[Oisf-users] Fwd: UC Study highlights major cybersecurity threat

Peter Manev petermanev at gmail.com
Tue Aug 30 21:26:36 UTC 2016

On Thu, Aug 18, 2016 at 1:53 AM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> Copied message from the emerging-sigs list re: using suricata to detect
> out-of-band attacks against the Linux TCP stack.
> As an aside, this caused me to revisit my process for detecting SYN
> floods.  Does anyone know if its possible to extract information re: SYN
> packet rates and/or flow timeouts from the stream engine?
> -Coop
> -------- Original Message --------
> Subject: UC Study highlights major cybersecurity threat
> Date: Wed, 17 Aug 2016 17:47:54 -0700
> From: Cooper F. Nelson <cnelson at ucsd.edu>
> To: Emerging Sigs <emerging-sigs at emergingthreats.net>
> UC researchers have discovered a security vulnerability present in the
> TCP implementation of modern Linux kernels (3.6 and higher).  Details
> linked below:
>> http://www.universityofcalifornia.edu/news/study-highlights-major-cybersecurity-threat
> This is a timed side-channel attack that can be used to passively
> extract information from an established client/server TCP session.
> After reading the paper I put together two simple suricata signatures
> based on existing behavioral analysis signatures that should detect this
> (still needs to be tested, though).  One using the 'flags' keyword and
> another using the stream tracker (which will probably be more efficient).
>> alert tcp any any -> any any (msg:"LOCAL RST flood, possible timed side channel attack"; flags:R; threshold: type both, track by_dst, count 50, seconds 1; classtype:misc-activity; sid:9;)
>> alert tcp any any -> any any (msg:"SURICATA STREAM RST flood, possible timed side-channel attack"; threshold: type both, track by_src, count 50, seconds 1; stream-event:rst_invalid_ack; sid:2210050; rev:1;)
> A word of warning, the first signature has a fairly high CPU overhead as
> every TCP packet is being evaluated.

Just on time it seems for this scenario's signature - you might want
to give this a try -
https://github.com/inliniac/suricata/pull/2207 (which is an upgrade of
the one here - https://github.com/inliniac/suricata/pull/2192 )
Example: https://github.com/inliniac/suricata/pull/2207/commits/b2f58f587d0b161fd643db2553ba96c41bc2b6da

Feedback is welcome.

> --
> Cooper Nelson
> Network Security Analyst
> UCSD ITS Security Team
> cnelson at ucsd.edu x41042
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net

Peter Manev

More information about the Oisf-users mailing list