Documentation #6121 (closed)
datasets: 6.0.x work-arounds for dataset supply chain attacks
Description
Check your Rules for Absolute and Relative Dataset Filenames

The following grep command will look at all rule files in /var/lib/suricata/rules that try to write to a dataset using an absolute path name or a path name that traverses to the parent directory:

grep -E 'dataset:.*(state|save)\s+(.*\.\.|/)' /var/lib/suricata/rules/*.rules
Use Suricata-Update to Disable Rules with Absolute or Parent Dataset Paths

In /etc/suricata/disable.conf, a regular expression can be added to disable rules that attempt to write to a dataset filename that is either an absolute pathname or a path that contains ..:

re:dataset:.*?(save|state)\s+(.*\.\.|/).*?;
Notes

Test Rules

The above commands were tested with the following rules:

alert dns any any -> any any (msg:"dataset normal"; dns.query; to_sha256; dataset: isset, dns-sha256-seen, type md5, state dns-sha256-seen.lst; sid:1000000; rev:1;)
alert dns any any -> any any (msg:"dataset absolute"; dns.query; to_sha256; dataset: isset, absolute, type md5, state /absolute.lst; sid:2; rev:1000001;)
alert dns any any -> any any (msg:"dataset parent"; dns.query; to_sha256; dataset: isset, parent, type md5, state ../absolute.lst; sid:3; rev:1000002;)
alert dns any any -> any any (msg:"dataset save parent"; dns.query; to_sha256; dataset: isset, parent-save, type md5, save ../save-absolute.lst; sid:1000003; rev:1;)
alert dns any any -> any any (msg:"static"; dns.query; to_sha256; dataset: isset, static, type md5, load static.list; sid:1000004; rev:1;)
alert dns any any -> any any (msg:"relative inside"; dns.query; to_sha256; dataset: isset, relative-inside, type md5, save foo/../../bar; sid:1000005; rev:1;)
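As an added example that is not part of the ticket, the following Python checker parses the dataset keyword's options instead of matching raw rule text (the grep above also fires on a `..` that happens to appear later in the same rule line) and resolves each save/state path against an assumed data directory, so a path like foo/../../bar that only escapes after normalisation is flagged as well. The DATA_DIR value and all function names are assumptions for this example; the sample rules are the ticket's test rules, embedded inline.

```python
import posixpath
import re

# Constructed sample input: the six test rules from this ticket, one rule per line.
SAMPLE_RULES = """\
alert dns any any -> any any (msg:"dataset normal"; dns.query; to_sha256; dataset: isset, dns-sha256-seen, type md5, state dns-sha256-seen.lst; sid:1000000; rev:1;)
alert dns any any -> any any (msg:"dataset absolute"; dns.query; to_sha256; dataset: isset, absolute, type md5, state /absolute.lst; sid:2; rev:1000001;)
alert dns any any -> any any (msg:"dataset parent"; dns.query; to_sha256; dataset: isset, parent, type md5, state ../absolute.lst; sid:3; rev:1000002;)
alert dns any any -> any any (msg:"dataset save parent"; dns.query; to_sha256; dataset: isset, parent-save, type md5, save ../save-absolute.lst; sid:1000003; rev:1;)
alert dns any any -> any any (msg:"static"; dns.query; to_sha256; dataset: isset, static, type md5, load static.list; sid:1000004; rev:1;)
alert dns any any -> any any (msg:"relative inside"; dns.query; to_sha256; dataset: isset, relative-inside, type md5, save foo/../../bar; sid:1000005; rev:1;)
"""

# Assumed dataset directory; set this to the data directory your suricata.yaml actually uses.
DATA_DIR = "/var/lib/suricata/data"
DATASET_RE = re.compile(r"dataset:\s*([^;]*);")
SID_RE = re.compile(r"\bsid:\s*(\d+)")

def dataset_write_targets(rule):
    """Return (keyword, path) for each save/state option of the rule's dataset keywords.
    'load' is read-only and is deliberately not reported, matching the ticket's grep."""
    targets = []
    for match in DATASET_RE.finditer(rule):
        for option in match.group(1).split(","):
            parts = option.strip().split(None, 1)
            if len(parts) == 2 and parts[0] in ("save", "state"):
                targets.append((parts[0], parts[1].strip()))
    return targets

def escapes_data_dir(path, data_dir=DATA_DIR):
    """True if path is absolute, or lands outside data_dir once '..' components are
    collapsed (so 'foo/../../bar' is caught although it has no leading '..')."""
    if path.startswith("/"):
        return True
    resolved = posixpath.normpath(posixpath.join(data_dir, path))
    return not resolved.startswith(data_dir.rstrip("/") + "/")

def find_unsafe_rules(rules_text):
    """Return [(sid, keyword, path)] for every rule whose dataset write target escapes."""
    unsafe = []
    for line in rules_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and commented-out rules
        sid_match = SID_RE.search(line)
        sid = int(sid_match.group(1)) if sid_match else None
        for keyword, path in dataset_write_targets(line):
            if escapes_data_dir(path):
                unsafe.append((sid, keyword, path))
    return unsafe
```

Run it over the concatenated contents of /var/lib/suricata/rules/*.rules and feed the reported sids into disable.conf, or keep the regex line above as the blanket rule and use this output to review what it will disable.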