Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Possible TCP signature generation issue due to type mismatch #10

Open
boazwasserman opened this issue Mar 14, 2021 · 1 comment
Open

Possible TCP signature generation issue due to type mismatch #10

boazwasserman opened this issue Mar 14, 2021 · 1 comment

Comments

@boazwasserman
Copy link

There are many TCP signatures which have the 'T' oddity, for example in the signature below:

satori/fingerprints/tcp.xml

Line 1014 in 0637823

<test weight="5" matchtype="exact" tcpflag="S" tcpsig="8192:128:1:52:M1380,N,W8,N,N,S:T"/>

By looking at the code that generates these oddities, I noticed that the 'T' oddity is added in one of two cases:

  1. The TCP packet is a syn/ack packet and the 'T' option was identified in the TCP options
  2. The TCP packet is a syn packet and the tcpTimeStampEchoReply != 0

The potential issue is in the second case:

satori/satoriTCP.py

Lines 225 to 226 in 0637823

if (_tcp_flags == 'S' and _options_er != 0):
odd = odd + 'T'

where the variable _options_er holds the echo reply value from the TCP options.

The tcpTimeStampEchoReply value is defined to be '' (an empty string) and is only populated if the TCP timestamps option is found within the parsed TCP options. However, the check for syn packets checks whenever this value is != 0 as seen above. So this check will evaluate to true for all syn packets that do not have the TCP timestamps option, because in those cases tcpTimeStampEchoReply == '' != 0.

I wanted to ask and verify whether or not this is the expected and intended behavior, as it affects which packets are parsed to signatures that have the 'T' oddity.

Thanks!
@xnih
Copy link
Owner

xnih commented Mar 15, 2021
edited
Loading

This code was written and initially based off my understanding of p0f v1 back in the early 2000's:

  • Quirks section is usually an empty list ('.') of oddities or bugs of this
  • particular stack. List items are not separated in any way. Possible values:
  • P - options past EOL,
  • Z - zero IP ID,
  • I - IP options specified,
  • U - urg pointer non-zero,
  • X - unused (x2) field non-zero,
  • A - ACK number non-zero,
  • T - non-zero second timestamp,
  • F - unusual flags (PUSH, URG, etc),
  • D - data payload,
  • ! - broken options segment.

T = "non-zero second timestamp" there, but with that said it sounds like it really needs looked at and potentially rewritten to do what was actually desired here. Though with that said the fingerprints still should be accurate here so even with the bug it hopefully isn't causing any actual issues with detection.

Thanks for the deep dive and information here, it gives me some good starting points!

@xnih xnih mentioned this issue Oct 27, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@xnih @boazwasserman