Switch branches/tags
Nothing to show
Find file History
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
..
Failed to load latest commit information.
README.md

README.md

Quantum Insert detection for Suricata

Suricata can already detect QUANTUMINSERT like attacks out of the box, using the stream-event called reassembly_overlap_different_data.

Combining the stream-event with a signature detecing a HTTP 302 redirect one could easily detect malicious HTTP redirects.

Ofcourse the payload could also contain other content, such as malicious javascript.

Signatures

Victor Julien shared the following signatures for detecting QUANTUMINSERT:

alert tcp any any -> any any (msg:"SURICATA STREAM reassembly overlap with different data"; stream-event:reassembly_overlap_different_data; classtype:protocol-command-decode; sid:2210050; rev:2;)
alert tcp any any -> any any (msg:"LOCAL QI 302 and possible inject"; stream-event:reassembly_overlap_different_data; content:"302"; http_stat_code; classtype:protocol-command-decode; sid:12345; rev:2;)

References