Project

General

Profile

Actions

Bug #7467

open

detect: checksum detection broken by stream.checksum-validation

Added by Hans Vermeer 8 days ago. Updated 8 days ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Taken from https://forum.suricata.io/t/custom-content-detection/4784/5

As mentioned in the issue, when stream.checksum-validation is set to false, a packet will get the PKT_IGNORE_CHECKSUM flag, bypassing all checksum related rules in detect-csum.c.

We've come across routers stripping TCP options from SYN packets without them properly updating the checksum afterwards. We would like to detect this behavior, while still having these incorrect packets progress to the tcp-reassembler. It doesn't seem like this is currently possible.


Files

detect-chksum.tar.gz (2.04 KB) detect-chksum.tar.gz Hans Vermeer, 12/18/2024 12:35 PM

Subtasks 1 (1 open0 closed)

Bug #7468: detect: checksum detection broken by stream.checksum-validation (7.0.x backport)AssignedOISF DevActions
Actions #1

Updated by Victor Julien 8 days ago

  • Subject changed from Checksum detection to detect: checksum detection broken by stream.checksum-validation
  • Target version changed from TBD to 8.0.0-beta1
  • Label Needs backport to 7.0 added

I agree that this shouldn't happen.

Are you able to craft a SV test for this issue?

Actions #2

Updated by OISF Ticketbot 8 days ago

  • Subtask #7468 added
Actions #3

Updated by OISF Ticketbot 8 days ago

  • Label deleted (Needs backport to 7.0)
Actions #4

Updated by Hans Vermeer 8 days ago

I've attached a test I created with stream.checksum-validation=yes then switching to stream.checksum-validation=no fails the test as attached, is this enough to confirm the bug?

Actions

Also available in: Atom PDF