Bug #7657

open

Suricata is not able to detect the app layer protocol when performing SYN flooding

Added by Angelo Mirabella 8 days ago.

Status: New
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

When performing SYN flooding, followed by an HTTP transaction, Suricata is not able to detect the application layer protocol, leading to a false negative.

Tested in latest master with default configuration.
Attaching signature (test.rule) and 2 pcaps: syn_flood.pcapng and exploit.pcapng.

The first one contains the SYN flooding + HTTP transaction that should trigger the signature (but it does not trigger).
The second one contains only the HTTP transaction and correctly triggers the signature.


Files

test.rule (1.05 KB) test.rule Angelo Mirabella, 04/11/2025 02:48 PM
exploit.pcapng (2.79 KB) exploit.pcapng Angelo Mirabella, 04/11/2025 02:48 PM
syn_flood.pcapng (4.81 KB) syn_flood.pcapng Angelo Mirabella, 04/11/2025 02:48 PM

