
Bug #877: Flowbit check with content doesn't match consistently

Added by Francis Trudeau almost 13 years ago. Updated almost 13 years ago.

Status: Closed
Priority: Normal

Description

In the following rules:

alert http any any -> any any (msg:"FLOWBIT TEST 0"; content:"POST"; nocase; flowbits:set,testflow; classtype:trojan-activity; sid:303; rev:1;)

alert tcp any any -> any any (msg:"FLOWBIT TEST 1"; content:"|64 70|"; sid:111; rev:1;)

alert tcp any any -> any any (msg:"FLOWBIT TEST 2"; flowbits:isset,testflow; content:"|64|"; sid:222; rev:1;)

alert tcp any any -> any any (msg:"FLOWBIT TEST 3"; flowbits:isset,testflow; content:"|64 70|"; sid:333; rev:1;)

sid 333 does not fire.

Tested with Suricata 1.4.1, 1.4.2, 1.4.3.

#1 Updated by Anoop Saldanha almost 13 years ago

  • Assignee set to Anoop Saldanha
  • Target version changed from 1.4.3 to 1.4.4

#2 Updated by Victor Julien almost 13 years ago

Problem appears to be that based on pkt 11 we generate a stream end pseudo packet, that forces raw reassembled buffer inspection into the toserver direction first. At this point the flowbit isn't set yet so 333 doesn't match.

#3 Updated by Victor Julien almost 13 years ago

I think it is caused by pseudo packet injection that happens too early, probably because at the time we didn't have the flow timeout / flow shutdown pseudo packet injection yet. Thinking we should maybe only inject pseudo pkts when moving to TCP state CLOSED (and then in both directions), and on flow timeouts / flow shutdown.

#4 Updated by Victor Julien almost 13 years ago

It seems it already works this way, except for when we reach FINWAIT2 state, like in the pcap. Also, on CLOSED we obviously only need one pseudo, in the opposite direction from the actual packet. Exactly as it is now. Testing if we can remove the FINWAIT2 pseudo injection.
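The ordering problem described in #2 and the fix reasoned out in #4 can be replayed with a small model. The script below is an added example for this ticket, not Suricata code: it encodes the four rules from the report as data, runs them over a constructed two-sided flow (request bytes containing "dp", response containing "d"), and compares the faulty order (a stream-end pseudo packet on FINWAIT2 inspects the toserver reassembled buffer before the HTTP request has set testflow) with the fixed order (one pseudo packet on CLOSED, after the bit is set). The Unit/Rule structures and the setter-before-checker sort are simplifications of the engine's behaviour, not its real data structures.

```python
"""Toy model of flowbit evaluation order (added example, not Suricata code).

Replays the four rules from Bug #877 over a constructed flow in two
inspection orders and shows why pseudo packet timing decides whether
sid 333 fires.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Unit:
    """One inspection unit: a packet, or a pseudo packet carrying a buffer.

    raw  - reassembled stream bytes visible to plain tcp content rules
    http - HTTP request bytes visible to http rules (None when the
           app-layer has not processed this data yet)
    """
    name: str
    direction: str               # "toserver" or "toclient"
    raw: bytes = b""
    http: Optional[bytes] = None


@dataclass
class Rule:
    sid: int
    proto: str                   # "http" or "tcp"
    content: bytes
    nocase: bool = False
    sets: Optional[str] = None   # flowbits:set,<name>
    isset: Optional[str] = None  # flowbits:isset,<name>

    def matches_content(self, unit: Unit) -> bool:
        buf = unit.http if self.proto == "http" else unit.raw
        if buf is None:
            return False
        if self.nocase:
            return self.content.lower() in buf.lower()
        return self.content in buf


# The rules from the report, as data (|64 70| is "dp", |64| is "d").
RULES = [
    Rule(303, "http", b"POST", nocase=True, sets="testflow"),
    Rule(111, "tcp", b"\x64\x70"),
    Rule(222, "tcp", b"\x64", isset="testflow"),
    Rule(333, "tcp", b"\x64\x70", isset="testflow"),
]


def evaluate(rules: List[Rule], units: List[Unit]) -> List[Tuple[str, int]]:
    """Inspect units in order; return (unit name, sid) for every alert.

    Flowbit state belongs to the flow, so it persists across units. Within
    one unit, rules that set a flowbit run before rules that test it (a
    simplified version of the engine's setter-before-checker ordering).
    """
    flowbits = set()
    alerts = []
    ordered = sorted(rules, key=lambda r: r.isset is not None)
    for unit in units:
        for rule in ordered:
            if rule.isset is not None and rule.isset not in flowbits:
                continue
            if not rule.matches_content(unit):
                continue
            alerts.append((unit.name, rule.sid))
            if rule.sets is not None:
                flowbits.add(rule.sets)
    return alerts


# Constructed traffic (not from the ticket's pcap): a toserver request whose
# bytes contain "dp", and a toclient response containing "d".
REQUEST = b"POST /x HTTP/1.1\r\nHost: example.test\r\n\r\ndp"
RESPONSE = b"HTTP/1.1 200 OK\r\n\r\nd"

# Faulty order (before the fix): the FINWAIT2 pseudo packet inspects the
# toserver reassembled buffer before the app-layer has seen the request,
# so testflow is not set when sid 333 is evaluated.
FAULTY_ORDER = [
    Unit("pseudo@FINWAIT2 toserver raw", "toserver", raw=REQUEST),
    Unit("http request app-layer", "toserver", http=REQUEST),
    Unit("response", "toclient", raw=RESPONSE),
]

# Fixed order: the app-layer handles the request first; the single pseudo
# packet is injected on CLOSED, when the bit is already set.
FIXED_ORDER = [
    Unit("http request app-layer", "toserver", http=REQUEST),
    Unit("response", "toclient", raw=RESPONSE),
    Unit("pseudo@CLOSED toserver raw", "toserver", raw=REQUEST),
]


def fired_sids(alerts: List[Tuple[str, int]]) -> set:
    """Set of sids that alerted at least once."""
    return {sid for _, sid in alerts}


if __name__ == "__main__":
    for label, order in (("faulty", FAULTY_ORDER), ("fixed", FIXED_ORDER)):
        alerts = evaluate(RULES, order)
        print(label, sorted(fired_sids(alerts)), alerts)
```

In the faulty order sids 111, 303 and 222 alert but 333 never does, matching the report; in the fixed order the toserver buffer is inspected once the bit exists and 333 alerts as well. The model also shows why 222 still fired in the faulty case: its content is satisfied by a later toclient unit, after the bit was set.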

#5 Updated by Victor Julien almost 13 years ago

  • Status changed from New to Assigned
  • Assignee changed from Anoop Saldanha to Victor Julien

QA seems happy, pushing this fix.

#6 Updated by Victor Julien almost 13 years ago

  • Status changed from Assigned to Closed
  • Priority changed from High to Normal
  • % Done changed from 0 to 100

Fixed by:

commit 36f04da4405a75e5f26cca4da95ef60378c7e662
Author: Victor Julien <victor@inliniac.net>
Date:   Thu Jul 18 08:02:08 2013 +0200

    Stream: don't inject stream end pseudo pkt on FinWait2 state. Bug #877.

#7 Updated by Will Metcalf almost 13 years ago

  • File deleted (sanitized2.pcap)