Ticket: #4569
If a FIN+SYN packet is sent, the destination may keep the
connection alive instead of starting to close it.
In this case, a later SYN packet will be ignored by the
destination.
Previously, Suricata considered this a session reuse, and thus
used the sequence number of the last SYN packet, instead of
using the one of the live connection, leading to evasion.
This commit errors on FIN+SYN so that they do not get
processed as regular FIN packets.
(cherry picked from commit
6cb6225b28c5d8e616a420b7d05b129ba2845dc0)
# Packet on wrong thread. Fires at most once per flow.
alert tcp any any -> any any (msg:"SURICATA STREAM pkt seen on wrong thread"; stream-event:wrong_thread; sid:2210059; rev:1;)
-# next sid 2210060
+# Packet with FIN+SYN set
+alert tcp any any -> any any (msg:"SURICATA STREAM FIN SYN reuse"; stream-event:fin_syn; classtype:protocol-command-decode; sid:2210060; rev:1;)
+
+# next sid 2210061
{ "stream.fin2_invalid_ack", STREAM_FIN2_INVALID_ACK, },
{ "stream.fin_but_no_session", STREAM_FIN_BUT_NO_SESSION, },
{ "stream.fin_out_of_window", STREAM_FIN_OUT_OF_WINDOW, },
+ {
+ "stream.fin_syn",
+ STREAM_FIN_SYN,
+ },
{ "stream.lastack_ack_wrong_seq", STREAM_LASTACK_ACK_WRONG_SEQ, },
{ "stream.lastack_invalid_ack", STREAM_LASTACK_INVALID_ACK, },
{ "stream.rst_but_no_session", STREAM_RST_BUT_NO_SESSION, },
STREAM_FIN2_INVALID_ACK,
STREAM_FIN_BUT_NO_SESSION,
STREAM_FIN_OUT_OF_WINDOW,
+ STREAM_FIN_SYN,
STREAM_LASTACK_ACK_WRONG_SEQ,
STREAM_LASTACK_INVALID_ACK,
STREAM_RST_BUT_NO_SESSION,
return -1;
}
+ if (p->tcph->th_flags & TH_SYN) {
+ SCLogDebug("ssn %p: FIN+SYN", ssn);
+ StreamTcpSetEvent(p, STREAM_FIN_SYN);
+ return -1;
+ }
StreamTcpPacketSetState(p, ssn, TCP_CLOSE_WAIT);
SCLogDebug("ssn %p: state changed to TCP_CLOSE_WAIT", ssn);
projects / thirdparty / suricata.git / commitdiff
