Bug #7467
opendetect: checksum detection broken by stream.checksum-validation
Description
Taken from https://forum.suricata.io/t/custom-content-detection/4784/5
As mentioned in the issue, when stream.checksum-validation is set to false, a packet will get the PKT_IGNORE_CHECKSUM flag, bypassing all checksum related rules in detect-csum.c.
We've come across routers stripping TCP options from SYN packets without them properly updating the checksum afterwards. We would like to detect this behavior, while still having these incorrect packets progress to the tcp-reassembler. It doesn't seem like this is currently possible.
Files
Updated by Victor Julien about 12 hours ago
- Subject changed from Checksum detection to detect: checksum detection broken by stream.checksum-validation
- Target version changed from TBD to 8.0.0-beta1
- Label Needs backport to 7.0 added
I agree that this shouldn't happen.
Are you able to craft a SV test for this issue?
Updated by OISF Ticketbot about 12 hours ago
- Label deleted (
Needs backport to 7.0)
Updated by Hans Vermeer about 11 hours ago
- File detect-chksum.tar.gz detect-chksum.tar.gz added
I've attached a test I created with stream.checksum-validation=yes then switching to stream.checksum-validation=no fails the test as attached, is this enough to confirm the bug?