Project

General

Profile

Actions
Copy link

Bug #877

closed

Flowbit check with content doesn't match consistently

Added by Francis Trudeau almost 11 years ago. Updated almost 11 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Victor Julien
Target version:
1.4.4
Affected Versions:
Effort:
Difficulty:
Label:

Description

In the following rules:

alert http any any -> any any (msg:"FLOWBIT TEST 0"; content:"POST"; nocase; flowbits:set,testflow; classtype:trojan-activity; sid:303; rev:1;)

alert tcp any any -> any any (msg:"FLOWBIT TEST 1"; content:"|64 70|"; sid:111; rev:1;)

alert tcp any any -> any any (msg:"FLOWBIT TEST 2"; flowbits:isset,testflow; content:"|64|"; sid:222; rev:1;)

alert tcp any any -> any any (msg:"FLOWBIT TEST 3"; flowbits:isset,testflow; content:"|64 70|"; sid:333; rev:1;)

sid 333 does not fire.

Tested with Suricata 1.4.1, 1.4.2, 1.4.3.

Actions
Copy link
 #1

Updated by Anoop Saldanha almost 11 years ago

  • Assignee set to Anoop Saldanha
  • Target version changed from 1.4.3 to 1.4.4
Actions
Copy link
 #2

Updated by Victor Julien almost 11 years ago

Problem appears to be that based on pkt 11 we generate a stream end pseudo packet, that forces raw reassembled buffer inspection into the toserver direction first. At this point the flowbit isn't set yet so 333 doesn't match.

Actions
Copy link
 #3

Updated by Victor Julien almost 11 years ago

I think it is caused by pseudo packet injection that happens too early, probably because at the time we didn't have the flow timeout / flow shutdown pseudo packet injection yet. Thinking we should maybe only inject pseudo pkts when moving to TCP state CLOSED (and then in both directions), and on flow timeouts / flow shutdown.

Actions
Copy link
 #4

Updated by Victor Julien almost 11 years ago

It seems it already works this way, except for when we reach FINWAIT2 state, like in the pcap. Also, on CLOSED we obviously only need one pseudo, in the opposite direction from the actual packet. Exactly as it is now. Testing if we can remove the FINWAIT2 pseudo injection.

Actions
Copy link
 #5

Updated by Victor Julien almost 11 years ago

  • Status changed from New to Assigned
  • Assignee changed from Anoop Saldanha to Victor Julien

QA seems happy, pushing this fix.

Actions
Copy link
 #6

Updated by Victor Julien almost 11 years ago

  • Status changed from Assigned to Closed
  • Priority changed from High to Normal
  • % Done changed from 0 to 100

Fixed by:

commit 36f04da4405a75e5f26cca4da95ef60378c7e662
Author: Victor Julien <victor@inliniac.net>
Date:   Thu Jul 18 08:02:08 2013 +0200

    Stream: don't inject stream end pseudo pkt on FinWait2 state. Bug #877.

Actions
Copy link
 #7

Updated by Will Metcalf almost 11 years ago

  • File deleted (sanitized2.pcap)
Actions
Copy link

Also available in: Atom PDF