An issue was discovered in Suricata 5.0.0. It is possible to bypass or evade
any TCP-based signature by overlapping a TCP segment with a fake FIN packet.
The fake FIN packet is injected just before the PSH/ACK packet that carries the
data to be hidden, using the same sequence and acknowledgement numbers as that
packet. Suricata accepts the fake FIN and then ignores the real PSH/ACK packet
(the one containing the data) because it overlaps the FIN segment. The
receiving client ignores the fake FIN because its ACK flag is not set, so the
data reaches the endpoint without ever being matched against the signature.
Both Linux and Windows clients ignore the injected packet.
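To make the divergence concrete, the following is an added model written for this page; it is not Suricata's code and is not part of the advisory. It tracks one direction of a TCP stream under two simplified acceptance policies: "ids" behaves as the description says Suricata 5.0.0 does (a FIN is accepted on its sequence number alone, and a later segment overlapping accepted sequence space is ignored), and "host" behaves as the description says Linux and Windows do (a segment without the ACK flag is dropped). The sequence numbers, the HTTP payload and the signature string are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment, payload-bearing direction only (constructed sample)."""
    seq: int
    ack: int
    flags: frozenset
    payload: bytes = b""


class StreamTracker:
    """Minimal one-direction stream tracker with two acceptance policies.

    policy="ids"  models the reassembler behaviour described above: a FIN is
                  accepted on its sequence number alone and a later segment
                  overlapping already-accepted sequence space is ignored.
    policy="host" models the Linux/Windows endpoint: a segment without the
                  ACK flag is dropped before it touches the stream.
    Both policies are simplifications written for this example.
    """

    def __init__(self, policy, isn):
        if policy not in ("ids", "host"):
            raise ValueError(f"unknown policy {policy!r}")
        self.policy = policy
        self.next_seq = isn      # next expected sequence number
        self.data = bytearray()  # reassembled payload handed to detection
        self.log = []            # per-segment decisions, for inspection

    def feed(self, seg):
        if self.policy == "host" and "ACK" not in seg.flags:
            self.log.append(f"seq={seg.seq} dropped: ACK flag not set")
            return False
        if seg.seq < self.next_seq:
            # Overlaps bytes (or a FIN) already accepted: whole segment ignored,
            # which is the behaviour the description attributes to Suricata.
            self.log.append(f"seq={seg.seq} ignored: overlaps accepted data")
            return False
        if seg.seq > self.next_seq:
            self.log.append(f"seq={seg.seq} ignored: gap before segment")
            return False
        self.data += seg.payload
        self.next_seq += len(seg.payload)
        if "FIN" in seg.flags:
            self.next_seq += 1   # a FIN occupies one sequence number
        self.log.append(f"seq={seg.seq} accepted flags={sorted(seg.flags)}")
        return True


SIGNATURE = b"/cgi-bin/evil"   # stand-in for any content-based rule (constructed)


def evasion_sequence(isn, ack):
    """The injection described above: a fake FIN without ACK, immediately
    followed by the real PSH/ACK, both with identical seq and ack numbers."""
    payload = b"GET /cgi-bin/evil HTTP/1.1\r\n"   # constructed sample payload
    fake_fin = Segment(isn, ack, frozenset({"FIN"}))
    real_data = Segment(isn, ack, frozenset({"PSH", "ACK"}), payload)
    return [fake_fin, real_data]


def reassemble(policy, segments, isn):
    """Return (reassembled bytes, decision log) for the given policy."""
    tracker = StreamTracker(policy, isn)
    for seg in segments:
        tracker.feed(seg)
    return bytes(tracker.data), tracker.log


def signature_fires(policy, segments, isn):
    data, _ = reassemble(policy, segments, isn)
    return SIGNATURE in data


if __name__ == "__main__":
    pkts = evasion_sequence(isn=1000, ack=5000)
    for policy in ("ids", "host"):
        data, log = reassemble(policy, pkts, 1000)
        print(f"{policy}: data={data!r} signature fires={SIGNATURE in data}")
        for line in log:
            print("   ", line)
```

Run as-is, the "ids" tracker accepts the fake FIN, discards the overlapping PSH/ACK and hands an empty stream to detection, while the "host" tracker drops the FIN and delivers the full request; feeding only the PSH/ACK (no fake FIN) to the "ids" tracker makes the signature fire, which is the control case showing that the fake FIN alone causes the miss. The general lesson is that a reassembler must apply the same acceptance rules as the endpoint it protects; how Suricata itself addressed this is not stated on this page.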
Status of the affected package in each Ubuntu release (DNE: the package does not exist in that release; needs-triage: not yet assessed):
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): needs-triage
Ubuntu 18.04 LTS (Bionic Beaver): needs-triage
Ubuntu 19.10 (Eoan Ermine): needs-triage
Ubuntu 20.04 (Focal Fossa): DNE
Updated: 2020-01-29 18:59:34 UTC (commit 40f18bf14da5fb50662e1f861ea594a462b207fe)