FINS false positives

Question

FINS false positives

IvanNardi opened this issue 10 months ago · 3 comments

The heuristic of FINS for UDP flows is quite weak and it triggers some false positives.
Some examples:
fins_1.pcap: it is an unidirectional ESP flow
fins_2.pcap: it is an unidirectional QUIC (GQUIC) flow
fins_3.pcap: it is a STUN/RTP flow
fins_4.pcap: it s a RTP bidirectional flow

fins_false_positives.zip

I don't know the FINS protocol and I don't have other traces of it, so I don't know the best way to fix that...
Some random thoughts:

dissect it only on the default port 9600
look for multiple (4-5?) consecutive packets matching the pattern

Answer 1 · 2023-11-27T18:03:00.000Z

@0xA50C1A1, could you take a look, please?

Answer 2 · 2023-11-27T18:20:57.000Z

@0xA50C1A1, could you take a look, please?

Yeah, I have some thoughts on how to fix it.

Answer 3 · 2023-11-27T18:35:59.000Z

Done. Well, at least no more false positives on these samples. If there are false positives on other samples, it makes sense to add a check of the Service ID field - its value must match for request and response packets.