From: Victor Julien Date: Wed, 24 Jan 2018 15:37:27 +0000 (+0100) Subject: stream: set event for suspected data injection during 3whs X-Git-Tag: suricata-4.0.4~13 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=660c1de7ba7657e32e89cea0b16d51b265eaeb6e;p=thirdparty%2Fsuricata.git stream: set event for suspected data injection during 3whs This rule matches on the STREAM_3WHS_ACK_DATA_INJECT event, which is set when: - we are in IPS mode - we get a data packet from the server - that packet matches the exact SEQ/ACK expectations for the 3whs The action of the rule is set to drop, as the stream engine will drop the packet anyway. So the rule action is not strictly needed, but for consistency it is drop. --- diff --git a/rules/stream-events.rules b/rules/stream-events.rules index fe4c6cb00e..21feab9dc8 100644 --- a/rules/stream-events.rules +++ b/rules/stream-events.rules 
@@ -15,6 +15,11 @@ alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake excessive diff
 alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYN resend different seq on SYN recv"; stream-event:3whs_syn_resend_diff_seq_on_syn_recv; classtype:protocol-command-decode; sid:2210008; rev:2;)
 alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYN to client on SYN recv"; stream-event:3whs_syn_toclient_on_syn_recv; classtype:protocol-command-decode; sid:2210009; rev:2;)
 alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake wrong seq wrong ack"; stream-event:3whs_wrong_seq_wrong_ack; classtype:protocol-command-decode; sid:2210010; rev:2;)
+# suspected data injection by sending data packet right after the SYN/ACK,
+# this to make sure network inspection reject tools reject it as it's
+# before the 3whs is complete. Only set in IPS mode. Drops unconditionally
+# in the code, so can't be made not to drop.
+drop tcp any any -> any any (msg:"SURICATA STREAM 3way handshake toclient data injection suspected"; flow:to_client; stream-event:3whs_ack_data_inject; classtype:protocol-command-decode; sid:2210057; rev:1;)
 alert tcp any any -> any any (msg:"SURICATA STREAM 4way handshake SYNACK with wrong ACK"; stream-event:4whs_synack_with_wrong_ack; classtype:protocol-command-decode; sid:2210011; rev:2;)
 alert tcp any any -> any any (msg:"SURICATA STREAM 4way handshake SYNACK with wrong SYN"; stream-event:4whs_synack_with_wrong_syn; classtype:protocol-command-decode; sid:2210012; rev:2;)
 alert tcp any any -> any any (msg:"SURICATA STREAM 4way handshake wrong seq"; stream-event:4whs_wrong_seq; classtype:protocol-command-decode; sid:2210013; rev:2;)
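Review bot: The comment above the new sid:2210057 rule is the only place in the rule set that explains this event, and its second line `# this to make sure network inspection reject tools reject it as it's` is garbled enough that a reader cannot tell what the evasion is. I would reword the four comment lines to: `# suspected data injection: a data packet sent to the client right after the SYN/ACK, before the 3whs completes, presumably to slip past inspection that only begins on established sessions. Only set in IPS mode; the stream engine drops the packet unconditionally, so the rule action cannot make it pass.` The intent ("presumably") is inferred from the commit message, so adjust if the evasion being targeted is a different one.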
@@ -81,5 +86,5 @@ alert tcp any any -> any any (msg:"SURICATA STREAM Packet is retransmission"; st
 # rule to alert if a stream has excessive retransmissions
 alert tcp any any -> any any (msg:"SURICATA STREAM excessive retransmissions"; flowbits:isnotset,tcp.retransmission.alerted; flowint:tcp.retransmission.count,>=,10; flowbits:set,tcp.retransmission.alerted; classtype:protocol-command-decode; sid:2210054; rev:1;)
-# next sid 2210057
+# next sid 2210058
diff --git a/src/decode-events.c b/src/decode-events.c
index 9d08284f5f..51548f1867 100644
--- a/src/decode-events.c
+++ b/src/decode-events.c
@@ -196,6 +196,7 @@ const struct DecodeEvents_ DEvents[] = {
 { "stream.3whs_syn_resend_diff_seq_on_syn_recv", STREAM_3WHS_SYN_RESEND_DIFF_SEQ_ON_SYN_RECV, },
 { "stream.3whs_syn_toclient_on_syn_recv", STREAM_3WHS_SYN_TOCLIENT_ON_SYN_RECV, },
 { "stream.3whs_wrong_seq_wrong_ack", STREAM_3WHS_WRONG_SEQ_WRONG_ACK, },
+ { "stream.3whs_ack_data_inject", STREAM_3WHS_ACK_DATA_INJECT, },
 { "stream.4whs_synack_with_wrong_ack", STREAM_4WHS_SYNACK_WITH_WRONG_ACK, },
 { "stream.4whs_synack_with_wrong_syn", STREAM_4WHS_SYNACK_WITH_WRONG_SYN, },
 { "stream.4whs_wrong_seq", STREAM_4WHS_WRONG_SEQ, },
diff --git a/src/decode-events.h b/src/decode-events.h
index c899c901f0..70afbd7a28 100644
--- a/src/decode-events.h
+++ b/src/decode-events.h
@@ -206,6 +206,7 @@ enum {
 STREAM_3WHS_SYN_RESEND_DIFF_SEQ_ON_SYN_RECV,
 STREAM_3WHS_SYN_TOCLIENT_ON_SYN_RECV,
 STREAM_3WHS_WRONG_SEQ_WRONG_ACK,
+ STREAM_3WHS_ACK_DATA_INJECT,
 STREAM_4WHS_SYNACK_WITH_WRONG_ACK,
 STREAM_4WHS_SYNACK_WITH_WRONG_SYN,
 STREAM_4WHS_WRONG_SEQ,
diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index 863cb3354f..e5b70f5eac 100644
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@@ -1814,9 +1814,17 @@ static int StreamTcpPacketStateSynRecv(ThreadVars *tv, Packet *p,
 * careful. */
 if (StreamTcpInlineMode()) {
+ if (p->payload_len > 0 &&
+ SEQ_EQ(TCP_GET_ACK(p), ssn->client.last_ack) &&
+ SEQ_EQ(TCP_GET_SEQ(p), ssn->server.next_seq)) {
+ /* packet loss is possible but unlikely here */
+ SCLogDebug("ssn %p: possible data injection", ssn);
+ StreamTcpSetEvent(p, STREAM_3WHS_ACK_DATA_INJECT);
+ return -1;
+ }
+
 SCLogDebug("ssn %p: ACK received in the wrong direction", ssn);
- StreamTcpSetEvent(p, STREAM_3WHS_ACK_IN_WRONG_DIR);
 return -1;
 }
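Review bot: The fallthrough path under the new block loses its event: the removed line `StreamTcpSetEvent(p, STREAM_3WHS_ACK_IN_WRONG_DIR);` is not replaced, so in inline mode a to-client packet in SYN_RECV that does not match the exact SEQ/ACK pattern is still dropped by the `return -1` but now without any stream event, and the corresponding stream-event rule will stop firing for this case. The commit message only describes the new injection event, so if dropping the wrong-direction event here is intentional it should be stated there; otherwise keep that line after the `SCLogDebug` so the drop stays visible in the event log. The comment `/* packet loss is possible but unlikely here */` would also be more useful if it named the loss that matters — presumably the client's 3whs ACK not having been seen by the engine even though it is inline — since that is the only way a legitimate server can hit this unconditional drop. StreamTcpPacketStateSynRecv starts and ends outside the hunk.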