Security #7657
closedtcp: syn resend with different seq leads to detection bypasss
Description
When performing SYN flooding, followed by an HTTP transaction, suricata is not able to detect the application layer protocol, leading to a false negative.
Tested in latest master with default configuration.
Attaching signature (test.rule) and 2 pcaps: syn_flood.pcapng and exploit.pcapng.
The first one contains the SYN flooding + HTTP transaction that should trigger the signature (but it does not trigger).
The second one contains only the HTTP transaction and correctly triggers the signature.
Files
Updated by Victor Julien 3 months ago
- Subject changed from Suricata is not able to detect the app layer protocol when performing SYN flooding to tcp: syn resend with different seq leads to detection bypasss
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Victor Julien
- Target version changed from TBD to 8.0.1
- Private changed from No to Yes
It looks like the generic session reuse logic doesn't handle syn resends, as it is supposed to be handled by the regular logic at the syn_sent state. However, the logic there to handle resends seems to ignore the sequence number (isn), so it's not leading to a correct matching up of the last syn (pkt 24) and the syn/ack that matches it.
Updated by Philippe Antoine 3 months ago
- Affected Versions 8.0.0 added
- Affected Versions deleted (
git main)
Updated by Victor Julien about 2 months ago
- Tracker changed from Bug to Security
- Severity set to MODERATE
- Label Needs backport to 7.0 added
Updated by OISF Ticketbot about 2 months ago
- Label deleted (
Needs backport to 7.0)
Updated by Victor Julien about 1 month ago
- Status changed from Assigned to In Review
Updated by Victor Julien 27 days ago
- Status changed from In Review to Resolved
https://github.com/OISF/suricata/pull/13817
As part of making this ticket public, the private tests should also be pushed to github.