Project

General

Profile

Actions

Bug #3518

closed

Bypass of Payload detection on TCP Teardown

Added by Guillermo Muñoz over 4 years ago. Updated about 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

While configuring Suricata on inline mode with established tcp connections, it is possible to bypass its detection by sending the custom payload before closing the connection on the TCP teardown.
  1. cat /etc/suricata/rules/local.rules
    alert tcp any any -> any any (msg:"WEB ATTACKS /etc/passwd command attempt"; flow:established; content:"/etc/passwd";classtype:web-application-attack;sid:1328;rev:6;)
  1. suricata -c /etc/suricata/suricata.yaml -i eth0

Client Server
SYN SYN,ACK
ACK

FIN,ACK FIN,ACK
ACK, packet with content "/etc/passwd"
ACK RST

I consider this a bug because Suricata triggers the alert on receiving the same content in the same scenario but specifying the rest of the flags. Moreover, SNORT configured with the same settings and scenario triggers an alert.


Files

Screen Shot 2020-03-08 at 18.37.47.png (253 KB) Screen Shot 2020-03-08 at 18.37.47.png Guillermo Muñoz, 03/08/2020 05:39 PM
Screen Shot 2020-03-08 at 18.38.43.png (255 KB) Screen Shot 2020-03-08 at 18.38.43.png Guillermo Muñoz, 03/08/2020 05:39 PM
Screen Shot 2020-03-08 at 18.28.03.png (138 KB) Screen Shot 2020-03-08 at 18.28.03.png Guillermo Muñoz, 03/08/2020 05:39 PM
Screen Shot 2020-03-08 at 18.42.13.png (144 KB) Screen Shot 2020-03-08 at 18.42.13.png Guillermo Muñoz, 03/08/2020 05:44 PM
Screen Shot 2020-03-08 at 18.42.43.png (258 KB) Screen Shot 2020-03-08 at 18.42.43.png Guillermo Muñoz, 03/08/2020 05:44 PM
Screen Shot 2020-03-08 at 18.43.35.png (13.8 KB) Screen Shot 2020-03-08 at 18.43.35.png Guillermo Muñoz, 03/08/2020 05:44 PM
suricata-issue.pcapng (1.1 KB) suricata-issue.pcapng Guillermo Muñoz, 03/08/2020 05:47 PM

Updated by Guillermo Muñoz over 4 years ago

I am attaching the .pcap as well as three more clear screenshots. Please replace the file "Screen Shot 2020-03-08 at 18.28.03.png" with "Screen Shot 2020-03-08 at 18.42.13.png". i also attach a capture of the traffic.

Actions #2

Updated by Guillermo Muñoz over 4 years ago

I have verified that if we send the last ACK of the teardown and we attempt to send the custom payload, suricata is working well and triggering the alert thus confirming the bug exists.

Actions #3

Updated by Victor Julien over 4 years ago

Can you test about the recent version (4.1.7/5.0.2)? We're often fixing issues so please always report against the latest stable version.

Actions #4

Updated by Victor Julien over 4 years ago

  • Status changed from New to Assigned
  • Assignee set to Victor Julien

The pcap is rejected by (somewhat) recent versions of libpcap:

[9397] 20/3/2020 -- 09:22:37 - (source-pcap-file-helper.c:202) <Error> (InitPcapFile) -- [ERRCODE: SC_ERR_FOPEN(44)] - invalid interface capture length 524288, bigger than maximum of 262144

I fixed that up

tshark -F pcap -r suricata-issue.pcapng -w input.pcap

And then the pcap is processed and the alert is generated:

[9534] 20/3/2020 -- 09:24:16 - (tm-threads.c:2010) <Notice> (TmThreadWaitOnThreadInit) -- all 5 packet processing threads, 4 management threads initialized, engine started.
[9535] 20/3/2020 -- 09:24:16 - (source-pcap-file.c:175) <Info> (ReceivePcapFileLoop) -- Starting file run for /home/victor/sync/devel/suricata-verify/tests/issue-3518/input.pcap
[9535] 20/3/2020 -- 09:24:16 - (source-pcap-file-helper.c:157) <Info> (PcapFileDispatch) -- pcap file /home/victor/sync/devel/suricata-verify/tests/issue-3518/input.pcap end of file reached (pcap err code 0)
[9534] 20/3/2020 -- 09:24:16 - (suricata.c:2908) <Notice> (SuricataMainLoop) -- Signal Received.  Stopping engine.
[9534] 20/3/2020 -- 09:24:16 - (suricata.c:1088) <Info> (SCPrintElapsedTime) -- time elapsed 0.061s
[9535] 20/3/2020 -- 09:24:16 - (source-pcap-file.c:376) <Notice> (ReceivePcapFileThreadExitStats) -- Pcap-file module read 1 files, 8 packets, 461 bytes
[9534] 20/3/2020 -- 09:24:16 - (counters.c:853) <Info> (StatsLogSummary) -- Alerts: 1

Alert:

{
  "timestamp": "2020-03-08T18:41:44.423065+0100",
  "flow_id": 1481204001436825,
  "event_type": "alert",
  "src_ip": "192.168.210.1",
  "src_port": 63035,
  "dest_ip": "192.168.210.141",
  "dest_port": 80,
  "proto": "TCP",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 1328,
    "rev": 6,
    "signature": "WEB ATTACKS /etc/passwd command attempt",
    "category": "Web Application Attack",
    "severity": 1
  },
  "flow": {
    "pkts_toserver": 5,
    "pkts_toclient": 3,
    "bytes_toserver": 281,
    "bytes_toclient": 180,
    "start": "2020-03-08T18:41:44.423065+0100" 
  }
}

Am I missing something?

Actions #5

Updated by Victor Julien about 3 years ago

  • Status changed from Assigned to Closed
  • Assignee deleted (Victor Julien)
Actions

Also available in: Atom PDF