Project

General

Profile

Actions

Security #7657

closed

tcp: syn resend with different seq leads to detection bypasss

Added by Angelo Mirabella 6 months ago. Updated 8 days ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Label:
Git IDs:
Severity:
HIGH
Disclosure Date:

Description

When performing SYN flooding, followed by an HTTP transaction, suricata is not able to detect the application layer protocol, leading to a false negative.

Tested in latest master with default configuration.
Attaching signature (test.rule) and 2 pcaps: syn_flood.pcapng and exploit.pcapng.

The first one contains the SYN flooding + HTTP transaction that should trigger the signature (but it does not trigger).
The second one contains only the HTTP transaction and correctly triggers the signature.


Files

test.rule (1.05 KB) test.rule Angelo Mirabella, 04/11/2025 02:48 PM
exploit.pcapng (2.79 KB) exploit.pcapng Angelo Mirabella, 04/11/2025 02:48 PM
syn_flood.pcapng (4.81 KB) syn_flood.pcapng Angelo Mirabella, 04/11/2025 02:48 PM

Subtasks 1 (0 open1 closed)

Security #7852: tcp: syn resend with different seq leads to detection bypasss (7.0.x backport)ClosedVictor JulienActions
Actions #1

Updated by Angelo Mirabella 3 months ago

Hi, any update on this?

Actions #2

Updated by Victor Julien 3 months ago

  • Subject changed from Suricata is not able to detect the app layer protocol when performing SYN flooding to tcp: syn resend with different seq leads to detection bypasss
  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Victor Julien
  • Target version changed from TBD to 8.0.1
  • Private changed from No to Yes

It looks like the generic session reuse logic doesn't handle syn resends, as it is supposed to be handled by the regular logic at the syn_sent state. However, the logic there to handle resends seems to ignore the sequence number (isn), so it's not leading to a correct matching up of the last syn (pkt 24) and the syn/ack that matches it.

Actions #3

Updated by Jason Ish 3 months ago

I do have a scapy reproducer now, does use TCP DNS, but same issue.

Actions #4

Updated by Philippe Antoine 3 months ago

  • Affected Versions 8.0.0 added
  • Affected Versions deleted (git main)
Actions #5

Updated by Victor Julien about 2 months ago

  • Tracker changed from Bug to Security
  • Severity set to MODERATE
  • Label Needs backport to 7.0 added
Actions #6

Updated by OISF Ticketbot about 2 months ago

  • Subtask #7852 added
Actions #7

Updated by OISF Ticketbot about 2 months ago

  • Label deleted (Needs backport to 7.0)
Actions #8

Updated by Victor Julien about 1 month ago

  • Status changed from Assigned to In Review
Actions #9

Updated by Jason Ish 29 days ago

  • Severity changed from MODERATE to HIGH
Actions #10

Updated by Victor Julien 27 days ago

  • Status changed from In Review to Resolved

https://github.com/OISF/suricata/pull/13817

As part of making this ticket public, the private tests should also be pushed to github.

Actions #11

Updated by Victor Julien 23 days ago

  • Status changed from Resolved to Closed
Actions #12

Updated by Victor Julien 23 days ago

  • CVE set to 2025-59147
Actions #13

Updated by Victor Julien 8 days ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF