Bug #7467
closeddetect: checksum detection broken by stream.checksum-validation
Description
Taken from https://forum.suricata.io/t/custom-content-detection/4784/5
As mentioned in the issue, when stream.checksum-validation is set to false, a packet will get the PKT_IGNORE_CHECKSUM flag, bypassing all checksum related rules in detect-csum.c.
We've come across routers stripping TCP options from SYN packets without them properly updating the checksum afterwards. We would like to detect this behavior, while still having these incorrect packets progress to the tcp-reassembler. It doesn't seem like this is currently possible.
Files
VJ Updated by Victor Julien over 1 year ago
- Subject changed from Checksum detection to detect: checksum detection broken by stream.checksum-validation
- Target version changed from TBD to 8.0.0-beta1
- Label Needs backport to 7.0 added
I agree that this shouldn't happen.
Are you able to craft a SV test for this issue?
OT Updated by OISF Ticketbot over 1 year ago
- Subtask #7468 added
OT Updated by OISF Ticketbot over 1 year ago
- Label deleted (
Needs backport to 7.0)
HV Updated by Hans Vermeer over 1 year ago
- File detect-chksum.tar.gz detect-chksum.tar.gz added
I've attached a test I created with stream.checksum-validation=yes then switching to stream.checksum-validation=no fails the test as attached, is this enough to confirm the bug?
JL Updated by Jeff Lucovsky about 1 year ago
- Assignee changed from OISF Dev to Jeff Lucovsky
JL Updated by Jeff Lucovsky about 1 year ago
- Status changed from New to In Review
JL Updated by Jeff Lucovsky about 1 year ago
- Status changed from In Review to Resolved
JI Updated by Jason Ish about 1 year ago
- Status changed from Resolved to Closed