Bug #7019
snmp: probing parser returns ALPROTO_FAILED instead of ALPROTO_UNKNOWN if slice.len() < 4
Label:
Beginner, Good First Issue, Needs Suricata-Verify test, Protocol, Rust
Description
Found with https://github.com/OISF/suricata/pull/11062
This would allow protocol detection evasion on TCP by splitting the PDU into a first small slice and the rest once the first packet is packed.
There may be other protocols to check.
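The return-value difference described above, as an added example that is not Suricata's code: a simplified Rust model of a probing function and of a detection loop that probes again as TCP data accumulates. The `Probe` enum, `MIN_LEN`, `looks_like_snmp`, `detect` and the sample bytes are assumptions made for this illustration.

```rust
// Simplified model of app-layer protocol probing; not taken from Suricata.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Probe {
    Unknown, // not enough data yet: probe again when more bytes arrive
    Failed,  // not this protocol: the flow is never probed for it again
    Snmp,
}

const MIN_LEN: usize = 4; // the threshold named in the issue title

// Constructed sample: start of an SNMP message (SEQUENCE, version 1, "public").
pub const SAMPLE_PDU: &[u8] = &[
    0x30, 0x0b, 0x02, 0x01, 0x01, 0x04, 0x06, b'p', b'u', b'b', b'l', b'i', b'c',
];

// Assumed check: BER SEQUENCE tag, then an INTEGER of length 1 (the version).
fn looks_like_snmp(buf: &[u8]) -> bool {
    buf[0] == 0x30 && buf[2] == 0x02 && buf[3] == 0x01
}

// Behaviour reported in the issue: a short slice is treated as a definite miss.
pub fn probe_buggy(buf: &[u8]) -> Probe {
    if buf.len() < MIN_LEN {
        return Probe::Failed;
    }
    if looks_like_snmp(buf) { Probe::Snmp } else { Probe::Failed }
}

// Expected behaviour: a short slice is inconclusive, so the caller waits.
pub fn probe_fixed(buf: &[u8]) -> Probe {
    if buf.len() < MIN_LEN {
        return Probe::Unknown;
    }
    if looks_like_snmp(buf) { Probe::Snmp } else { Probe::Failed }
}

// Probe the reassembled prefix after each TCP segment; Failed and Snmp are final.
pub fn detect(probe: fn(&[u8]) -> Probe, segments: &[&[u8]]) -> Probe {
    let mut stream: Vec<u8> = Vec::new();
    for seg in segments {
        stream.extend_from_slice(seg);
        match probe(&stream) {
            Probe::Unknown => continue,
            verdict => return verdict,
        }
    }
    Probe::Unknown
}
```

A regression test for the fix can assert that `detect` gives the same verdict for a PDU delivered whole and for the same PDU delivered with a first segment shorter than `MIN_LEN`.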
Updated by Philippe Antoine 8 months ago
- Subject changed from snmp: robin parser returns ALPROTO_FAILED instead of ALPROTO_UNKNOWN if slice.len() < 4 to snmp: probing parser returns ALPROTO_FAILED instead of ALPROTO_UNKNOWN if slice.len() < 4
Updated by Philippe Antoine 8 months ago
- Label Beginner, Good First Issue, Needs Suricata-Verify test, Protocol, Rust added
Easy fix, hard thing is to craft a pcap for testing
Updated by Philippe Antoine 6 months ago
I think this one can be postponed after 8