Skip to content

Possible TCP signature generation issue due to type mismatch #10

New issue
New issue
Open
Open
Possible TCP signature generation issue due to type mismatch#10
@boazwasserman

Description

@boazwasserman
boazwasserman
opened on Mar 14, 2021

There are many TCP signatures which have the 'T' oddity, for example in the signature below:

satori/fingerprints/tcp.xml

Line 1014 in 0637823

<test weight="5" matchtype="exact" tcpflag="S" tcpsig="8192:128:1:52:M1380,N,W8,N,N,S:T"/>

By looking at the code that generates these oddities, I noticed that the 'T' oddity is added in one of two cases:

  1. The TCP packet is a syn/ack packet and the 'T' option was identified in the TCP options
  2. The TCP packet is a syn packet and the tcpTimeStampEchoReply != 0

The potential issue is in the second case:

satori/satoriTCP.py

Lines 225 to 226 in 0637823

if (_tcp_flags == 'S' and _options_er != 0):
odd = odd + 'T'

where the variable _options_er holds the echo reply value from the TCP options.

The tcpTimeStampEchoReply value is defined to be '' (an empty string) and is only populated if the TCP timestamps option is found within the parsed TCP options. However, the check for syn packets checks whenever this value is != 0 as seen above. So this check will evaluate to true for all syn packets that do not have the TCP timestamps option, because in those cases tcpTimeStampEchoReply == '' != 0.

I wanted to ask and verify whether or not this is the expected and intended behavior, as it affects which packets are parsed to signatures that have the 'T' oddity.

Thanks!

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions