Security #6299
closedmqtt pcap with anomalies takes too long to process because of app-layer-event detection
9240ae250cc369306803740279df2ab3eca6b54a
5bb8800588e7b4a09e1770f049cd88be71e2d30b
2fb50598f23b112f14ec15330e11c40b74caa35f
89936b6530690c6d03869b2ad8b82f9f84776f94
Description
Cf time ./src/suricata -r .lol.pcap -c suricata.yaml -S rules/mqtt-events.rules -l log -k none
Analysis :
- About 1000 MQTT transactions are created and not completed from client to server (with an anomaly unintroduced message)
- Server sends many packets with a 2 bytes of payload
- Client finally ACKS these packets, which create many transactions, with anomalies, and also triggering the MQTT transactions flush mechanism
Some possible solutions ?
- Decreasing yaml mqtt.max-tx to 64 decreases the time from one minute to 6 seconds
- DetectRunTx should not inspect the transactions that have not been modified by the current packet
Victor, thoughts about this ?
Files
Updated by Philippe Antoine about 1 year ago
Could keyword app-layer-event support prefilter ?
Updated by Philippe Antoine about 1 year ago
- Status changed from New to In Review
- Target version changed from 7.0.2 to 7.0.1
https://github.com/OISF/suricata/pull/9456 fixes the main case
Updated by Victor Julien about 1 year ago
- Assignee changed from Victor Julien to Philippe Antoine
Updated by Victor Julien about 1 year ago
- Target version changed from 7.0.1 to 7.0.2
Updated by Philippe Antoine about 1 year ago
Looks like https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62416 is another variant found by oss-fuzz,
No MQTT, but HTTP, still using app-layer-event. keyword in signatures and spending much time qsort in DetectRunTx
Updated by Philippe Antoine about 1 year ago
- Related to Security #5921: http1: configurable limit for maximum number of live transactions per flow added
Updated by Philippe Antoine about 1 year ago
So, diagnostic is
- create and make live many transaction for one flow (there is no limit for HTTP1 per #5921)
- use multiple rules with app-layer-event keyword (may work with others) but there is no pre filtering beyond the app-layer protocol
So, for each packet, we run DetectRunTx which runs for each transaction
As there is no prefilter, we merge 'state' rules from the regular prefilter
Then, we merge stored state into results, which is a duplicate of the signatures with the flags set (pointer set integer 0)
Problems :
- no limit or too big for the number of transaction per live flow
- we use qsort instead of merging two sorted lists when we merge 'state' rules from the regular prefilter (when quicksort may be at its quadratic worst-case implementation as the list is about already sorted)
- we store a state with flags set to 0 for these app-layer events, leading to duplicate signatures`
@Victor Julien I wonder what you think about this
Updated by Philippe Antoine about 1 year ago
- File httpslow.pcap httpslow.pcap added
oss-fuzz reproducer with time ./src/suricata -r httpslow.pcap -c suricata.yaml -k none --set runmode=single -S rules/http-events.rules
Updated by Philippe Antoine about 1 year ago
Summing up the subtasks :
- merge sorted lists instead of using qsort
- do not store state with flags set to 0
- do not run detection if nothing has been updated (need to investigate the QA diff for SMTP halved transactions)
- MQTT should only raise event UnintroducedMessage once per flow, and maybe not if it was picked up midstream
- MQTT should reuse an exiting transaction for this event instead of creating a new empty one just for this purpose
- limit the number of live HTTP1 transactions tracked in #5921
Updated by Victor Julien about 1 year ago
- Target version changed from 7.0.2 to 7.0.3
Updated by Philippe Antoine 12 months ago
- Related to Optimization #4749: app-layer: track changed txs for detect and logging added
Updated by Victor Julien 12 months ago
- Target version changed from 7.0.3 to 8.0.0-beta1
Updated by Philippe Antoine 10 months ago
- Subject changed from mqtt pcap with anomalies takes too long to process to mqtt pcap with anomalies takes too long to process because of app-layer-event detection
Updated by Victor Julien 10 months ago
- Severity changed from MODERATE to CRITICAL
Severe slowdown, so CRITICAL.
Updated by Philippe Antoine 9 months ago
After the merge of https://github.com/OISF/suricata/pull/10160, I wonder if there is one more subticket to do :
Is there a way that app-layer-event keyword is evaluated only once per transaction ? And not 50 times if there are 50 rules for 50 different app-layer events...
I wonder especially in the simple case when there is no event. Could we have a prefilter-ish mechanism saying that none of these signatures will match on the transaction in its current state ?
Updated by Philippe Antoine 9 months ago
- Related to Optimization #6728: detect: prefilter for events (decode, stream, app-layer, etc...) added
Updated by Philippe Antoine 9 months ago
- Status changed from In Review to Resolved
Updated by Philippe Antoine 9 months ago
- Status changed from Resolved to Closed
- Git IDs updated (diff)