Optimization #7251
opendcerpc: mimic gap behavior if invalid data is sent to protocol parser
Description
Let's assume that the RFC XXX of a Protocol P defines that its:
- header is 4 bytes in total
- byte 1 tells protocol version
- byte 2 tells the type of request/response
- bytes 3 and 4 of its header tell how big the entire fragment is
- rest of the bytes are the fragment data
Request 1:
--------------------------
|      Header (4B)       |  <- this tells that the total length of the fragment is 20 bytes
--------------------------
|                        |
|                        |
|          DATA          |
|                        |
--------------------------
Observation: Request 1 is hence completed.
Request 2:
--------------------------
|                        |
|                        |
|          DATA          |
|                        |
--------------------------
Observation: The header of this request gives a protocol version and request type that are invalid so the protocol parser rejects it and returns an error.
Behavior to be implemented: In case of Request 2, the parser should mimic gap behavior i.e. skip over the invalid data for as long as it lasts.
Challenges:
- No way to know the length of the invalid data beforehand.
Possible solutions:
- Maybe the Applayer:: API can be extended to have a fn that allows skipping over data until a certain byte pattern is found. To be discussed.
- The protocol parser can itself just not do anything with the data and ask for more data until it has valid data.
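A sketch of the second option above for the hypothetical Protocol P, added here as an illustration; it is not Suricata code and not part of the original ticket. The `Parser` and `Event` names, the valid version (1), the valid types (0 and 1) and the big-endian length field are assumptions.

```rust
// Hypothetical Protocol P from the description: 4-byte header
// (version, type, 16-bit total fragment length), then fragment data.
// Assumptions (not from the ticket): version must be 1, types 0 and 1
// are valid, and the length field is big-endian.
const HDR_LEN: usize = 4;

#[derive(Debug, PartialEq)]
pub enum Event {
    Fragment { ptype: u8, data_len: usize }, // complete fragment: type, data size
    Skipped(usize), // bytes dropped while looking for the next plausible header
}

#[derive(Default)]
pub struct Parser {
    buf: Vec<u8>, // bytes received but not yet consumed
}

impl Parser {
    // Total fragment length if the 4 header bytes validate, else None.
    fn frag_len(h: &[u8]) -> Option<usize> {
        let len = u16::from_be_bytes([h[2], h[3]]) as usize;
        (h[0] == 1 && h[1] <= 1 && len >= HDR_LEN).then_some(len)
    }

    /// Consume new stream data. Never returns an error: invalid bytes are
    /// skipped, the way a stream gap would be, until a header validates.
    pub fn feed(&mut self, data: &[u8]) -> Vec<Event> {
        self.buf.extend_from_slice(data);
        let (mut events, mut pos, mut skipped) = (Vec::new(), 0, 0);
        while self.buf.len() - pos >= HDR_LEN {
            match Self::frag_len(&self.buf[pos..pos + HDR_LEN]) {
                Some(len) if self.buf.len() - pos < len => break, // need more data
                Some(len) => {
                    if skipped > 0 { events.push(Event::Skipped(skipped)); skipped = 0; }
                    events.push(Event::Fragment { ptype: self.buf[pos + 1], data_len: len - HDR_LEN });
                    pos += len;
                }
                None => { pos += 1; skipped += 1; } // slide one byte and retry
            }
        }
        if skipped > 0 { events.push(Event::Skipped(skipped)); }
        self.buf.drain(..pos); // keep only the unconsumed tail for the next call
        events
    }
}

fn main() {
    let mut p = Parser::default();
    println!("{:?}", p.feed(&[9, 9, 0, 8, 1, 0, 0, 5, b'x'])); // constructed input
}
```

Sliding one byte at a time can lock onto bytes inside the invalid data that happen to look like a header, which is the same unknown-length problem listed under Challenges.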