Bug #5076 (open)
keyword content does not work over reassembled TCP
Description
Using rule

alert ip any any -> any any (content:"HTTP/2.loc"; sid:11;)

on the attached pcap with stream.reassembly.toserver-chunk-size=25 does not trigger an alert.
It does trigger the alert without the setting.
I fear we might have an evasion if I split the packets over the default value of 2560...
Updated by Philippe Antoine over 2 years ago
This was found during investigation of #4858
Updated by Jeff Lucovsky over 2 years ago
- Copied to Bug #5110: keyword content does not work over reassembled TCP (6.0.x backport) added
Updated by Jeff Lucovsky over 2 years ago
- Copied to Bug #5111: keyword content does not work over reassembled TCP (5.0.x backport) added
Updated by Philippe Antoine over 2 years ago
From a talk with Victor, this is a known limitation, where the chunk size is supposed to be a bit random to protect against evasion attempts.
The solution may be to use hyperscan as a streaming engine (instead of running it on different chunks/blocks)
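The following is an added illustration, not Suricata code or the pcap from the report: it models the two inspection strategies discussed in the description and in the comment above. Each reassembled chunk is inspected in isolation (the reported behaviour, where a content that straddles the chunk boundary is missed), and then inspected in a streaming fashion that carries the last len(pattern)-1 bytes of the previous chunk into the next one, which is the property a streaming matcher provides. The payload, the 25-byte chunk size and the content "HTTP/2.loc" are taken from the report; the payload itself is constructed here so that the content crosses the first chunk boundary. The carry-over matcher is a simplified model of streaming matching, not how hyperscan or Suricata implement it.

```python
"""Chunked vs. streaming content inspection over a reassembled TCP stream (added illustration)."""

from typing import List

# Values from the bug report.
PATTERN = b"HTTP/2.loc"      # the content keyword of sid:11
CHUNK_SIZE = 25              # stream.reassembly.toserver-chunk-size=25
DEFAULT_CHUNK_SIZE = 2560    # default toserver chunk size mentioned in the report

# Constructed payload (not the attached pcap): the 23-byte request line prefix
# places PATTERN at stream offset 23..32, so it straddles the boundary at 25.
STRADDLING_PAYLOAD = b"GET /path/to/page.html HTTP/2.loc\r\n\r\n"


def make_chunks(data: bytes, chunk_size: int) -> List[bytes]:
    """Split a reassembled stream into fixed-size chunks, as a chunk-based inspector would see it."""
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    return [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]


def chunked_scan(chunks: List[bytes], pattern: bytes) -> int:
    """Inspect every chunk on its own.

    Returns the index of the first chunk that contains the whole pattern, or -1.
    A pattern that starts in one chunk and ends in the next is never seen,
    which is the missed alert described in the report.
    """
    for index, chunk in enumerate(chunks):
        if pattern in chunk:
            return index
    return -1


def streaming_scan(chunks: List[bytes], pattern: bytes) -> int:
    """Inspect the chunks as one stream by carrying state across chunk boundaries.

    Keeps the trailing len(pattern)-1 bytes of what was already inspected, so any
    match that ends inside the current chunk is fully visible even if it started
    in an earlier chunk (or several earlier chunks, if the pattern is longer than
    a chunk). Returns the absolute stream offset of the first match, or -1.
    """
    if not pattern:
        return 0
    carry = b""
    consumed = 0  # number of stream bytes preceding the current chunk
    for chunk in chunks:
        buf = carry + chunk
        idx = buf.find(pattern)
        if idx != -1:
            # Translate the offset inside buf back into a stream offset.
            return consumed - len(carry) + idx
        consumed += len(chunk)
        carry = buf[-(len(pattern) - 1):] if len(pattern) > 1 else b""
    return -1


def compare(payload: bytes, chunk_size: int, pattern: bytes) -> dict:
    """Run both strategies over the same stream and report what each one sees."""
    chunks = make_chunks(payload, chunk_size)
    return {
        "chunk_size": chunk_size,
        "chunk_count": len(chunks),
        "chunked_hit_chunk": chunked_scan(chunks, pattern),
        "streaming_hit_offset": streaming_scan(chunks, pattern),
    }


if __name__ == "__main__":
    for size in (CHUNK_SIZE, DEFAULT_CHUNK_SIZE):
        print(compare(STRADDLING_PAYLOAD, size, PATTERN))
```

With the 25-byte chunk size the per-chunk scan returns -1 while the streaming scan reports the match at offset 23; with the default 2560-byte chunk size the whole payload sits in one chunk and both strategies find it, which mirrors the two runs described in the report.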
Updated by Philippe Antoine over 2 years ago
- Related to Documentation #2470: document content inspection in chunks added
Updated by Victor Julien about 2 years ago
- Target version changed from 7.0.0-beta1 to 8.0.0-beta1
Updated by Philippe Antoine almost 2 years ago
- Related to Task #4431: libsuricata: Example showing libsuricata as a replacement for libnids (network grep) added
Updated by Philippe Antoine 5 months ago
I think this one can be postponed until after 8