Project

General

Profile

Actions
Copy link

Bug #6087

closed

FTP bounce detection doesn't work for big-endian platforms

Added by Cole Dishington over 1 year ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Cole Dishington
Target version:
7.0.0-rc2
Affected Versions:
7.0.0-rc1
Effort:
Difficulty:
low
Label:

Description

FTP bounce detection has false positives and false negatives on platforms where host byte order is the same as network byte order. An example of this behavior can be triggered with the traffic attached pcap, which is also used in the suricata-verify test. The traffic contains the following:
  • A valid active FTP control transaction setting up the data port.
  • A active FTP control transaction setting up an FTP bounce attack.
    On big-endian platforms both flows will be detected as an FTP bounce attack. I tested this on x86_64 and mips64 platforms.

Files

test.pcap (2.63 KB) test.pcap Cole Dishington, 05/25/2023 03:57 AM

Subtasks 1 (0 open1 closed)

Bug #6174: FTP bounce detection doesn't work for big-endian platforms (6.0.x backport)ClosedPhilippe AntoineActions
Actions
Copy link
 #1

Updated by Victor Julien over 1 year ago

  • Status changed from New to In Review
Actions
Copy link
 #2

Updated by Victor Julien over 1 year ago

  • Priority changed from Normal to Low
Actions
Copy link
 #3

Updated by Victor Julien over 1 year ago

  • Label deleted (Needs Suricata-Verify test)
Actions
Copy link
 #4

Updated by Victor Julien over 1 year ago

  • Status changed from In Review to Resolved
  • Priority changed from Low to Normal
  • Label Needs backport to 6.0 added
Actions
Copy link
 #5

Updated by Shivani Bhardwaj over 1 year ago

  • Label deleted (C, Needs backport to 6.0)
Actions
Copy link
 #6

Updated by Shivani Bhardwaj over 1 year ago

  • Subtask #6174 added
Actions
Copy link
 #7

Updated by Victor Julien over 1 year ago

  • Status changed from Resolved to Closed
Actions
Copy link

Also available in: Atom PDF