Open Information Security Foundation · Suricata · CVE-2017-15377
**Name of the Vulnerable Software and Affected Versions**
Suricata versions prior to 4.x
**Description**
The issue is in the DetectEngineContentInspection component of Suricata and can be triggered by crafted network traffic with a certain signature. The search engine fails to stop when it should after no match is found, and instead stops only upon reaching the inspection-recursion-limit, which is 3000 by default. The result is a large number of redundant checks on the content, which an attacker could exploit with specially crafted network traffic to cause a denial of service.
**Recommendations**
For Suricata versions prior to 4.x, consider updating to version 4.x or later to resolve the issue. As a temporary workaround, consider lowering the inspection-recursion-limit to reduce the number of checks a single inspection can perform and so minimize the risk of exploitation. Restrict access to the DetectEngineContentInspection component to minimize the risk of denial of service attacks.
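One way to check a sensor against both recommendations, as an added example that is not part of the original advisory or the Suricata project: it reads a version banner and the text of the configuration file, then reports whether an upgrade is due and whether the inspection-recursion-limit workaround is in place. The banner text, the `detect-engine` YAML layout, the function names and the `max_limit` threshold are assumptions of this example; choose the threshold per site, as the advisory names no specific value.

```python
import re

DEFAULT_LIMIT = 3000  # default named in the advisory

# Accepts the key as a list item ("- key: N") or a mapping entry ("key: N").
# Commented-out lines start with '#' and therefore do not match.
_LIMIT_RE = re.compile(
    r"^[ \t]*(?:-[ \t]*)?inspection-recursion-limit[ \t]*:[ \t]*(-?\d+)[ \t]*(?:#.*)?$",
    re.MULTILINE,
)
_VERSION_RE = re.compile(r"version\s+(\d+)\.\d+")

# Constructed sample inputs (not taken from a real sensor).
SAMPLE_BANNER = "This is Suricata version 3.2.1 RELEASE"
SAMPLE_YAML = """\
detect-engine:
  - profile: medium
  # - inspection-recursion-limit: 100
  - inspection-recursion-limit: 3000
"""

def configured_limit(yaml_text):
    """Effective limit: last uncommented occurrence (assumed to win), else the default."""
    values = _LIMIT_RE.findall(yaml_text)
    return int(values[-1]) if values else DEFAULT_LIMIT

def major_version(banner):
    match = _VERSION_RE.search(banner)
    if match is None:
        raise ValueError("no version number in banner: %r" % banner)
    return int(match.group(1))

def audit(banner, yaml_text, max_limit):
    """Return findings for one sensor; an empty list means no action needed."""
    if major_version(banner) >= 4:
        return []
    findings = ["upgrade: version is prior to 4.x"]
    limit = configured_limit(yaml_text)
    if limit <= 0:
        # Assumption of this example: a non-positive value is not a usable cap.
        findings.append("workaround: limit %d does not cap recursion" % limit)
    elif limit > max_limit:
        findings.append("workaround: limit %d exceeds site maximum %d" % (limit, max_limit))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_BANNER, SAMPLE_YAML, max_limit=500):
        print(finding)
```

A missing key is reported with the default of 3000, so a configuration that never mentions the setting is still flagged as lacking the workaround.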