Bug #7019

open

snmp: probing parser returns ALPROTO_FAILED instead of ALPROTO_UNKNOWN if slice.len() < 4

Added by Philippe Antoine 6 months ago. Updated 5 months ago.

Status: New
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label: Beginner, Good First Issue, Needs Suricata-Verify test, Protocol, Rust

Description

Found with https://github.com/OISF/suricata/pull/11062

This would allow protocol detection evasion on TCP by splitting the PDU into a first small slice and the rest once the first packet is packed.

There may be other protocols to check.
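The difference between the two return values, as an added example that is not part of the issue and is not Suricata's code: a simplified model of a probing function and of a detection loop that treats a failed probe as final and an unknown probe as "retry with more data". The `Probe` enum, the function names, the 4-byte header check and the sample bytes are all assumptions made for the illustration; the logic in `detect` is the shape a regression test for the fix would assert on.

```rust
// Simplified model (hypothetical names), not Suricata's implementation.
#[derive(Debug, PartialEq, Clone, Copy)]
enum Probe { Unknown, Failed, Snmp }

const MIN_LEN: usize = 4; // the slice.len() < 4 threshold from the issue title

// Constructed, truncated sample: SEQUENCE, len, INTEGER len 1 (version), community
const PDU: &[u8] = &[0x30, 0x0b, 0x02, 0x01, 0x01, 0x04, 0x06,
                     b'p', b'u', b'b', b'l', b'i', b'c'];

// Stand-in for the real envelope parse; caller guarantees b.len() >= MIN_LEN.
fn looks_like_snmp(b: &[u8]) -> bool {
    b[0] == 0x30 && b[2] == 0x02 && b[3] == 0x01
}

// Behaviour described in the issue: too little data is reported as a failure.
fn probe_reported(b: &[u8]) -> Probe {
    if b.len() < MIN_LEN { return Probe::Failed; }
    if looks_like_snmp(b) { Probe::Snmp } else { Probe::Failed }
}

// Behaviour the issue asks for: too little data means "cannot decide yet".
fn probe_expected(b: &[u8]) -> Probe {
    if b.len() < MIN_LEN { return Probe::Unknown; }
    if looks_like_snmp(b) { Probe::Snmp } else { Probe::Failed }
}

// Model of per-flow detection over reassembled TCP data: the probe sees the
// accumulated bytes after each segment; any verdict other than Unknown is final.
fn detect(segments: &[&[u8]], probe: fn(&[u8]) -> Probe) -> Probe {
    let mut buf: Vec<u8> = Vec::new();
    for seg in segments {
        buf.extend_from_slice(seg);
        match probe(&buf) {
            Probe::Unknown => continue,
            verdict => return verdict,
        }
    }
    Probe::Unknown
}

fn main() {
    let (head, tail) = PDU.split_at(2); // first slice shorter than MIN_LEN
    println!("whole PDU, reported: {:?}", detect(&[PDU], probe_reported));
    println!("split PDU, reported: {:?}", detect(&[head, tail], probe_reported));
    println!("split PDU, expected: {:?}", detect(&[head, tail], probe_expected));
}
```

With the reported behaviour the split stream ends as `Failed` even though the same bytes in one slice are recognised; with the expected behaviour both orderings end as `Snmp`.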

Actions #1

Updated by Philippe Antoine 6 months ago

  • Subject changed from snmp: robin parser returns ALPROTO_FAILED instead of ALPROTO_UNKNOWN if slice.len() < 4 to snmp: probing parser returns ALPROTO_FAILED instead of ALPROTO_UNKNOWN if slice.len() < 4

Actions #2

Updated by Philippe Antoine 6 months ago

  • Label Beginner, Good First Issue, Needs Suricata-Verify test, Protocol, Rust added

Easy fix; the hard thing is to craft a pcap for testing.

Actions #3

Updated by Philippe Antoine 5 months ago

I think this one can be postponed after 8
