Suricata

Reported by Fratso:

It is possible to bypass/evade tcp based signature on some Linux servers.

For that, you have to send a FIN-SYN-ACK after a 3WHS and a fake SYN with a bad sequence number after the server's ACK answer which allow the attacker to desynchronize the NIDS and send/receive known signatures without being detected.

For this attack, the attacker must control the TCP/IP stack of a client.

Here's an example:

Client === Legit TCP handshake === Server
Client -> [FIN-SYN-ACK] [Seq=1 Ack=2] -> Server # injected (FSA)
Client <- [ACK] [Seq=2 Ack=1] <- Server # legit
Client -> [SYN] [Seq=1234] -> Server # injected (bad seq)
Client -> [PSH-ACK] [Seq=1 Ack=2] SIGNATURE -> Server # undetected
Client <- [ACK] [Seq=x Ack=y] <- Server # legit
Client <- [PSH-ACK] [Seq=x Ack=y] SIGNATURE <- Server # undetected

This evasion has been tested against the following servers on the folowing OS:

Web server	Tested version	OS	Vulnerable?
------------	----------------	--------------	-------------
Nginx	1.21.1	Ubuntu 20.04	Yes
Nginx	1.21.1	Windows 10	No
Apache	2.4.41	Ubuntu 20.04	No
Apache	2.4.41	Windows 10	No
Django	3.1.5	Ubuntu 20.04	Yes
Django	3.1.5	Windows 10	No
Gunicorn	20.0.4	Ubuntu 20.04	Yes
Gunicorn	20.0.4	Windows 10	No
Python3	3.8.5	Ubuntu 20.04	Yes
Python3	3.8.5	Windows 10	No

Apparently, this evasion does not work against Windows 10 and Apache2. However, it does work on some other servers running on Linux only.