Project

General

Profile

Actions

Security #6866

closed

eve: excessive ssh long banner logging

Added by Victor Julien 9 months ago. Updated 9 months ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Label:
Git IDs:
Severity:
HIGH
Disclosure Date:
02/19/2024

Description

Found by oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64345&q=label%3AProj-suricata&can=2

Fuzz target triggers the following rule
alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED packet out of window"; stream-event:est_packet_out_of_window; classtype:protocol-command-decode; sid:2210020; rev:2;)
on many packets leading to most time spent in jsonbuild set_string_from_bytes (doing escaping on binary buffer) for dummy overlong ssh software version


Files

sshlong.pcap (552 KB) sshlong.pcap Philippe Antoine, 02/12/2024 12:05 PM

Subtasks 2 (0 open2 closed)

Security #6867: eve: excessive ssh long banner logging (6.0.x backport)ClosedPhilippe AntoineActions
Security #6868: eve: excessive ssh long banner logging (7.0.x backport)ClosedPhilippe AntoineActions
Actions #2

Updated by OISF Ticketbot 9 months ago

  • Subtask #6867 added
Actions #3

Updated by OISF Ticketbot 9 months ago

  • Label deleted (Needs backport to 6.0)
Actions #4

Updated by OISF Ticketbot 9 months ago

  • Subtask #6868 added
Actions #5

Updated by OISF Ticketbot 9 months ago

  • Label deleted (Needs backport to 7.0)
Actions #6

Updated by Philippe Antoine 9 months ago

Why is this marked as resolved ?

Actions #7

Updated by Victor Julien 9 months ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF