tcp: rejects FIN+SYN packets as invalid

Ticket: #4569 If a FIN+SYN packet is sent, the destination may keep the connection alive instead of starting to close it. In this case, a later SYN packet will be ignored by the destination. Previously, Suricata considered this a session reuse, and thus used the sequence number of the last SYN packet, instead of using the one of the live connection, leading to evasion. This commit errors on FIN+SYN so that they do not get processed as regular FIN packets.
4 years ago · 6cb6225b28
parent 50e2b973ee
commit 6cb6225b28
4 changed files with 14 additions and 1 deletions
--- a/rules/stream-events.rules
+++ b/rules/stream-events.rules
@ -91,5 +91,8 @@ alert tcp any any -> any any (msg:"SURICATA STREAM excessive retransmissions"; f
 # Packet on wrong thread. Fires at most once per flow.
 alert tcp any any -> any any (msg:"SURICATA STREAM pkt seen on wrong thread"; stream-event:wrong_thread; sid:2210059; rev:1;)

-# next sid 2210060
+# Packet with FIN+SYN set
+alert tcp any any -> any any (msg:"SURICATA STREAM FIN SYN reuse"; stream-event:fin_syn; classtype:protocol-command-decode; sid:2210060; rev:1;)
+
+# next sid 2210061

--- a/src/decode-events.c
+++ b/src/decode-events.c
@ -754,6 +754,10 @@ const struct DecodeEvents_ DEvents[] = {
            "stream.fin_out_of_window",
            STREAM_FIN_OUT_OF_WINDOW,
    },
+    {
+            "stream.fin_syn",
+            STREAM_FIN_SYN,
+    },
    {
            "stream.lastack_ack_wrong_seq",
            STREAM_LASTACK_ACK_WRONG_SEQ,
--- a/src/decode-events.h
+++ b/src/decode-events.h
@ -265,6 +265,7 @@ enum {
    STREAM_FIN2_INVALID_ACK,
    STREAM_FIN_BUT_NO_SESSION,
    STREAM_FIN_OUT_OF_WINDOW,
+    STREAM_FIN_SYN,
    STREAM_LASTACK_ACK_WRONG_SEQ,
    STREAM_LASTACK_INVALID_ACK,
    STREAM_RST_BUT_NO_SESSION,
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
@ -2813,6 +2813,11 @@ static int StreamTcpHandleFin(ThreadVars *tv, StreamTcpThread *stt,
            return -1;
        }

+        if (p->tcph->th_flags & TH_SYN) {
+            SCLogDebug("ssn %p: FIN+SYN", ssn);
+            StreamTcpSetEvent(p, STREAM_FIN_SYN);
+            return -1;
+        }
        StreamTcpPacketSetState(p, ssn, TCP_CLOSE_WAIT);
        SCLogDebug("ssn %p: state changed to TCP_CLOSE_WAIT", ssn);