Bug #877
closed
Flowbit check with content doesn't match consistently
Added by Francis Trudeau over 11 years ago.
Updated over 11 years ago.
Description
In the following rules:
alert http any any -> any any (msg:"FLOWBIT TEST 0"; content:"POST"; nocase; flowbits:set,testflow; classtype:trojan-activity; sid:303; rev:1;)
alert tcp any any -> any any (msg:"FLOWBIT TEST 1"; content:"|64 70|"; sid:111; rev:1;)
alert tcp any any -> any any (msg:"FLOWBIT TEST 2"; flowbits:isset,testflow; content:"|64|"; sid:222; rev:1;)
alert tcp any any -> any any (msg:"FLOWBIT TEST 3"; flowbits:isset,testflow; content:"|64 70|"; sid:333; rev:1;)
sid 333 does not fire.
Tested with Suricata 1.4.1, 1.4.2, 1.4.3.
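An added check, not code from this report or from Suricata, that parses the rules quoted above and maps each flowbit to the rules that set and check it. It flags a bit that is checked but never set, and a bit set by a rule on one protocol layer (http) but checked by rules on another (tcp), which is the shape the analysis in this report turns on. The 'never-set' and 'cross-layer' labels are names chosen here.

```python
import re
# Constructed sample input: the four rules quoted in this report.
RULES = '''
alert http any any -> any any (msg:"FLOWBIT TEST 0"; content:"POST"; nocase; flowbits:set,testflow; classtype:trojan-activity; sid:303; rev:1;)
alert tcp any any -> any any (msg:"FLOWBIT TEST 1"; content:"|64 70|"; sid:111; rev:1;)
alert tcp any any -> any any (msg:"FLOWBIT TEST 2"; flowbits:isset,testflow; content:"|64|"; sid:222; rev:1;)
alert tcp any any -> any any (msg:"FLOWBIT TEST 3"; flowbits:isset,testflow; content:"|64 70|"; sid:333; rev:1;)
'''

# Header is "action proto src sport -> dst dport (options)".
RULE_RE = re.compile(r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+.*?\((?P<opts>.*)\)\s*$')

def parse_rule(line):
    """Return {'proto', 'sid', 'flowbits': [(op, name), ...]} or None.
    Simplified: options split on ';' (no escaped ';' inside content)."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    sid, flowbits = None, []
    for opt in m.group('opts').split(';'):
        key, _, val = opt.strip().partition(':')
        if key == 'sid':
            sid = int(val)
        elif key == 'flowbits':
            op, _, name = val.partition(',')
            if name:  # skip forms without a bit name, e.g. flowbits:noalert
                flowbits.append((op.strip(), name.strip()))
    return {'proto': m.group('proto'), 'sid': sid, 'flowbits': flowbits}

def flowbit_findings(rule_text):
    """Flag a bit checked but never set ('never-set'), and a bit whose checking
    rule sits on a different protocol layer than every setter ('cross-layer'):
    the http-set / tcp-check shape where layer inspection order decides the match."""
    rules = [r for r in map(parse_rule, rule_text.splitlines()) if r]
    setters, consumers = {}, {}
    for r in rules:
        for op, name in r['flowbits']:
            if op in ('set', 'toggle'):
                setters.setdefault(name, []).append(r)
            elif op in ('isset', 'isnotset'):
                consumers.setdefault(name, []).append(r)
    findings = []
    for name, users in consumers.items():
        if name not in setters:
            findings.append(('never-set', name, sorted(u['sid'] for u in users)))
            continue
        set_protos = {s['proto'] for s in setters[name]}
        for u in users:
            if u['proto'] not in set_protos:
                findings.append(('cross-layer', name, [u['sid']]))
    return findings
```

Running flowbit_findings(RULES) reports sids 222 and 333 as cross-layer consumers of testflow, which is set only by the http rule 303.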
- Assignee set to Anoop Saldanha
- Target version changed from 1.4.3 to 1.4.4
Problem appears to be that based on pkt 11 we generate a stream end pseudo packet, that forces raw reassembled buffer inspection into the toserver direction first. At this point the flowbit isn't set yet so 333 doesn't match.
I think it is caused by pseudo packet injection that happens too early, probably because at the time we didn't have the flow timeout / flow shutdown pseudo packet injection yet. Thinking we should maybe only inject pseudo pkts when moving to TCP state CLOSED (and then in both directions), and on flow timeouts / flow shutdown.
It seems it already works this way, except for when we reach FINWAIT2 state, like in the pcap. Also, on CLOSED we obviously only need one pseudo, in the opposite direction from the actual packet. Exactly as it is now. Testing if we can remove the FINWAIT2 pseudo injection.
- Status changed from New to Assigned
- Assignee changed from Anoop Saldanha to Victor Julien
QA seems happy, pushing this fix.
- Status changed from Assigned to Closed
- Priority changed from High to Normal
- % Done changed from 0 to 100
Fixed by:
commit 36f04da4405a75e5f26cca4da95ef60378c7e662
Author: Victor Julien <victor@inliniac.net>
Date: Thu Jul 18 08:02:08 2013 +0200
Stream: don't inject stream end pseudo pkt on FinWait2 state. Bug #877.
- File deleted (sanitized2.pcap)