Impact
When parsing an overly long SSH banner, Suricata can use excessive CPU resources, as well as cause excessive logging volume in alert records.
Patches
Upgrade to 7.0.4 or 6.0.17.
Workarounds
There are several possible workarounds.
Use a rule to bypass the flow when an overly long SSH banner arrives like :
alert ssh any any -> any any (msg:"SURICATA SSH too long banner"; flow:established; app-layer-event:ssh.long_banner; classtype:protocol-command-decode; sid:2228001; rev:2; bypass;)
Alternatively, there are several things that help avoid or reduce the issue:
- disable ssh parser (avoid)
- set a low
stream.reassembly.depth value (reduce)
- disable EVE ssh logging (reduce)
References
https://redmine.openinfosecfoundation.org/issues/6800 (6.0.x)
https://redmine.openinfosecfoundation.org/issues/6801 (7.0.x)
Credits
Found using quadfuzz on Oss-Fuzz.
Impact
When parsing an overly long SSH banner, Suricata can use excessive CPU resources, as well as cause excessive logging volume in alert records.
Patches
Upgrade to 7.0.4 or 6.0.17.
Workarounds
There are several possible workarounds.
Use a rule to bypass the flow when an overly long SSH banner arrives like :
alert ssh any any -> any any (msg:"SURICATA SSH too long banner"; flow:established; app-layer-event:ssh.long_banner; classtype:protocol-command-decode; sid:2228001; rev:2; bypass;)Alternatively, there are several things that help avoid or reduce the issue:
stream.reassembly.depthvalue (reduce)References
https://redmine.openinfosecfoundation.org/issues/6800 (6.0.x)
https://redmine.openinfosecfoundation.org/issues/6801 (7.0.x)
Credits
Found using quadfuzz on Oss-Fuzz.