Bug #2511
Suricata gzip unpacker bypass
Status: Closed
Description
Suricata gzip unpacker may be easily bypassed by nested gzip/identity compressions.
I know there is an option "response-body-decompress-layer-limit" set to 2 by default, but it is incredibly easy to bypass. Snort IDS decompresses all layers (sorry for the comparison).
Example:
HTTP/1.1 200 OK
Content-Encoding: identity, identity, gzip, identity, gzip, gzip
Signatures:
alert http any any -> any any (msg: "RESPONSE UNGZIPPED"; flow: established, from_server; content: "Hi"; http_server_body; nocase; sid: 1; rev: 1; )
alert http any any -> any any (msg: "FROM_SERVER |1F 8B|"; flow: established, from_server; content: "|1F 8B|"; http_server_body; nocase; sid: 2; rev: 1; )
Pcap attached
Expectation: alert sid 1
Reality: alert sid 2
Updated by Andreas Herz over 6 years ago
- Assignee set to OISF Dev
- Target version set to 70
- Private changed from No to Yes
- Effort set to medium
- Difficulty set to medium
Thanks for reporting, we will look into that.
Updated by Victor Julien over 6 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Victor Julien
- Target version changed from 70 to 4.1rc1
I don't think an unlimited setting makes sense, as it would open up a big DoS vector. Normal traffic should not have more than one level of compression.
Currently libhtp raises a warning when the compression goes over the limit. This is not translated into a Suricata app-layer-event however, so that is what I'm going to do to address this ticket.
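The following is an added illustration of the behaviour in the report and of the fix described in the comment above; it is not Suricata or libhtp code. It applies the Content-Encoding chain from the description in reverse, stops at a layer limit of 2 (the default the reporter mentions), and, instead of silently stopping, returns an event so the layer-limit condition is visible to a rule writer. The event name and the helper functions are made up for this example, and the sample body is constructed inline.

```python
import gzip

# Default Suricata setting named in the report: response-body-decompress-layer-limit = 2
DEFAULT_LAYER_LIMIT = 2
GZIP_MAGIC = b"\x1f\x8b"
# Hypothetical event name; the real app-layer-event keyword is not given on the page
LAYER_LIMIT_EVENT = "http.compression_layer_limit_exceeded"


def parse_content_encoding(header_value):
    """Split 'identity, identity, gzip, ...' into codings, in the order the server applied them."""
    return [c.strip().lower() for c in header_value.split(",") if c.strip()]


def build_sample_body(plaintext, header_value):
    """Constructed test input: apply the listed codings left to right, as a server would."""
    data = plaintext
    for coding in parse_content_encoding(header_value):
        if coding == "gzip":
            data = gzip.compress(data, mtime=0)  # mtime=0 keeps the bytes deterministic
    return data


def decode_body(body, header_value, layer_limit=DEFAULT_LAYER_LIMIT):
    """Undo codings last-applied-first. 'identity' is free; each gzip layer counts against the limit.

    Returns (body_as_inspected, events). If the limit is hit, decoding stops and an event is
    recorded, which is the behaviour the ticket was closed with (warning -> app-layer-event).
    """
    events = []
    layers = 0
    for coding in reversed(parse_content_encoding(header_value)):
        if coding == "identity":
            continue
        if coding != "gzip":
            events.append(f"http.unsupported_encoding:{coding}")
            break
        if layers >= layer_limit:
            events.append(LAYER_LIMIT_EVENT)
            break
        body = gzip.decompress(body)
        layers += 1
    return body, events


def matching_sids(server_body):
    """Mimic the two rules from the report against the (partially) decoded server body."""
    hits = []
    if b"hi" in server_body.lower():  # sid 1: content:"Hi"; http_server_body; nocase
        hits.append(1)
    if GZIP_MAGIC in server_body:     # sid 2: content:"|1F 8B|"; http_server_body
        hits.append(2)
    return hits
```

With the header from the report, the default limit leaves a gzip stream in the inspected body (sid 2 fires, sid 1 does not) and the event is raised; a limit of 3 exposes the plaintext and sid 1 fires.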
Updated by Victor Julien over 6 years ago
- Status changed from Assigned to Closed