Bug #7467

open

detect: checksum detection broken by stream.checksum-validation

Added by Hans Vermeer 9 days ago. Updated 9 days ago.

Status: New
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Taken from https://forum.suricata.io/t/custom-content-detection/4784/5

As mentioned in the issue, when stream.checksum-validation is set to false, a packet will get the PKT_IGNORE_CHECKSUM flag, bypassing all checksum-related rules in detect-csum.c.

We've come across routers stripping TCP options from SYN packets without them properly updating the checksum afterwards. We would like to detect this behavior, while still having these incorrect packets progress to the tcp-reassembler. It doesn't seem like this is currently possible.


Files

detect-chksum.tar.gz (2.04 KB), Hans Vermeer, 12/18/2024 12:35 PM
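The packet condition described in this report, reproduced offline as an added example (not code from the issue, its attachment, or Suricata): a SYN whose TCP options were removed while the checksum was left stale fails RFC 1071 verification. All function names and sample values are hypothetical, and the example assumes the middlebox also resets the data offset to 5.

```python
import socket
import struct

def ones_sum_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    return (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))

def tcp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """A valid segment sums to zero once its own checksum field is included."""
    return ones_sum_checksum(pseudo_header(src, dst, len(segment)) + segment) == 0

def build_syn(src: str, dst: str, options: bytes) -> bytes:
    """Constructed SYN (ports, seq and window are sample values) with a correct checksum."""
    doff = (20 + len(options)) // 4
    seg = struct.pack("!HHIIBBHHH", 40000, 443, 1000, 0, doff << 4, 0x02, 64240, 0, 0) + options
    csum = ones_sum_checksum(pseudo_header(src, dst, len(seg)) + seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]

def strip_options(segment: bytes) -> bytes:
    """Assumed middlebox behaviour: drop options, set data offset to 5, leave checksum stale."""
    hdr = bytearray(segment[:20])
    payload = segment[(segment[12] >> 4) * 4:]
    hdr[12] = 5 << 4
    return bytes(hdr) + payload

def stripped_syn_suspect(src: str, dst: str, segment: bytes) -> bool:
    """Hypothetical heuristic: SYN without ACK, no options, checksum invalid."""
    is_syn = bool(segment[13] & 0x02) and not segment[13] & 0x10
    no_options = (segment[12] >> 4) == 5
    return is_syn and no_options and not tcp_checksum_ok(src, dst, segment)

# Constructed sample: MSS 1460, NOP, NOP, SACK-permitted
OPTIONS = bytes.fromhex("020405b401010402")
SRC, DST = "192.0.2.10", "198.51.100.20"
original = build_syn(SRC, DST, OPTIONS)
mangled = strip_options(original)

if __name__ == "__main__":
    print("original valid:", tcp_checksum_ok(SRC, DST, original))
    print("mangled valid: ", tcp_checksum_ok(SRC, DST, mangled))
    print("flag mangled:  ", stripped_syn_suspect(SRC, DST, mangled))
```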

Subtasks 1 (1 open, 0 closed)

Bug #7468: detect: checksum detection broken by stream.checksum-validation (7.0.x backport) | Assigned | OISF Dev