Feature #804 (closed): Randomize stream chunk size
Description
The issue
The default chunk size is 2560 and, even if it can be changed by the administrator, it
is not one of the best-known parameters.
So an attacker could use this knowledge to send data that almost reaches the limit and
then send his attack payload in two packets. The first will land in the first
inspection and the second in the second one. This results in an evasion technique.
It could seem a bit complicated to do so, but in most protocols an information request
could be used to accumulate data. For example, in IMAP, asking for server capabilities
multiple times could provide a way to create some padding.
So it is recommended that administrators set an arbitrary value of the chunk size
on their system to complicate the attack.
A solution
The attacker needs to know the size of the chunk. So by taking a random value of the chunk size around the specified
value, it is not possible for the attacker to split the attack. With a base chunk size value of 2560 (N),
using a random value in the interval [0.9 * N, 1.1 * N] would lead to 512 bytes of uncertainty and
make evasion far more difficult as the attacker cannot predict where the cut will be made.
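As an added illustration (not code from this ticket or from Suricata), the following Python simulation models chunk-by-chunk inspection with the ticket's numbers: a 16-byte content match placed so that it straddles the default 2560-byte boundary is never seen when the chunk size is fixed, and is seen in roughly 97% of trials when the size is drawn from [0.9 * N, 1.1 * N], matching the analytic miss rate of (pattern length - 1) / 513. The function names, the '*' filler byte and the marker bytes are constructed for this example.

```python
import random

CHUNK_SIZE = 2560   # Suricata default chunk size N, as stated in the ticket
SPREAD_PCT = 10     # +/-10 %: random size drawn from [0.9 * N, 1.1 * N]


def chunk_bounds(base=CHUNK_SIZE, spread_pct=SPREAD_PCT):
    """Integer bounds of the randomised chunk size: (2304, 2816) for N = 2560."""
    return base * (100 - spread_pct) // 100, base * (100 + spread_pct) // 100


def random_chunk_size(rng, base=CHUNK_SIZE, spread_pct=SPREAD_PCT):
    lo, hi = chunk_bounds(base, spread_pct)
    return rng.randint(lo, hi)


def inspect_in_chunks(stream, chunk_size, pattern):
    """Model of chunk-wise inspection: each chunk is matched on its own,
    so a pattern split across two chunks is not seen by either inspection."""
    return any(pattern in stream[off:off + chunk_size]
               for off in range(0, len(stream), chunk_size))


def straddling_stream(pattern, boundary):
    """Constructed sample stream: filler (the ticket's 'padding', e.g. repeated
    IMAP CAPABILITY responses) sized so that `pattern` sits across `boundary`."""
    return b"*" * (boundary - len(pattern) // 2) + pattern


def evasion_probability(pattern_len, base=CHUNK_SIZE, spread_pct=SPREAD_PCT):
    """Analytic miss rate with a randomised size: the cut must fall strictly
    inside the pattern, i.e. pattern_len - 1 of the hi - lo + 1 possible cuts.
    Holds while the pattern is much shorter than the 512-byte window."""
    lo, hi = chunk_bounds(base, spread_pct)
    return (pattern_len - 1) / (hi - lo + 1)


def detection_rate(pattern, trials=2000, seed=1):
    """Return (seen_with_fixed_size, fraction_seen_with_random_size)."""
    rng = random.Random(seed)
    stream = straddling_stream(pattern, CHUNK_SIZE)
    fixed = inspect_in_chunks(stream, CHUNK_SIZE, pattern)
    hits = sum(inspect_in_chunks(stream, random_chunk_size(rng), pattern)
               for _ in range(trials))
    return fixed, hits / trials


if __name__ == "__main__":
    marker = b"MALICIOUS_MARKER"  # constructed 16-byte content match
    fixed, rate = detection_rate(marker)
    print(f"fixed N={CHUNK_SIZE}: seen={fixed}; random size: seen in {rate:.1%}, "
          f"predicted miss rate {evasion_probability(len(marker)):.2%}")
```

The residual miss rate shrinks with the randomisation window and grows with the length of the content match, so longer multi-byte matches benefit most from a wider range.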
Updated by Eric Leblond over 11 years ago
- Status changed from New to Closed
Implemented by https://github.com/inliniac/suricata/pull/346