Bug #508 (closed)
Suricata FN on http_header or http_user_agent
Description
Hi,
OK, start a wget HTTP request:
wget --user-agent="Mozilla\";" http://x.y.com
(results are User-Agent: Mozilla"; )
Attached a pcap file.
1) OK, create a very simple sig; Suricata fires:
... flow:to_server,established; content:"\"\;"; ...
2) Another sig, but Suricata does not fire, why?
... flow:to_server,established; content:"\"\;"; http_header; ...
3) Another sig, but Suricata does not fire, why?
... flow:to_server,established; content:"\"\;"; http_user_agent; ...
Same problem when replacing " with |22|
or ; with |3b|.
Of course Snort fires every time.
Regards
Rmkml
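The three rules in the report spell the same two bytes in different ways. The following added example (not code from the report and not Suricata's own content parser) decodes the escape forms used inside a content keyword (backslash escapes and |hex| runs) and checks the result against a constructed request whose User-Agent is the one the wget command produces. It shows that all four spellings are equivalent, so the rule syntax itself is not where a miss would come from.

```python
import re
from typing import Optional

# Added example, not Suricata's code: decode the text between the quotes of a
# content:"..." keyword into the raw bytes the engine compares against.
# Handles the two forms seen in the rules above: |hex bytes| runs and the
# backslash escapes for the characters that are special in a rule body.
_ESCAPABLE = '";:\\'
_HEX_RUN = re.compile(r"^[0-9A-Fa-f]*$")


def decode_content(spec: str) -> bytes:
    """Turn a content keyword body such as \\"\\; or |22 3b| into bytes."""
    out = bytearray()
    i, n = 0, len(spec)
    while i < n:
        c = spec[i]
        if c == "|":                                   # |22 3b| style hex run
            j = spec.find("|", i + 1)
            if j < 0:
                raise ValueError("unterminated hex run in content")
            hexpart = spec[i + 1:j].replace(" ", "")
            if len(hexpart) % 2 or not _HEX_RUN.match(hexpart):
                raise ValueError(f"bad hex run {spec[i:j + 1]!r}")
            out += bytes.fromhex(hexpart)
            i = j + 1
        elif c == "\\":                                # \" \; \: \\ escapes
            if i + 1 >= n or spec[i + 1] not in _ESCAPABLE:
                raise ValueError(f"bad escape at offset {i}")
            out.append(ord(spec[i + 1]))
            i += 2
        else:
            out.append(ord(c))                         # plain ASCII character
            i += 1
    return bytes(out)


def user_agent(request: bytes) -> Optional[bytes]:
    """Pull the User-Agent value out of a raw HTTP/1.x request head."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:               # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip()
    return None


def ua_matches(request: bytes, spec: str) -> bool:
    """True when the decoded content bytes occur in the User-Agent header."""
    ua = user_agent(request)
    return ua is not None and decode_content(spec) in ua


# Constructed request, modelled on what the wget command in the report sends.
REQUEST = (b"GET / HTTP/1.1\r\n"
           b'User-Agent: Mozilla";\r\n'
           b"Host: x.y.com\r\n\r\n")

if __name__ == "__main__":
    for spec in (r'\"\;', r'|22|\;', r'\"|3b|', "|22 3b|"):
        print(f'content:"{spec}" -> {decode_content(spec)!r}, '
              f"matches User-Agent: {ua_matches(REQUEST, spec)}")
```

All four spellings decode to the bytes `";` and match the constructed header, which is consistent with the report: the plain content rule fires, so the mismatch has to come from what the http_header and http_user_agent buffers contain, not from how the bytes are written.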
Files
Updated by Anoop Saldanha over 12 years ago
Have attached the patch.
The issue is not FN on http_user_agent or http_header, but reassembly not happening since we didn't accept a particular combination of tcp flags, which in your case was (ack | push | cwr).
My solution patches it for your pcap, but there should be many more such flag combinations which should make evasion easy.
Btw, this issue isn't new for us. I had mailed on this last year, but we somehow forgot to fix it. Thanks rmkml.
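The diagnosis above points at the reassembler rather than the rules: a data segment whose flags were not on an accept list was never handed to the stream, so the HTTP parser never saw the request head and the header buffers stayed empty. The following added example is not Suricata's source and not the attached patch; it models that failure mode with an assumed exact-value accept list, contrasts it with a check that masks out the ECN bits (CWR, ECE) before deciding, and enumerates every flag byte the two policies disagree on so the size of the gap is visible. Flag bit positions follow the standard TCP header order; the stream is constructed.

```python
from typing import Callable, Dict, List, Tuple

# Added example, not Suricata's code and not the bug-508 patch: a model of a
# reassembler that gates data segments on their TCP flag byte.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
FLAG_NAMES: Dict[int, str] = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH",
                              ACK: "ACK", URG: "URG", ECE: "ECE", CWR: "CWR"}


def flag_str(flags: int) -> str:
    """Human-readable form of a flag byte, e.g. PSH|ACK|CWR."""
    return "|".join(n for b, n in FLAG_NAMES.items() if flags & b) or "none"


# Brittle policy (assumed shape of the pre-fix logic): only these exact
# values are accepted, so any extra bit such as CWR makes the segment vanish.
STRICT_ACCEPT = {ACK, ACK | PSH, ACK | FIN, ACK | FIN | PSH}


def accept_strict(flags: int) -> bool:
    return flags in STRICT_ACCEPT


# Robust policy: decide on the bits that matter for data delivery in an
# established session and ignore the ECN signalling bits entirely.
ECN_BITS = ECE | CWR


def accept_masked(flags: int) -> bool:
    core = flags & ~ECN_BITS
    if core & (SYN | RST):          # session set-up/tear-down, not stream data
        return False
    return bool(core & ACK)         # data in an established session carries ACK


Segment = Tuple[int, bytes]


def reassemble(segments: List[Segment], accept: Callable[[int], bool]) -> bytes:
    """Concatenate the payload of accepted segments (in-order stream assumed)."""
    return b"".join(p for f, p in segments if accept(f))


def accept_gap() -> List[int]:
    """Flag bytes the masked policy accepts but the strict list rejects."""
    return [f for f in range(256) if accept_masked(f) and not accept_strict(f)]


# Constructed to-server stream: the request head split across two data
# segments, the second carrying CWR like the segment in the reporter's pcap.
CLIENT_SEGMENTS: List[Segment] = [
    (ACK,             b"GET / HTTP/1.1\r\n"),
    (ACK | PSH | CWR, b'User-Agent: Mozilla";\r\nHost: x.y.com\r\n\r\n'),
]


def ua_visible(accept: Callable[[int], bool]) -> bool:
    """Would the User-Agent line reach the HTTP parser under this policy?"""
    return b'Mozilla";' in reassemble(CLIENT_SEGMENTS, accept)


if __name__ == "__main__":
    for name, policy in (("strict", accept_strict), ("masked", accept_masked)):
        print(f"{name}: User-Agent visible to detection: {ua_visible(policy)}")
    gap = accept_gap()
    print(f"{len(gap)} flag combinations the strict list drops:",
          ", ".join(flag_str(f) for f in gap))
```

Under the strict policy the second segment is dropped and the header-based rules have nothing to match, which is exactly the symptom in the report, while the plain content rule still fires because packet-level matching never depended on reassembly. The gap audit is the check worth keeping: ECE and CWR are set independently of data delivery, so any accept decision that includes them in an exact comparison will miss traffic from ECN-capable stacks, and listing the combinations a policy rejects makes that blind spot reviewable before it shows up as a false negative.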
Updated by Anoop Saldanha over 12 years ago
- File 0001-bug-508-List-ack-cwr-ecn-combination-to-be-accepted-.patch added
oops. Forgot to attach my patch. Here you go
Updated by Victor Julien about 12 years ago
- Status changed from New to Closed
- Target version set to 1.3.1
- % Done changed from 0 to 100
Applied, thanks Anoop.