Custom Content Detection

Potentially,
I am currently more interested in porting this custom content detection into Suricata, as having to update the patches for newer commits can be a bit annoying.

As I’ve explained before, we added a patch to allow our custom Transformers access to the packet* (more interestingly, the Flow*); we would also like to discuss how we could potentially add this into Suricata.

Now for (another) bug we came across: let’s say I want to use a custom logger to log a TCP stream. The timestamp (which I get from the flow or the packet upon reassembly) does not correspond to the actual timestamp of the packet. This makes sense because the TCP reassembly is presumably dependent on receiving an ACK from the server, and only when this ACK has been received will it accept this chunk into its reassembly.

Now this is a clear problem, because TCP can have selective ACKs, which means that an acknowledgement might not be sent immediately upon receiving a packet; the first ‘ACK’ it then receives might be a data packet from the server.

At this point, both packets will be sent into reassembly, and flow->lastts and packet->ts will be incorrect for the client->server packet in the TCP reassembly handler, so the client->server packet time will be the same as the server->client packet time. Now when we log these packets to the database and then order by time, the order might be wrong as they have the same time, which can cause our post-traffic analysis tools to return undefined behaviour.

Apart from this, we also noticed another bug: when stream.checksum-validation is set to false, a packet will get the PKT_IGNORE_CHECKSUM flag.

Now, let’s say I still want to detect invalid checksums despite this validation being disabled. This is currently impossible without patches, because when this PKT_IGNORE_CHECKSUM flag is set, the checksum detection just returns cd->valid, which is taken from the rule and not from the packet. This makes all checksum rules useless when stream.checksum-validation is set to false.

Also, let’s say I do enable this; then all packets with an invalid checksum are not streamed through the TCP reassembler, so this doesn’t help me either.
A case where this might happen is when a router strips TCP options from a SYN packet and therefore the checksum might be incorrect, which we want to detect but not drop, which is impossible.
Simply put, I want all packets to pass the TCP reassembler, but still be able to detect wrong checksums.
This was easily done by commenting out all of the:

// if (p->flags & PKT_IGNORE_CHECKSUM) {
//     return cd->valid;
// }

in detect-csum.c
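To make the effect of that early return concrete, here is an added, self-contained C model of the behaviour described in the post. It is not Suricata's code: the Packet and DetectCsumData structs, the PKT_IGNORE_CHECKSUM bit value and the two detect functions are simplified stand-ins, and the TCP SYN segment and IP addresses are constructed sample data. The model shows that with the flag set (as happens when stream.checksum-validation is false) a checksum keyword such as tcpv4-csum:invalid can never fire, even on a segment whose checksum really is wrong, and that removing the early return makes the match depend on the packet again.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for Suricata's packet flag and keyword data (assumption:
 * not the real structs, just enough to model the code path discussed). */
#define PKT_IGNORE_CHECKSUM (1u << 0)

typedef struct {
    uint32_t flags;          /* PKT_* flags */
    const uint8_t *ip_src;   /* 4-byte IPv4 source address */
    const uint8_t *ip_dst;   /* 4-byte IPv4 destination address */
    const uint8_t *tcp;      /* TCP header plus payload */
    size_t tcp_len;
} Packet;

typedef struct {
    bool valid;  /* from the rule: tcpv4-csum:valid -> true, tcpv4-csum:invalid -> false */
} DetectCsumData;

/* RFC 1071 one's-complement accumulation over a byte buffer. */
static uint32_t csum_add(uint32_t sum, const uint8_t *buf, size_t len) {
    while (len > 1) { sum += ((uint32_t)buf[0] << 8) | buf[1]; buf += 2; len -= 2; }
    if (len) sum += (uint32_t)buf[0] << 8;
    return sum;
}

/* Fold the accumulator to 16 bits and complement it. */
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Sum of the IPv4 pseudo-header and the whole TCP segment (checksum field included). */
static uint32_t tcp_pseudo_sum(const Packet *p) {
    uint8_t pseudo[12] = {0};
    memcpy(pseudo, p->ip_src, 4);
    memcpy(pseudo + 4, p->ip_dst, 4);
    pseudo[9] = 6;                                   /* protocol: TCP */
    pseudo[10] = (uint8_t)(p->tcp_len >> 8);
    pseudo[11] = (uint8_t)(p->tcp_len & 0xff);
    return csum_add(csum_add(0, pseudo, sizeof pseudo), p->tcp, p->tcp_len);
}

/* A segment with a correct checksum sums to 0xffff, which folds to 0. */
bool tcp_checksum_ok(const Packet *p) {
    return csum_fold(tcp_pseudo_sum(p)) == 0;
}

/* Model of the unpatched keyword: with PKT_IGNORE_CHECKSUM set the packet is
 * never inspected and the result is just the rule's own flag. */
bool detect_tcpcsum_original(const Packet *p, const DetectCsumData *cd) {
    if (p->flags & PKT_IGNORE_CHECKSUM) {
        return cd->valid;
    }
    return tcp_checksum_ok(p) == cd->valid;
}

/* Model with the early return removed, as the post describes: always inspect. */
bool detect_tcpcsum_patched(const Packet *p, const DetectCsumData *cd) {
    return tcp_checksum_ok(p) == cd->valid;
}

static const uint8_t SRC_IP[4] = {10, 0, 0, 1};  /* constructed sample addresses */
static const uint8_t DST_IP[4] = {10, 0, 0, 2};

/* Build a constructed 20-byte TCP SYN (no options, no payload) into buf with a
 * correct checksum; if corrupt is true, flip one bit of the checksum afterwards. */
Packet make_sample_packet(uint8_t *buf, uint32_t flags, bool corrupt) {
    memset(buf, 0, 20);
    buf[0] = 0xc0; buf[1] = 0x00;     /* source port 49152 */
    buf[2] = 0x00; buf[3] = 0x50;     /* destination port 80 */
    buf[12] = 0x50;                   /* data offset 5 (20 bytes) */
    buf[13] = 0x02;                   /* SYN */
    buf[14] = 0xff; buf[15] = 0xff;   /* window */
    Packet p = { flags, SRC_IP, DST_IP, buf, 20 };
    uint16_t c = csum_fold(tcp_pseudo_sum(&p));  /* checksum field is still zero here */
    buf[16] = (uint8_t)(c >> 8);
    buf[17] = (uint8_t)(c & 0xff);
    if (corrupt) buf[17] ^= 0x01;
    return p;
}

/* Driver: mark the sample SYN PKT_IGNORE_CHECKSUM (as when stream.checksum-validation
 * is off) and ask whether a tcpv4-csum:invalid rule fires in the chosen code path. */
bool invalid_csum_rule_fires(bool patched, bool corrupt) {
    uint8_t buf[20];
    Packet p = make_sample_packet(buf, PKT_IGNORE_CHECKSUM, corrupt);
    DetectCsumData cd = { .valid = false };  /* rule asks for an invalid checksum */
    return patched ? detect_tcpcsum_patched(&p, &cd) : detect_tcpcsum_original(&p, &cd);
}

int main(void) {
    printf("original, corrupt segment: rule fires = %d\n", invalid_csum_rule_fires(false, true));
    printf("patched,  corrupt segment: rule fires = %d\n", invalid_csum_rule_fires(true, true));
    printf("patched,  good segment:    rule fires = %d\n", invalid_csum_rule_fires(true, false));
    return 0;
}
```

With the early return in place the corrupt SYN never matches; with it removed the same segment matches and a good segment still does not, which is the detection the post wants while leaving stream.checksum-validation disabled so that nothing is dropped.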