Can't detect AMQ message

Hi,
I am trying to detect some byte in my pcap CVE-2015-5254_ActiveMQ_Deserialization.pcapng (7.7 KB), but Suricata can't detect the keyword (1a) in my pcap,


even using such loose rules:

alert ip  any any <> any any (msg:"111";  content:"|1a|";sid:10082; rev:1;)
alert tcp any any <> any any (msg:"111";  content:"|1a|";sid:10083; rev:1;)
alert tcp any any -> any any (msg:"111";  content:"|1a|";sid:10084; rev:1;)

After running Suricata, no alert appears.

┌──(hans㉿kali-xps)-[~/suricata-rules]
└─$ rm logs/*
┌──(hans㉿kali-xps)-[~/suricata-rules]
└─$ cat 1.rules 
alert ip  any any <> any any (msg:"111";  content:"|1a|";sid:10082; rev:1;)
alert tcp any any <> any any (msg:"111";  content:"|1a|";sid:10083; rev:1;)
alert tcp any any -> any any (msg:"111";  content:"|1a|";sid:10084; rev:1;)
┌──(hans㉿kali-xps)-[~/suricata-rules]
└─$ pwd
/home/hans/suricata-rules
┌──(hans㉿kali-xps)-[~/suricata-rules]
└─$ suricata -r pcap/CVE-2015-5254_ActiveMQ_Deserialization.pcapng -S ~/suricata-rules/1.rules -l ~/suricata-rules/logs/ -k none
10/3/2021 -- 23:28:14 - <Notice> - This is Suricata version 6.0.1 RELEASE running in USER mode
10/3/2021 -- 23:28:14 - <Notice> - all 5 packet processing threads, 4 management threads initialized, engine started.
10/3/2021 -- 23:28:14 - <Notice> - Signal Received.  Stopping engine.
10/3/2021 -- 23:28:14 - <Notice> - Pcap-file module read 1 files, 37 packets, 6147 bytes
┌──(hans㉿kali-xps)-[~/suricata-rules]
└─$ cat logs/fast.log 
┌──(hans㉿kali-xps)-[~/suricata-rules]
└─$ 

It’s CVE-2015-5254 ActiveMQ Deserialization
Can anyone help me? Thanks.

It seems the pcap is recorded with offloads enabled, and Suricata can’t figure it out. If you run it you will see this stat:

Also, if you enable the decode option in your eve.anomaly section you will get:

{
  "timestamp": "2021-03-09T09:05:35.778232+0100",
  "pcap_cnt": 22,
  "event_type": "anomaly",
  "src_ip": "",
  "src_port": 0,
  "dest_ip": "",
  "dest_port": 0,
  "proto": "",
  "anomaly": {
    "type": "decode",
    "event": "decoder.ipv4.iplen_smaller_than_hlen"
  }
}

On packet 22, the packet you’re trying to match in.

If we look in wireshark, a “TSO” warning stands out:
[Screenshot from 2021-03-10 16-19-04: Wireshark showing the TSO warning on packet 22]

So the pcap has an invalid length field in packet 22, probably because of offloads during the packet capture, and therefore Suricata rejects the packet as bad before its content is inspected.
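To see the decoder-level rejection described above without running Suricata, here is an added example (not code from the thread or from the Suricata project) that walks a classic pcap and flags every IPv4 packet whose total length field is smaller than its own header length, the condition behind `decoder.ipv4.iplen_smaller_than_hlen`. The pcap writer, the two sample frames and the 10.0.0.x addresses are constructed for the demonstration; the anomaly labels other than the one quoted from the thread are the script's own names modelled on Suricata's event naming.

```python
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
LINKTYPE_ETHERNET = 1


def check_ipv4_frame(frame: bytes) -> list:
    """Return decoder anomalies for one Ethernet frame (empty list means clean).

    Only 'ipv4.iplen_smaller_than_hlen' is taken verbatim from the thread; the
    other labels are this script's own, modelled on Suricata's naming."""
    if len(frame) < ETH_HDR_LEN:
        return ["ethernet.pkt_too_small"]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return []                                   # non-IPv4 is out of scope here
    ip = frame[ETH_HDR_LEN:]
    if len(ip) < 20:
        return ["ipv4.pkt_too_small"]
    if ip[0] >> 4 != 4:
        return ["ipv4.wrong_version"]
    hlen = (ip[0] & 0x0F) * 4                       # IHL is counted in 32-bit words
    total_len = struct.unpack("!H", ip[2:4])[0]
    anomalies = []
    if hlen < 20:
        anomalies.append("ipv4.hlen_too_small")
    if total_len < hlen:
        # The header claims fewer bytes than the header itself occupies: a
        # decoder stops here, so no content: keyword ever gets to run.
        anomalies.append("ipv4.iplen_smaller_than_hlen")
    elif total_len > len(ip):
        anomalies.append("ipv4.trunc_pkt")          # capture shorter than IP claims
    return anomalies


def build_pcap(frames, snaplen=65535) -> bytes:
    """Serialise Ethernet frames into a classic little-endian pcap (constructed input)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1615368000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_pcap_frames(data: bytes):
    """Yield (pcap_cnt, frame) from a classic pcap; pcapng is not parsed here."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (convert pcapng first)")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled")
    off, cnt = 24, 0
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        cnt += 1
        yield cnt, data[off:off + incl_len]
        off += incl_len


def scan_pcap(data: bytes) -> dict:
    """Map pcap_cnt -> anomalies for every frame the IPv4 decoder would reject."""
    findings = {}
    for cnt, frame in iter_pcap_frames(data):
        anomalies = check_ipv4_frame(frame)
        if anomalies:
            findings[cnt] = anomalies
    return findings


def build_ipv4_frame(payload: bytes, total_len=None) -> bytes:
    """Ethernet + minimal IPv4 header carrying payload; total_len can be forced
    to mimic an offload artefact. MACs/IPs are constructed, checksum left zero."""
    if total_len is None:
        total_len = 20 + len(payload)
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6,
                     0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + payload


def sample_frames():
    """Two constructed frames: a sane one, and one whose IP total length is 0,
    which is below the 20-byte header and therefore rejected at decode time."""
    payload = b"\x00\x50\xc0\x00" + b"\x00" * 16 + b"\x1a" * 4   # fake TCP header + 0x1a bytes
    return [build_ipv4_frame(payload), build_ipv4_frame(payload, total_len=0)]


if __name__ == "__main__":
    for cnt, anomalies in scan_pcap(build_pcap(sample_frames())).items():
        print(f"pcap_cnt={cnt}: {', '.join(anomalies)}")
```

Both sample frames carry the `|1a|` bytes the rules above look for, but only the first would ever reach content matching; the second is reported at pcap_cnt 2 just as the eve anomaly record reports pcap_cnt 22 in the thread. To run it on a real capture, pass `open(path, "rb").read()` to `scan_pcap`; a pcapng file first needs converting to classic pcap (for example with `editcap -F pcap in.pcapng out.pcap`), or the capture can simply be repeated with TSO disabled as the thread concludes.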

Appreciated!
After referencing this link and disabling TSO, then recapturing the pcap, everything works fine.
Learned a lot. :rose:


https://blog.73007300.xyz/?p=468