Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: base64 snort options

From: Bhagya Bantwal <bbantwal () sourcefire com>
Date: Wed, 13 Jun 2012 11:00:34 -0400
Adding file_data before base64_decode should fire the alert you want..

So change the second rule to:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"base64
returned from outbound post";flow:to_client,established;
flowbits:isset,badpost; content:"200"; http_stat_code;  file_data;
base64_decode:relative; base64_data;
content:"webmail.vigilante.dk";sid:10000089;)


-B

On Mon, Jun 11, 2012 at 10:55 PM, whliudunjun <whliudunjun () 163 com> wrote:

should be like this:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Suspicious
outbound post"; flow:to_server,established; content:"POST"; http_method;
content:"index.php"; http_uri;flow
bits:set,badpost;flowbits:noalert;sid:10000088;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"base64 returned
from outbound post";flow:to_client,established; flowbits:isset,badpost;
content:"200"; http_stat_code;     content:"text/html";
base64_decode:relative; base64_data;
content:"webmail.vigilante.dk";sid:10000089;)

But still can't detecte the given pcap traffic,seems the base64 decode
doesn't work?
At 2012-06-12 01:40:51,whliudunjun <whliudunjun () 163 com> wrote:

hi,Joel Esler,
  sorry for that I'm not familiar with the snort signature,i read the
snort_manual.pdf and read:3.6.10 flowbits
i use the signature you wrote ,it still didn't output any alert.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Suspicious
outbound post"; flow:to_server,established; content:"POST"; http_method;
content:"index.php"; http_uri;flow
bits:set,badpost;flowbits:noalert;sid:10000088;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $EXTERNAL_NET $HTTP_PORTS
(msg:"base64 returned from outbound post"; flow:to_client,established;
flowbits:isset,badpost; content:"200"; http_stat_code; content:"text/html";
base64_decode:relative; base64_data;
content:"webmail.vigilante.dk";sid:10000089;)

Thanks and best regards.


At 2012-06-11 20:32:00,"Joel Esler" <jesler () sourcefire com> wrote:

<have not looked at pcap>

You have to use both sigs I gave you below.


On Jun 10, 2012, at 11:53 PM, whliudunjun wrote:



 Hi,Joel Esler,
 Thanks for your quickly reply,here i will post my pcap :f43b7121dadb17ff057bfdbba9b0c18f.pcap and the snort -T 
output if that you can know what's my trouble,i still cant use any sig detected the said traffic,when i use:
 
----------------------------------------------------------------------------------------------------------------------------------------------------------
 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $EXTERNAL_NET $HTTP_PORTS (msg:"base64 returned from outbound post"; 
flow:to_client,established; flowbits:isset,badpost; content:"200"; http_stat_code; content:"text/html"; http_header; 
base64_decode:relative; base64_data;  content:"webmail.vigilante.dk"; sid:10000043;rev:1;).
 
----------------------------------------------------------------------------------------------------------------------------------------------------------
 snort -A fast -b -d -r f43b7121dadb17ff057bfdbba9b0c18f.pcap  -c /opt/snort/etc/test.conf

 nothing alert log.

 Thanks.

