Quantum Insert detection for Suricata
Suricata can already detect QUANTUMINSERT-like attacks out of the box using the
reassembly-overlap stream-event; combining that event with a signature that
matches an HTTP 302 redirect makes it easy to flag malicious HTTP redirects.
Victor Julien shared the following signatures for detecting
alert tcp any any -> any any (msg:"SURICATA STREAM reassembly overlap with different data"; stream-event:reassembly_overlap_different_data; classtype:protocol-command-decode; sid:2210050; rev:2;)

alert tcp any any -> any any (msg:"LOCAL QI 302 and possible inject"; stream-event:reassembly_overlap_different_data; content:"302"; http_stat_code; classtype:protocol-command-decode; sid:12345; rev:2;)
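As an added illustration of the condition the stream-event above keys on (example code, not from Suricata or from the signatures' author): a small Python checker over constructed TCP segments that flags overlapping sequence ranges whose bytes differ and, like the second signature, notes when a segment involved in such a conflict carries an HTTP 302 status line. The Segment layout and the sample data are assumptions.

```python
"""Toy model of the reassembly-overlap-with-different-data condition:
two TCP segments on one flow cover the same sequence range but carry
different bytes. Added example; constructed data, not Suricata code."""
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int          # TCP sequence number of the first payload byte
    payload: bytes


def overlapping_range(a: Segment, b: Segment):
    """Return (start, end) of the sequence range both segments cover, or None."""
    start = max(a.seq, b.seq)
    end = min(a.seq + len(a.payload), b.seq + len(b.payload))
    return (start, end) if start < end else None


def find_conflicting_overlaps(segments):
    """Return index pairs (i, j) of segments whose shared bytes differ.
    Identical overlaps (plain retransmissions) are not reported."""
    findings = []
    for i, a in enumerate(segments):
        for j in range(i + 1, len(segments)):
            b = segments[j]
            rng = overlapping_range(a, b)
            if rng is None:
                continue
            start, end = rng
            if a.payload[start - a.seq:end - a.seq] != b.payload[start - b.seq:end - b.seq]:
                findings.append((i, j))
    return findings


def is_http_302(data: bytes) -> bool:
    """True if the bytes begin with an HTTP status line carrying code 302."""
    parts = data.split(b"\r\n", 1)[0].split(b" ")
    return len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1] == b"302"


def classify(segments):
    """'clean', 'overlap' (sid 2210050 analogue) or 'overlap+302' (sid 12345 analogue)."""
    hits = find_conflicting_overlaps(segments)
    if not hits:
        return "clean"
    involved = {k for pair in hits for k in pair}
    return "overlap+302" if any(is_http_302(segments[k].payload) for k in involved) else "overlap"


# Constructed sample: the real 200 response and a racing segment at the same
# sequence number carrying a 302 redirect to a placeholder host.
SAMPLE = [
    Segment(1000, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    Segment(1000, b"HTTP/1.1 302 Found\r\nLocation: http://example.invalid/\r\n\r\n"),
]
```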