation as the list is about already sorted)
- we store a state with flags set to 0 for these app-layer events, leading to duplicate signatures`

@Victor Julien I wonder what you think about this

Actions

Copy link

Updated by Philippe Antoine about 1 year ago

File httpslow.pcap httpslow.pcap added

oss-fuzz reproducer with time ./src/suricata -r httpslow.pcap -c suricata.yaml -k none --set runmode=single -S rules/http-events.rules

Actions

Copy link

#10

Updated by Philippe Antoine about 1 year ago

Summing up the subtasks :
- merge sorted lists instead of using qsort
- do not store state with flags set to 0
- do not run detection if nothing has been updated (need to investigate the QA diff for SMTP halved transactions)
- MQTT should only raise event UnintroducedMessage once per flow, and maybe not if it was picked up midstream
- MQTT should reuse an exiting transaction for this event instead of creating a new empty one just for this purpose
- limit the number of live HTTP1 transactions tracked in #5921

Actions

Copy link

#11

Updated by Victor Julien about 1 year ago

Target version changed from 7.0.2 to 7.0.3

Actions

Copy link

#12

Updated by Philippe Antoine about 1 year ago

Related to Optimization #4749: app-layer: track changed txs for detect and logging added

Actions

Copy link

#13

Updated by Victor Julien about 1 year ago

Target version changed from 7.0.3 to 8.0.0-beta1

Actions

Copy link

#14

Updated by Victor Julien about 1 year ago

Label Needs backport to 7.0 added

Actions

Copy link

#15

Updated by OISF Ticketbot about 1 year ago

Subtask #6539 added

Actions

Copy link

#16

Updated by OISF Ticketbot about 1 year ago

Label deleted (~~Needs backport to 7.0~~)

Actions

Copy link

#17

Updated by Philippe Antoine 11 months ago

Disclosure Date set to 12/25/2023

Actions

Copy link

#18

Updated by Philippe Antoine 11 months ago

Subject changed from mqtt pcap with anomalies takes too long to process to mqtt pcap with anomalies takes too long to process because of app-layer-event detection

Actions

Copy link

#19

Updated by Victor Julien 11 months ago

Severity changed from MODERATE to CRITICAL

Severe slowdown, so CRITICAL.

Actions

Copy link

#21

Updated by Philippe Antoine 10 months ago

After the merge of https://github.com/OISF/suricata/pull/10160, I wonder if there is one more subticket to do :

Is there a way that app-layer-event keyword is evaluated only once per transaction ? And not 50 times if there are 50 rules for 50 different app-layer events...
I wonder especially in the simple case when there is no event. Could we have a prefilter-ish mechanism saying that none of these signatures will match on the transaction in its current state ?

Actions

Copy link

#22