Snort mailing list archives
flow:established still broken in 2.9.0.5? (was:FP shows snort-2.9.0.3 confused over packets and sessions)
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Wed, 29 Jun 2011 20:49:30 +1200
Hi there,

We're still seeing the problem under 2.9.0.5 where snort misclassifies a packet in the middle of a TCP stream as being the first packet and matches against that. e.g. we just had the following FP:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Inject.ajq Initial Checkin to CnC packet 2"; flow:established,to_server; content:"|07|F"; depth:2; flowbits:isset,ET.inj.ajq.1; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008056; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Win32.Inject; sid:2008056; rev:4;)

It has "flow:established" and 'content:"|07|F"; depth:2'. So that should mean it can only alert IFF the *first two bytes* of the tcp stream are '|07|F'. However, we had it trigger in the middle of an HTTPS session (via a proxy on port 3128 - which we've defined as HTTP_PORTS). The packet it matched on was 1260 bytes in size and indeed began with those two bytes.

We've seen this in earlier releases as well as 2.9.0.5. Is this a known problem? I didn't get any feedback last time I brought this up.

Thanks

Jason

On 12/05/11 13:50, Jason Haar wrote:
> On 10/05/11 19:42, rmkml wrote:
>> Hi Jason,
>> I suggest replacing `depth:4;` with `http_method;`; that works in my test.
>> I have another suggestion: replace `isdataat:200,relative;` with `isdataat:200,relative; content:!"|0A|"; within:200;`.
>> I have yet another suggestion: in the pcre, replace `(?!\n)` with `(?!\r?\n)`.
>
> I think your suggested changes make a lot of sense, but that wasn't really my point. Why did a "depth:4" rule match *inside* a stream instead of the *beginning* of a stream?
>
>> Please upgrade to snort v2.9.0.5.
>
> Is there a stream5 bug in 2.9.0.3 that caused this? Changelog doesn't show anything. My understanding of how snort merges packets into streams is contradicted by this event: either my understanding is incorrect, or there's a bug(?)
-- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please see http://www.snort.org/docs for documentation
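Added example (not from the thread, and not Snort's own code): a small Python model of how the rule quoted in the message above is evaluated. In Snort, `depth:N` limits the `content` search to the first N bytes of the buffer currently being inspected (a single packet payload, or a chunk handed over by stream5 reassembly), and `flow:established,to_server` only requires that the session is past the handshake and that the packet travels client-to-server. Neither option anchors the match to the first bytes of the TCP session, so any client segment whose payload starts with 07 46 satisfies the rule once the flowbit is set. The addresses, ports, TLS-like segments and the 1260-byte segment below are constructed; the flowbit ET.inj.ajq.1 is pre-set in one run to stand in for the "packet 1" rule, which does not appear on this page.

```python
"""
Added model of Snort rule evaluation for sid:2008056 (not Snort source).
It shows that `content` + `depth` is checked per inspected buffer, not
against the start of the TCP session.
"""
from dataclasses import dataclass, field

# Constructed addresses and ports for the model (not from the thread).
CLIENT = "10.0.0.5"      # a $HOME_NET host
PROXY = "192.0.2.10"     # the $EXTERNAL_NET proxy
HTTP_PORTS = {80, 3128}  # the poster added 3128 to HTTP_PORTS


@dataclass
class Session:
    client: str
    server: str
    server_port: int
    established: bool = False          # true once the 3-way handshake was seen
    flowbits: set = field(default_factory=set)


@dataclass
class Segment:
    src: str        # sender address; to_server means src == session.client
    payload: bytes  # the buffer the rule engine inspects


def content_depth_match(payload: bytes, pattern: bytes, depth: int) -> bool:
    # depth:N bounds the search to the first N bytes of THIS buffer only.
    return pattern in payload[:depth]


def rule_2008056(sess: Session, seg: Segment) -> bool:
    # flow:established,to_server
    if not (sess.established and seg.src == sess.client):
        return False
    # -> $EXTERNAL_NET $HTTP_PORTS
    if sess.server_port not in HTTP_PORTS:
        return False
    # flowbits:isset,ET.inj.ajq.1
    if "ET.inj.ajq.1" not in sess.flowbits:
        return False
    # content:"|07|F"; depth:2;
    return content_depth_match(seg.payload, b"\x07F", depth=2)


def run_session(segments, flowbit_preset: bool):
    """Return the indices of segments that would raise the alert.
    The session is modelled as already established (handshake assumed)."""
    sess = Session(CLIENT, PROXY, 3128, established=True)
    if flowbit_preset:
        # Stands in for the unseen "packet 1" rule having fired earlier.
        sess.flowbits.add("ET.inj.ajq.1")
    return [i for i, seg in enumerate(segments) if rule_2008056(sess, seg)]


def proxied_tls_session():
    """Constructed segments resembling the poster's description: a CONNECT
    through a proxy on 3128, TLS records, and then a 1260-byte client
    segment that happens to start with 07 46 in the middle of the stream."""
    mid_stream = b"\x07F" + bytes(1258)  # 1260 bytes, first two are 07 46
    return [
        Segment(CLIENT, b"CONNECT example.com:443 HTTP/1.1\r\n"
                        b"Host: example.com:443\r\n\r\n"),
        Segment(PROXY, b"HTTP/1.1 200 Connection established\r\n\r\n"),
        Segment(CLIENT, b"\x16\x03\x01\x00\x10" + bytes(16)),  # ClientHello-like
        Segment(PROXY, b"\x16\x03\x03\x00\x10" + bytes(16)),   # ServerHello-like
        Segment(CLIENT, mid_stream),                           # index 4: fires
        Segment(CLIENT, b"\x17\x03\x03\x00\x08" + bytes(8)),   # app data
    ]


if __name__ == "__main__":
    print("flowbit unset:", run_session(proxied_tls_session(), False))
    print("flowbit set:  ", run_session(proxied_tls_session(), True))
```

With the flowbit unset nothing fires; with it set, the fifth segment (index 4) alerts even though it is far from the start of the session, because `depth:2` is measured from the start of that segment's payload. To tie a match to the first bytes of a session the rule needs an additional condition on stream position (for example a flowbit set only by the first client packet, or protocol-aware buffers such as `http_method` that rmkml suggested), not `flow:established` alone.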
Current thread:
- FP shows snort-2.9.0.3 confused over packets and sessions Jason Haar (May 09)
- Re: FP shows snort-2.9.0.3 confused over packets and sessions rmkml (May 10)
- Re: FP shows snort-2.9.0.3 confused over packets and sessions Jason Haar (May 11)
- flow:established still broken in 2.9.0.5? (was:FP shows snort-2.9.0.3 confused over packets and sessions) Jason Haar (Jun 29)
- Re: flow:established still broken in 2.9.0.5? (was:FP shows snort-2.9.0.3 confused over packets and sessions) Joel Esler (Jun 29)
- Re: flow:established still broken in 2.9.0.5? (was:FP shows snort-2.9.0.3 confused over packets and sessions) Matthew Jonkman (Jun 29)
- Re: flow:established still broken in 2.9.0.5? (was:FP shows snort-2.9.0.3 confused over packets and sessions) Joel Esler (Jun 29)
- Re: flow:established still broken in 2.9.0.5? Jason Haar (Jun 29)
- Re: flow:established still broken in 2.9.0.5? Russ Combs (Jun 29)
- Re: flow:established still broken in 2.9.0.5? Jason Haar (Jun 29)
- Re: flow:established still broken in 2.9.0.5? Jason Wallace (Jun 29)
- Re: flow:established still broken in 2.9.0.5? Jason Haar (Jun 29)
- Re: flow:established still broken in 2.9.0.5? Jason Wallace (Jun 30)
- Re: FP shows snort-2.9.0.3 confused over packets and sessions Jason Haar (May 11)
- Re: FP shows snort-2.9.0.3 confused over packets and sessions rmkml (May 10)