CERTCC / PoC-Exploits

Select proof-of-concept exploits for software vulnerabilities to aid in identifying and testing vulnerable systems.

sid:1371257161 error

jnorell opened this issue · comments

Using the rules from https://github.com/CERTCC/PoC-Exploits/tree/master/vu-257161 I get this error:

<Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
<Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns any any -> any any (msg:"VU#257161:CVE-2020-11901 DNS malformed response to provide incorrect size for heap allocation error"; dsize:>128 ; app-layer-event:dns.malformed_data; sid:1371257161; rev:1;)" from file /path/to/custom.rules at line 26

I'm using suricata 5.0.2 (pfsense package).
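Added example, written for this page and not taken from the CERT/CC repository or from either participant in the thread: a small Python linter that flags the combination the error above describes (a packet-specific keyword such as dsize, flags or ttl together with app-layer matching, here the dns header protocol plus app-layer-event), run over the exact rule quoted in the error. The packet-level and app-layer keyword lists are taken from the error text; the one-rule-per-line file handling, the transport-protocol list and the plain-UDP sample rule are constructed assumptions, and the rewrite that drops dsize is offered only as one way to get a rule Suricata 5 will load, since it loosens the match.

```python
"""Lint Suricata rules for the mix that Suricata 5 rejects with
SC_ERR_INVALID_SIGNATURE(39): packet-specific keywords combined with
app-layer (stream/state) matching.  Keyword lists follow the error text on
this page; file handling is simplified to one rule per line (assumption)."""
import re

# Packet-level keywords named in the Suricata error message.
PACKET_KEYWORDS = {"dsize", "flags", "ttl"}
# Header protocols that are pure network/transport layers (assumed list);
# anything else (dns, http, tls, ...) makes the signature an app-layer one.
TRANSPORT_PROTOS = {"ip", "ip4", "ip6", "tcp", "udp", "icmp", "sctp"}

RULE_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\S+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*"
    r"\((?P<options>.*)\)\s*$"
)


def split_options(body):
    """Split the option body on ';' outside double quotes into
    (keyword, value) pairs; value is None for flag-style keywords."""
    parts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        parts.append("".join(cur))
    pairs = []
    for part in parts:
        part = part.strip()
        if part:
            key, sep, value = part.partition(":")
            pairs.append((key.strip(), value.strip() if sep else None))
    return pairs


def is_app_layer_keyword(keyword):
    """Keywords that force stream/state matching per the error text:
    app-layer-event and the http_* / http.* buffers."""
    return keyword == "app-layer-event" or keyword.startswith(("http_", "http."))


def lint_rule(rule):
    """Describe whether one rule mixes packet-specific and app-layer
    matching; 'ok' is False when Suricata 5 would refuse to load it."""
    m = RULE_RE.match(rule)
    if not m:
        return {"ok": False, "sid": None, "packet_keywords": [],
                "app_layer": False, "reason": "unparseable rule"}
    opts = split_options(m.group("options"))
    packet_kws = sorted({k for k, _ in opts if k in PACKET_KEYWORDS})
    app_layer = (m.group("proto").lower() not in TRANSPORT_PROTOS
                 or any(is_app_layer_keyword(k) for k, _ in opts))
    result = {"sid": dict(opts).get("sid"), "packet_keywords": packet_kws,
              "app_layer": app_layer, "ok": True, "reason": ""}
    if packet_kws and app_layer:
        result["ok"] = False
        result["reason"] = ("packet-specific keyword(s) %s combined with "
                            "app-layer matching" % ", ".join(packet_kws))
    return result


def strip_packet_keywords(rule):
    """Rewrite the rule without its packet-specific options so the
    app-layer match stands alone.  This loosens the rule (the size check
    is gone); whether that is acceptable is the rule author's call."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unparseable rule")
    kept = [k if v is None else "%s:%s" % (k, v)
            for k, v in split_options(m.group("options"))
            if k not in PACKET_KEYWORDS]
    body = "; ".join(kept) + ";"
    return rule[:m.start("options")] + body + rule[m.end("options"):]


def lint_rules(text):
    """Lint a rules file (one rule per line, '#' comments skipped) and
    return (line_number, result) for each rule that would be rejected."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        result = lint_rule(line)
        if not result["ok"]:
            findings.append((lineno, result))
    return findings


# The rule quoted in the error message on this page, and a constructed
# plain-UDP rule that uses dsize without app-layer matching (which is fine).
PAGE_RULE = ('alert dns any any -> any any (msg:"VU#257161:CVE-2020-11901 DNS '
             'malformed response to provide incorrect size for heap allocation '
             'error"; dsize:>128 ; app-layer-event:dns.malformed_data; '
             'sid:1371257161; rev:1;)')
UDP_RULE = ('alert udp any 53 -> any any (msg:"constructed dsize-only rule"; '
            'dsize:>128; sid:1000001; rev:1;)')

if __name__ == "__main__":
    for lineno, res in lint_rules("# comment\n" + PAGE_RULE + "\n" + UDP_RULE):
        print("line %d sid %s: %s" % (lineno, res["sid"], res["reason"]))
    print(strip_packet_keywords(PAGE_RULE))
```

Running the block reports the page's rule (line 2 of the constructed file, sid 1371257161) and prints the same rule with dsize removed; the UDP-only rule passes because nothing in it selects an app-layer protocol or state keyword.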

Hello @jnorell, I have tested this with a malformed DNS packet like this on a default suricata install on a stock Ubuntu box in our lab. Below is my test, including the suricata version:

vss@CERTLAB: suricata -V
This is Suricata version 3.2 RELEASE
vss@CERTLAB: suricata -k none -c /etc/suricata/suricata.yaml  -s vu-257161.rules -r malformed_dns.pcap
24/6/2020 -- 17:21:46 - <Notice> - This is Suricata version 3.2 RELEASE
24/6/2020 -- 17:21:46 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
24/6/2020 -- 17:21:46 - <Notice> - Signal Received.  Stopping engine.
24/6/2020 -- 17:21:47 - <Notice> - Pcap-file module read 6 packets, 5860 bytes
vss@CERTLAB: cat /var/log/suricata/fast.log
06/07/2020-17:42:40.357435  [**] [1:1371257161:1] VU#257161:CVE-2020-11901 DNS malformed response to provide incorrect size for heap allocation error [**] [Classification: (null)] [Priority: 3] {UDP} 127.0.0.1:53 -> 127.0.0.1:50435
vss@CERTLAB: tcpdump -c 2 -pnnnvvr malformed_dns.pcap
reading from file malformed_dns.pcap, link-type EN10MB (Ethernet)
17:42:40.342902 IP (tos 0x0, ttl 64, id 40250, offset 0, flags [none], proto UDP (17), length 56)
    127.0.0.1.50435 > 127.0.0.1.53: [bad udp cksum 0xfe37 -> 0xf4d9!] 33972+ A? www.xt.com. (28)
17:42:40.357435 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto UDP (17), length 1416)
    127.0.0.1.53 > 127.0.0.1.50435: [udp sum ok] 33972- [2q] q: A? www.xt.com., q: A? AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.^@^@^@^@???????????????????????????????????????????????????????????.???????????????????????????????????????????????????????????????.???????????????????????????????????????????????????????????????.???????????????????????????????????????????????????????????????.??????????????????????????????????????????????????????????
Hello Jesse,

Hope you were able to solve your issue with an upgrade of Suricata. Please reopen this issue if you still have a problem.