Actions
Bug #7019
closedsnmp: probing parser returns ALPROTO_FAILED instead of ALPROTO_UNKNOWN if slice.len() < 4
Affected Versions:
Effort:
Difficulty:
Label:
Beginner, Good First Issue, Needs Suricata-Verify test, Protocol, Rust
Description
Found with https://github.com/OISF/suricata/pull/11062
This would allow protocol detection evasion on TCP by splitting the PDU into a first small slice and the rest once the first packet is packed
There may be other protocols to check.
Updated by Philippe Antoine about 1 year ago
- Subject changed from snmp: robin parser returns ALPROTO_FAILED instead of ALPROTO_UNKNOWN if slice.len() < 4 to snmp: probing parser returns ALPROTO_FAILED instead of ALPROTO_UNKNOWN if slice.len() < 4
Updated by Philippe Antoine about 1 year ago
- Label Beginner, Good First Issue, Needs Suricata-Verify test, Protocol, Rust added
Easy fix, hard thing is to craft a pcap for testing
Updated by Philippe Antoine 11 months ago
I think this one can be postponed after 8
Updated by Victor Julien 3 months ago
- Target version changed from 8.0.0-beta1 to 8.0.0-rc1
Updated by Philippe Antoine 8 days ago
- Status changed from New to In Review
- Assignee changed from OISF Dev to Philippe Antoine
Updated by Philippe Antoine 7 days ago
- Status changed from In Review to Resolved
- Label Needs backport to 7.0 added
Actions