Security #2501: Suricata stops inspecting TCP stream if a TCP RST was met - Suricata - Open Information Security Foundation

Actions

Security #2501

closed

Suricata stops inspecting TCP stream if a TCP RST was met

Added by ajaxtpm ajaxtpm over 6 years ago. Updated about 4 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Target version:

Affected Versions:

Label:

CVE:

Git IDs:

843d0b7a10bb45627f94764a6c5d468a24143345

Severity:

Disclosure Date:

Description

Windows clients are able to process TCP data even if they arrived shortly after TCP RST packet so the current behaviour is logical but open door for IDS bypasses
PoC pcap attached.
The following signatures should alert on HTTP request and answer:

alert tcp any any -> any any (msg: "TCP BEEN NO_STREAM RULE"; flow: no_stream; content: "been"; sid: 1; )
alert tcp any any -> any any (msg: "TCP BEEN ONLY_STREAM RULE"; flow: only_stream; content: "been"; sid: 2; )
alert http any any -> any any (msg: "HTTP BEEN RULE"; content: "been"; sid: 3; )
alert tcp any any -> any any (msg: "TCP GET NO_STREAM RULE"; flow: no_stream; content: "GET"; sid: 4; )
alert tcp any any -> any any (msg: "TCP GET ONLY_STREAM RULE"; flow: only_stream; content: "GET"; sid: 5; )
alert http any any -> any any (msg: "HTTP GET RULE"; content: "GET"; sid: 6; )

but only sid 1 and 4 alerts.

Files

rst_server.pcap (1.32 KB) rst_server.pcap

PoC pcap

ajaxtpm ajaxtpm, 05/03/2018 02:20 PM

Actions

#1

Updated by Andreas Herz over 6 years ago

Assignee set to OISF Dev
Private changed from No to Yes

Setting it to private due to bypass issue unless Victor thinks it's not that bad :)

Thanks for reporting with a .pcap attached

Actions

#2

Updated by ajaxtpm ajaxtpm over 6 years ago

Hi Andreas,

Any news on that?

Actions

#3

Updated by Victor Julien over 6 years ago

Status changed from New to Assigned
Assignee changed from OISF Dev to Victor Julien

Actions

#4

Updated by Peter Manev over 6 years ago

Out of curiosity - from your tests/observations - is that with any windows client OS or specific to a windows OS version?

Actions

#5

Updated by ajaxtpm ajaxtpm over 6 years ago

Peter Manev wrote:

Out of curiosity - from your tests/observations - is that with any windows client OS or specific to a windows OS version?

Hi Peter,

Windows 7/8/10 behave the same. I think it works with any windows OS

Actions

#6

Updated by ajaxtpm ajaxtpm over 6 years ago

Hi guys, do you have any updates on it ?

Actions

#7

Updated by Andreas Herz over 6 years ago

We're still working on that, sorry :/

Actions

#8

Updated by Victor Julien over 6 years ago

Target version changed from 4.1beta1 to 4.1rc1

Actions

#9

Updated by Victor Julien over 6 years ago

Status changed from Assigned to Closed
Private changed from Yes to No

https://github.com/OISF/suricata/pull/3428/commits/843d0b7a10bb45627f94764a6c5d468a24143345

Actions

#10

Updated by Victor Julien about 4 years ago

Tracker changed from Bug to Security
CVE set to 2018-14568
Git IDs updated (diff)

Actions

Also available in: Atom PDF