Bug #7467
closeddetect: checksum detection broken by stream.checksum-validation
Description
Taken from https://forum.suricata.io/t/custom-content-detection/4784/5
As mentioned in the issue, when stream.checksum-validation is set to false, a packet will get the PKT_IGNORE_CHECKSUM flag, bypassing all checksum related rules in detect-csum.c.
We've come across routers stripping TCP options from SYN packets without them properly updating the checksum afterwards. We would like to detect this behavior, while still having these incorrect packets progress to the tcp-reassembler. It doesn't seem like this is currently possible.
Files
Updated by Victor Julien 2 months ago
- Subject changed from Checksum detection to detect: checksum detection broken by stream.checksum-validation
- Target version changed from TBD to 8.0.0-beta1
- Label Needs backport to 7.0 added
I agree that this shouldn't happen.
Are you able to craft a SV test for this issue?
Updated by Hans Vermeer 2 months ago
- File detect-chksum.tar.gz detect-chksum.tar.gz added
I've attached a test I created with stream.checksum-validation=yes then switching to stream.checksum-validation=no fails the test as attached, is this enough to confirm the bug?
Updated by Jeff Lucovsky about 1 month ago
- Assignee changed from OISF Dev to Jeff Lucovsky
Updated by Jeff Lucovsky about 1 month ago
- Status changed from New to In Review
Updated by Jeff Lucovsky 21 days ago
- Status changed from In Review to Resolved