 At 2012-06-09 03:44:38,"Joel Esler" <jesler () sourcefire com> wrote:
 >alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Suspicious outbound post"; flow:to_server,established; 
content:"POST"; http_method; content:"index.php"; http_uri; flowbits:set,badpost; flowbits:noalert; sid:1;)
 >
 >alert tcp $EXTERNAL_NET $HTTP_PORTS -> $EXTERNAL_NET $HTTP_PORTS (msg:"base64 returned from outbound post"; 
flow:to_client,established; flowbits:isset,badpost; content:"200"; http_stat_code; content:"text/html"; 
base64_decode:relative; base64_data;  content:"webmail.vigilante.dk"; sid:2;)
 >
 >or
 >
 >alert tcp $EXTERNAL_NET $HTTP_PORTS -> $EXTERNAL_NET $HTTP_PORTS (msg:"base64 returned from outbound post"; 
flow:to_client,established; flowbits:isset,badpost; content:"200"; http_stat_code; content:"text/html"; 
base64_decode:relative; base64_data;  content:"varchar("; content:"cast("; distance:0; sid:3;)
 >
 >Actually the below won't work, the above should.
 >
 >
 >On Jun 8, 2012, at 3:43 PM, Joel Esler wrote:
 >
 >> Maybe something like this:
 >>
 >> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Suspicious outbound post"; 
flow:to_server,established; content:"POST"; http_method; content:"index.php"; http_uri; flowbits:set,badpost; 
flowbits:noalert; sid:1;)
 >>
 >> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $EXTERNAL_NET $HTTP_PORTS (msg:"base64 returned from outbound post"; 
flow:to_client,established; flowbits:isset,badpost; content:"200"; http_stat_code; content:"text/html"; http_header; 
base64_decode:relative; base64_data;  content:"webmail.vigilante.dk"; sid:2;)
 >>
 >> or
 >>
 >> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $EXTERNAL_NET $HTTP_PORTS (msg:"base64 returned from outbound post"; 
flow:to_client,established; flowbits:isset,badpost; content:"200"; http_stat_code; content:"text/html"; http_header; 
base64_decode:relative; base64_data;  content:"varchar("; content:"cast("; distance:0; sid:3;)
 >>
 >>
 >>
 >>
 >> Note, I wrote those off the top of my head.  I didn't test them as I don't have a pcap of the traffic.
 >>
 >> --
 >> Joel Esler
 >> Senior Research Engineer, VRT
 >> OpenSource Community Manager
 >> Sourcefire
 >>
 >>
 >> On Jun 8, 2012, at 2:05 AM, whliudunjun wrote:
 >>
 >>> when i use snort to scan pcap package,the net traffic like following:
 >>>
 >>> the traffic:---------------------------------------------------------------------------------------
 >>> send:
 >>> POST /metcon/index.php?id=73EEFFDBC2080030429BE52FA2866576 HTTP/1.1
 >>> Content-Type: application/x-www-form-urlencoded
 >>> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Axo 9.104.044 )
 >>> Host: 178.157.202.31
 >>> Content-Length: 4
 >>> Cache-Control: no-cache
 >>> INIT
 >>> receive:
 >>> HTTP/1.1 200 OK
 >>> Date: Wed, 06 Jun 2012 09:58:00 GMT
 >>> Server: Apache
 >>> Vary: Accept-Encoding
 >>> Content-Length: 2196
 >>> Content-Type: text/html
 >>> 
