Project

General

Profile

Actions

Bug #7019

open

snmp: probing parser returns ALPROTO_FAILED instead of ALPROTO_UNKNOWN if slice.len() < 4

Added by Philippe Antoine 8 months ago. Updated 6 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:
Beginner, Good First Issue, Needs Suricata-Verify test, Protocol, Rust

Description

Found with https://github.com/OISF/suricata/pull/11062

This would allow protocol detection evasion on TCP by splitting the PDU into a first small slice and the rest once the first packet is packed

There may be other protocols to check.

Actions #1

Updated by Philippe Antoine 8 months ago

  • Subject changed from snmp: robin parser returns ALPROTO_FAILED instead of ALPROTO_UNKNOWN if slice.len() < 4 to snmp: probing parser returns ALPROTO_FAILED instead of ALPROTO_UNKNOWN if slice.len() < 4
Actions #2

Updated by Philippe Antoine 8 months ago

  • Label Beginner, Good First Issue, Needs Suricata-Verify test, Protocol, Rust added

Easy fix, hard thing is to craft a pcap for testing

Actions #3

Updated by Philippe Antoine 6 months ago

I think this one can be postponed after 8

Actions

Also available in: Atom PDF