Snort mailing list archives
Re: flow:established still broken in 2.9.0.5? (was:FP shows snort-2.9.0.3 confused over packets and sessions)
From: Matthew Jonkman <jonkman () emergingthreatspro com>
Date: Wed, 29 Jun 2011 07:07:16 -0400
On Jun 29, 2011, at 6:47 AM, Joel Esler wrote:
Just a couple thoughts initially, I'll fwd this over to devel for them to look at as well. Are you dropping packets? I am wondering that, because maybe Snort tagged this as a midstream pickup or something. Do you have a pcap? As a rule writing note, "isset" flowbit checks generally should come before content. I have no idea what this rule does though, but I'd want the flowbit check before the content in this case, as it's only a two byte match.
Thanks for checking on the above Joel, that's something that's been killing me over the years but I thought it was expected behavior...

On the flowbits though: I think we had a discussion here a while ago (years perhaps) that flowbits were checked AFTER all content matching, just before the alert stage. So order would be irrelevant in the rule, no? That came around when we were trying to get performance gains by using flowbits to avoid costly content checks, but in the end it didn't help, it only prevented events, not load.

Thanks!

Matt
J

On Jun 29, 2011, at 4:49 AM, Jason Haar wrote:

Hi there

We're still seeing the problem under 2.9.0.5 where snort misclassified a packet in the middle of a TCP stream as being the first packet and matches against that. e.g. we just had the following FP

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Inject.ajq Initial Checkin to CnC packet 2"; flow:established,to_server; content:"|07|F"; depth:2; flowbits:isset,ET.inj.ajq.1; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008056; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Win32.Inject; sid:2008056; rev:4;)

It has "flow:established" and 'content:"|07|F"; depth:2'. So that should mean it can only alert IFF the *first two bytes* of the tcp stream are '|07|F'. However, we had it trigger in the middle of a HTTPS session (via a proxy on port 3128 - which we've defined as HTTP_PORTS). The packet it matched on was 1260 bytes in size and indeed began with those two bytes.

We've seen this in earlier releases as well as 2.9.0.5. Is this a known problem? I didn't get any feedback last time I brought this up

Thanks

Jason

On 12/05/11 13:50, Jason Haar wrote:
On 10/05/11 19:42, rmkml wrote:
Hi Jason, I suggest replace `depth:4;` to `http_method;`. Replace it's work on my test. I have another suggest, replace `isdataat:200,relative;` to `isdataat:200,relative; content:!"|0A|"; within:200;`. I have another another suggest, on pcre, replace `(?!\n)` to `(?!\r?\n)`.

I think your suggested changes make a lot of sense, but that wasn't really my point. Why did a "depth:4" rule match *inside* a stream instead of the *beginning* of a stream?

Please upgrade to snort v2.9.0.5.

Is there a stream5 bug in 2.9.0.3 that caused this? Changelog doesn't show anything.

My understanding of how snort merges packets into streams is contradicted by this event: either my understanding is incorrect, or there's a bug(?)

-- 
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable. Why? It contains a definitive record of application performance, security threats, fraudulent activity, and more. Splunk takes this data and makes sense of it. IT sense. And common sense. http://p.sf.net/sfu/splunk-d2d-c2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please see http://www.snort.org/docs for documentation
----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
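Added example, not code from the thread or from Snort itself: a small Python model of the rule body Jason posted, showing how the depth:2 check gives opposite verdicts when it is applied to the raw packet payload versus the stream-relative buffer counted from byte 0 of the session, and how the flowbit-before-content ordering Joel and Matt discuss changes the number of content searches but not the verdict. The earlier session bytes and the evaluation order are constructed assumptions for illustration, not a description of Snort internals.

```python
# Added illustration, not Snort's own code: a toy model of the rule body from
# the thread ('content:"|07|F"; depth:2; flowbits:isset,ET.inj.ajq.1;').

def parse_content(spec: str) -> bytes:
    """Decode Snort content syntax: text outside |..| is literal, hex inside."""
    out = b""
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out

def content_depth(buf: bytes, pattern: bytes, depth: int) -> bool:
    """'depth:N' semantics: the whole pattern must lie within the first N bytes."""
    return buf[:depth].find(pattern) != -1

PATTERN, DEPTH, FLOWBIT = parse_content("|07|F"), 2, "ET.inj.ajq.1"

def evaluate(buffer: bytes, flowbits: set, flowbit_first: bool):
    """Evaluate the rule body against one detection buffer (constructed model).
    Returns (alert, content_searches) so the cost of each ordering is visible."""
    searches = 0
    if flowbit_first and FLOWBIT not in flowbits:
        return False, searches
    searches += 1
    if not content_depth(buffer, PATTERN, DEPTH):
        return False, searches
    return FLOWBIT in flowbits, searches

def midstream_case(flowbit_first: bool = True):
    """The false positive from the thread, with constructed data: a 1260-byte
    client payload that starts with |07|F arrives mid-session. Returns
    (alert when only this packet is inspected,
     alert when the stream-relative buffer from byte 0 of the session is inspected)."""
    # Assumed prior client->server data on the proxied HTTPS session (constructed).
    earlier = b"CONNECT example.test:443 HTTP/1.1\r\n\r\n" + b"\x16\x03\x01" * 40
    packet = b"\x07F" + bytes(1258)
    flowbits = {FLOWBIT}  # the first rule of the pair had already set the bit
    per_packet, _ = evaluate(packet, flowbits, flowbit_first)
    stream_relative, _ = evaluate(earlier + packet, flowbits, flowbit_first)
    return per_packet, stream_relative

def ordering_effect():
    """Matt's point: with the flowbit unset, neither ordering alerts; only the
    number of content searches differs (events prevented, load not)."""
    packet = b"\x07F" + bytes(1258)
    return evaluate(packet, set(), True), evaluate(packet, set(), False)
```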
Current thread:
- FP shows snort-2.9.0.3 confused over packets and sessions Jason Haar (May 09)
- Re: FP shows snort-2.9.0.3 confused over packets and sessions rmkml (May 10)
- Re: FP shows snort-2.9.0.3 confused over packets and sessions Jason Haar (May 11)
- flow:established still broken in 2.9.0.5? (was:FP shows snort-2.9.0.3 confused over packets and sessions) Jason Haar (Jun 29)
- Re: flow:established still broken in 2.9.0.5? (was:FP shows snort-2.9.0.3 confused over packets and sessions) Joel Esler (Jun 29)
- Re: flow:established still broken in 2.9.0.5? (was:FP shows snort-2.9.0.3 confused over packets and sessions) Matthew Jonkman (Jun 29)
- Re: flow:established still broken in 2.9.0.5? (was:FP shows snort-2.9.0.3 confused over packets and sessions) Joel Esler (Jun 29)
- Re: flow:established still broken in 2.9.0.5? Jason Haar (Jun 29)
- Re: flow:established still broken in 2.9.0.5? Russ Combs (Jun 29)
- Re: flow:established still broken in 2.9.0.5? Jason Haar (Jun 29)
- Re: flow:established still broken in 2.9.0.5? Jason Wallace (Jun 29)
- Re: flow:established still broken in 2.9.0.5? Jason Haar (Jun 29)
- Re: flow:established still broken in 2.9.0.5? Jason Wallace (Jun 30)
- Re: FP shows snort-2.9.0.3 confused over packets and sessions Jason Haar (May 11)
- Re: FP shows snort-2.9.0.3 confused over packets and sessions rmkml (May 10)