d2VibWFpbC52aWdpbGFudGUuZGs=#ODA=#MDAwMA==#L2luZGV4LnBocD9pZD0xJnR5cGU9YWxsJTI3ZGVjbGFyZSUyMEBzJTIwdmFyY2hhcig0MDAwKTtzZXQlMjBAcz1jYXN0KDB4NjQ2NTYzNkM2MTcyNjUyMDQwNzQyMDc2NjE3MjYzNjg2MTcyMjgzMjM1MzUyOTJDNDA2MzIwNzY2MTcyNjM2ODYxNzIyODMyMzUzNTI5MjA2NDY1NjM2QzYxNzI2NTIwNzQ2MTYyNkM2NTVGNjM3NTcyNzM2RjcyMjA2Mzc1NzI3MzZGNzIyMDY2NkY3MjIwNzM2NTZDNjU2Mzc0MjA2MTJFNkU2MTZENjUyQzYyMkU2RTYxNkQ2NTIwNjY3MjZGNkQyMDczNzk3MzZGNjI2QTY1NjM3NDczMjA2MTJDNzM3OTczNjM2RjZDNzU2RDZFNzMyMDYyMjA3NzY4NjU3MjY1MjA2MTJFNjk2NDNENjIyRTY5NjQyMDYxNkU2NDIwNjEyRTc4NzQ3OTcwNjUzRDI3NzUyNzIwNjE2RTY0MjAyODYyMkU3ODc0Nzk3MDY1M0QzOTM5MjA2RjcyMjA2MjJFNzg3NDc5NzA2NTNEMzMzNTIwNkY3MjIwNjIyRTc4NzQ3OTcwNjUzRDMyMzMzMTIwNkY3MjIwNjIyRTc4NzQ3OTcwNjUzRDMxMzYzNzI5MjA2RjcwNjU2RTIwNzQ2MTYyNkM2NTVGNjM3NTcyNzM2RjcyMjA2NjY1NzQ2MzY4MjA2RTY1Nzg3NDIwNjY3MjZGNkQyMDc0NjE2MjZDNjU1RjYzNzU3MjczNkY3MjIwNjk2RTc0NkYyMDQwNzQyQzQwNjMyMDc3Njg2OTZDNjUyODQwNDA2NjY1NzQ2MzY4NUY3Mzc0NjE3NDc1NzMzRDMwMjkyMDYyNjU2NzY5NkUyMDY1Nzg2NTYzMjgyNzc1NzA2NDYxNzQ2NTIwNUIyNzJCNDA3NDJCMjc1RDIwNzM2NTc0MjA1QjI3MkI0MDYzMkIyNzVEM0Q3Mjc0NzI2OTZEMjg2MzZGNkU3NjY1NzI3NDI4NzY2MTcyNjM2ODYxNzIyODM0MzAzMDMwMjkyQzVCMjcyQjQwNjMyQjI3NUQyOTI5MkI2MzYxNzM3NDI4MzA3ODMzNjMzNjM5MzYzNjM3MzIzNjMxMzY2NDM2MzUzMjMwMzczMzM3MzIzNjMzMzM2NDMyMzIzNjM4MzczNDM3MzQzNzMwMzM2MTMyNjYzMjY2MzY2NTM2MzEzNjM0MzY2MTM2NjMzNzMwMzY2NjM2MzkzNzMxMzczNzM2MzUzNjM0MzI2NTM3MzUzNjMxMzI2NjM2NjEzNzMzMzI2NTM3MzAzNjM4MzczMDMzNjYzNzMzMzYzOTM2MzQzMzY0MzMzMjMyMzIzMjMwMzczNzM2MzkzNjM0MzczNDM2MzgzMzY0MzIzMjMzMzAzMjMyMzIzMDM2MzgzNjM1MzYzOTM2MzczNjM4MzczNDMzNjQzMjMyMzMzMDMyMzIzMjMwMzczMzM3MzQzNzM5MzY2MzM2MzUzMzY0MzIzMjM2MzQzNjM5MzczMzM3MzAzNjYzMzYzMTM3MzkzMzYxMzY2NTM2NjYzNjY1MzYzNTMyMzIzMzY1MzM2MzMyNjYzNjM5MzYzNjM3MzIzNjMxMzY2NDM2MzUzMzY1MjA2MTczMjA3NjYxNzI2MzY4NjE3MjI4MzEzMDM2MjkyOTI3MjkyMDY2NjU3NDYzNjgyMDZFNjU3ODc0MjA2NjcyNkY2RDIwNzQ2MTYyNkM2NTVGNjM3NTcyNzM2RjcyMjA2OTZFNzQ2RjIwNDA3NDJDNDA2MzIwNjU2RTY0MjA2MzZDNkY3MzY1MjA3NDYxNjI2QzY1NUY2Mzc1NzI3MzZGNzIyMDY0NjU2MTZDNkM2RjYzNjE3NDY1MjA3NDYxNjI2QzY1NUY2Mzc1NzI3MzZGNzIyMCUyMGFzJTIwdmFyY2hhcig0MDAwKSk7ZXhlYyhAcyk7LS0=#X19fXw==#TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgNS4xKSBBcHBsZVdlYktpdC81MzUuMTkgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTguMC4xMDI1LjE2MiBTYWZhcmkvNTM1LjE5##fDgxMw==#
 >>>
 >>> 
end-------------------------------------------------------------------------------------------------------------------------------------------------------
 >>>
 >>> base64:
 >>> d2VibWFpbC52aWdpbGFudGUuZGs=#
 >>> ascii:webmail.vigilante.dk
 >>>
 >>> the receive data is encode using base64,so i write a snort rules to detected it:
 >>> 41 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Trojan SQL injection code receive"; 
flow:to_client,established;content:"HTTP/1.1 200 OK";content:"webmail.vigilante.dk";clas    stype:trojan-activity; 
sid:10000043; rev:1;)
 >>>
 >>> why this sig can't detect above traffic,is there anyone can tell me why?or i write rules at a wrong way,or i 
need to open some config option.
 >>>
 >>>
 >>>
 >>>
 >>>
 >>> ------------------------------------------------------------------------------
 >>> Live Security Virtual Conference
 >>> Exclusive live event will cover all the ways today's security and
 >>> threat landscape has changed and how IT managers can respond. Discussions
 >>> will include endpoint security, mobile security and the latest in malware
 >>> threats. 
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/_______________________________________________
 >>> Snort-users mailing list
 >>> Snort-users () lists sourceforge net
 >>> Go to this URL to change user options or unsubscribe:
 >>> https://lists.sourceforge.net/lists/listinfo/snort-users
 >>> Snort-users list archive:
 >>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
 >>>
 >>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
 >>
 >



 <pcap.zip>









------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: