Snort mailing list archives
Re: base64 snort options
From: Bhagya Bantwal <bbantwal () sourcefire com>
Date: Wed, 13 Jun 2012 11:00:34 -0400
Adding file_data before base64_decode should fire the alert you want.. So change the second rule to: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"base64 returned from outbound post";flow:to_client,established; flowbits:isset,badpost; content:"200"; http_stat_code; file_data; base64_decode:relative; base64_data; content:"webmail.vigilante.dk";sid:10000089;) -B On Mon, Jun 11, 2012 at 10:55 PM, whliudunjun <whliudunjun () 163 com> wrote:
should be like this: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Suspicious outbound post"; flow:to_server,established; content:"POST"; http_method; content:"index.php"; http_uri;flow bits:set,badpost;flowbits:noalert;sid:10000088;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"base64 returned from outbound post";flow:to_client,established; flowbits:isset,badpost; content:"200"; http_stat_code; content:"text/html"; base64_decode:relative; base64_data; content:"webmail.vigilante.dk";sid:10000089;) But still can't detecte the given pcap traffic,seems the base64 decode doesn't work? At 2012-06-12 01:40:51,whliudunjun <whliudunjun () 163 com> wrote: hi,Joel Esler, sorry for that I'm not familiar with the snort signature,i read the snort_manual.pdf and read:3.6.10 flowbits i use the signature you wrote ,it still didn't output any alert. alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Suspicious outbound post"; flow:to_server,established; content:"POST"; http_method; content:"index.php"; http_uri;flow bits:set,badpost;flowbits:noalert;sid:10000088;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $EXTERNAL_NET $HTTP_PORTS (msg:"base64 returned from outbound post"; flow:to_client,established; flowbits:isset,badpost; content:"200"; http_stat_code; content:"text/html"; base64_decode:relative; base64_data; content:"webmail.vigilante.dk";sid:10000089;) Thanks and best regards. At 2012-06-11 20:32:00,"Joel Esler" <jesler () sourcefire com> wrote:<have not looked at pcap> You have to use both sigs I gave you below. On Jun 10, 2012, at 11:53 PM, whliudunjun wrote:Hi,Joel Esler, Thanks for your quickly reply,here i will post my pcap :f43b7121dadb17ff057bfdbba9b0c18f.pcap and the snort -T output if that you can know what's my trouble,i still cant use any sig detected the said traffic,when i use: ---------------------------------------------------------------------------------------------------------------------------------------------------------- alert tcp $EXTERNAL_NET $HTTP_PORTS -> $EXTERNAL_NET $HTTP_PORTS (msg:"base64 returned from outbound post"; flow:to_client,established; flowbits:isset,badpost; content:"200"; http_stat_code; content:"text/html"; http_header; base64_decode:relative; base64_data; content:"webmail.vigilante.dk"; sid:10000043;rev:1;). ---------------------------------------------------------------------------------------------------------------------------------------------------------- snort -A fast -b -d -r f43b7121dadb17ff057bfdbba9b0c18f.pcap -c /opt/snort/etc/test.conf nothing alert log. Thanks. At 2012-06-09 03:44:38,"Joel Esler" <jesler () sourcefire com> wrote: >alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Suspicious outbound post"; flow:to_server,established; content:"POST"; http_method; content:"index.php"; http_uri; flowbits:set,badpost; flowbits:noalert; sid:1;) > >alert tcp $EXTERNAL_NET $HTTP_PORTS -> $EXTERNAL_NET $HTTP_PORTS (msg:"base64 returned from outbound post"; flow:to_client,established; flowbits:isset,badpost; content:"200"; http_stat_code; content:"text/html"; base64_decode:relative; base64_data; content:"webmail.vigilante.dk"; sid:2;) > >or > >alert tcp $EXTERNAL_NET $HTTP_PORTS -> $EXTERNAL_NET $HTTP_PORTS (msg:"base64 returned from outbound post"; flow:to_client,established; flowbits:isset,badpost; content:"200"; http_stat_code; content:"text/html"; base64_decode:relative; base64_data; content:"varchar("; content:"cast("; distance:0; sid:3;) > >Actually the below won't work, the above should. > > >On Jun 8, 2012, at 3:43 PM, Joel Esler wrote: > >> Maybe something like this: >> >> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Suspicious outbound post"; flow:to_server,established; content:"POST"; http_method; content:"index.php"; http_uri; flowbits:set,badpost; flowbits:noalert; sid:1;) >> >> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $EXTERNAL_NET $HTTP_PORTS (msg:"base64 returned from outbound post"; flow:to_client,established; flowbits:isset,badpost; content:"200"; http_stat_code; content:"text/html"; http_header; base64_decode:relative; base64_data; content:"webmail.vigilante.dk"; sid:2;) >> >> or >> >> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $EXTERNAL_NET $HTTP_PORTS (msg:"base64 returned from outbound post"; flow:to_client,established; flowbits:isset,badpost; content:"200"; http_stat_code; content:"text/html"; http_header; base64_decode:relative; base64_data; content:"varchar("; content:"cast("; distance:0; sid:3;) >> >> >> >> >> Note, I wrote those off the top of my head. I didn't test them as I don't have a pcap of the traffic. >> >> -- >> Joel Esler >> Senior Research Engineer, VRT >> OpenSource Community Manager >> Sourcefire >> >> >> On Jun 8, 2012, at 2:05 AM, whliudunjun wrote: >> >>> when i use snort to scan pcap package,the net traffic like following: >>> >>> the traffic:--------------------------------------------------------------------------------------- >>> send: >>> POST /metcon/index.php?id=73EEFFDBC2080030429BE52FA2866576 HTTP/1.1 >>> Content-Type: application/x-www-form-urlencoded >>> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Axo 9.104.044 ) >>> Host: 178.157.202.31 >>> Content-Length: 4 >>> Cache-Control: no-cache >>> INIT >>> receive: >>> HTTP/1.1 200 OK >>> Date: Wed, 06 Jun 2012 09:58:00 GMT >>> Server: Apache >>> Vary: Accept-Encoding >>> Content-Length: 2196 >>> Content-Type: text/html >>> d2VibWFpbC52aWdpbGFudGUuZGs=#ODA=#MDAwMA==#L2luZGV4LnBocD9pZD0xJnR5cGU9YWxsJTI3ZGVjbGFyZSUyMEBzJTIwdmFyY2hhcig0MDAwKTtzZXQlMjBAcz1jYXN0KDB4NjQ2NTYzNkM2MTcyNjUyMDQwNzQyMDc2NjE3MjYzNjg2MTcyMjgzMjM1MzUyOTJDNDA2MzIwNzY2MTcyNjM2ODYxNzIyODMyMzUzNTI5MjA2NDY1NjM2QzYxNzI2NTIwNzQ2MTYyNkM2NTVGNjM3NTcyNzM2RjcyMjA2Mzc1NzI3MzZGNzIyMDY2NkY3MjIwNzM2NTZDNjU2Mzc0MjA2MTJFNkU2MTZENjUyQzYyMkU2RTYxNkQ2NTIwNjY3MjZGNkQyMDczNzk3MzZGNjI2QTY1NjM3NDczMjA2MTJDNzM3OTczNjM2RjZDNzU2RDZFNzMyMDYyMjA3NzY4NjU3MjY1MjA2MTJFNjk2NDNENjIyRTY5NjQyMDYxNkU2NDIwNjEyRTc4NzQ3OTcwNjUzRDI3NzUyNzIwNjE2RTY0MjAyODYyMkU3ODc0Nzk3MDY1M0QzOTM5MjA2RjcyMjA2MjJFNzg3NDc5NzA2NTNEMzMzNTIwNkY3MjIwNjIyRTc4NzQ3OTcwNjUzRDMyMzMzMTIwNkY3MjIwNjIyRTc4NzQ3OTcwNjUzRDMxMzYzNzI5MjA2RjcwNjU2RTIwNzQ2MTYyNkM2NTVGNjM3NTcyNzM2RjcyMjA2NjY1NzQ2MzY4MjA2RTY1Nzg3NDIwNjY3MjZGNkQyMDc0NjE2MjZDNjU1RjYzNzU3MjczNkY3MjIwNjk2RTc0NkYyMDQwNzQyQzQwNjMyMDc3Njg2OTZDNjUyODQwNDA2NjY1NzQ2MzY4NUY3Mzc0NjE3NDc1NzMzRDMwMjkyMDYyNjU2NzY5NkUyMDY1Nzg2NTYzMjgyNzc1NzA2NDYxNzQ2NTIwNUIyNzJCNDA3NDJCMjc1RDIwNzM2NTc0MjA1QjI3MkI0MDYzMkIyNzVEM0Q3Mjc0NzI2OTZEMjg2MzZGNkU3NjY1NzI3NDI4NzY2MTcyNjM2ODYxNzIyODM0MzAzMDMwMjkyQzVCMjcyQjQwNjMyQjI3NUQyOTI5MkI2MzYxNzM3NDI4MzA3ODMzNjMzNjM5MzYzNjM3MzIzNjMxMzY2NDM2MzUzMjMwMzczMzM3MzIzNjMzMzM2NDMyMzIzNjM4MzczNDM3MzQzNzMwMzM2MTMyNjYzMjY2MzY2NTM2MzEzNjM0MzY2MTM2NjMzNzMwMzY2NjM2MzkzNzMxMzczNzM2MzUzNjM0MzI2NTM3MzUzNjMxMzI2NjM2NjEzNzMzMzI2NTM3MzAzNjM4MzczMDMzNjYzNzMzMzYzOTM2MzQzMzY0MzMzMjMyMzIzMjMwMzczNzM2MzkzNjM0MzczNDM2MzgzMzY0MzIzMjMzMzAzMjMyMzIzMDM2MzgzNjM1MzYzOTM2MzczNjM4MzczNDMzNjQzMjMyMzMzMDMyMzIzMjMwMzczMzM3MzQzNzM5MzY2MzM2MzUzMzY0MzIzMjM2MzQzNjM5MzczMzM3MzAzNjYzMzYzMTM3MzkzMzYxMzY2NTM2NjYzNjY1MzYzNTMyMzIzMzY1MzM2MzMyNjYzNjM5MzYzNjM3MzIzNjMxMzY2NDM2MzUzMzY1MjA2MTczMjA3NjYxNzI2MzY4NjE3MjI4MzEzMDM2MjkyOTI3MjkyMDY2NjU3NDYzNjgyMDZFNjU3ODc0MjA2NjcyNkY2RDIwNzQ2MTYyNkM2NTVGNjM3NTcyNzM2RjcyMjA2OTZFNzQ2RjIwNDA3NDJDNDA2MzIwNjU2RTY0MjA2MzZDNkY3MzY1MjA3NDYxNjI2QzY1NUY2Mzc1NzI3MzZGNzIyMDY0NjU2MTZDNkM2RjYzNjE3NDY1MjA3NDYxNjI2QzY1NUY2Mzc1NzI3MzZGNzIyMCUyMGFzJTIwdmFyY2hhcig0MDAwKSk7ZXhlYyhAcyk7LS0=#X19fXw==#TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgNS4xKSBBcHBsZVdlYktpdC81MzUuMTkgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTguMC4xMDI1LjE2MiBTYWZhcmkvNTM1LjE5##fDgxMw==# >>> >>> end------------------------------------------------------------------------------------------------------------------------------------------------------- >>> >>> base64: >>> d2VibWFpbC52aWdpbGFudGUuZGs=# >>> ascii:webmail.vigilante.dk >>> >>> the receive data is encode using base64,so i write a snort rules to detected it: >>> 41 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Trojan SQL injection code receive"; flow:to_client,established;content:"HTTP/1.1 200 OK";content:"webmail.vigilante.dk";clas stype:trojan-activity; sid:10000043; rev:1;) >>> >>> why this sig can't detect above traffic,is there anyone can tell me why?or i write rules at a wrong way,or i need to open some config option. >>> >>> >>> >>> >>> >>> ------------------------------------------------------------------------------ >>> Live Security Virtual Conference >>> Exclusive live event will cover all the ways today's security and >>> threat landscape has changed and how IT managers can respond. Discussions >>> will include endpoint security, mobile security and the latest in malware >>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/_______________________________________________ >>> Snort-users mailing list >>> Snort-users () lists sourceforge net >>> Go to this URL to change user options or unsubscribe: >>> https://lists.sourceforge.net/lists/listinfo/snort-users >>> Snort-users list archive: >>> http://www.geocrawler.com/redir-sf.php3?list=snort-users >>> >>> Please visit http://blog.snort.org to stay current on all the latest Snort news! >> > <pcap.zip>------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- base64 snort options whliudunjun (Jun 07)
- Re: base64 snort options praveen_recker . (Jun 08)
- Re: base64 snort options Joel Esler (Jun 08)
- Re: base64 snort options Joel Esler (Jun 08)
- Re: base64 snort options whliudunjun (Jun 11)
- Re: base64 snort options Joel Esler (Jun 11)
- Re: base64 snort options whliudunjun (Jun 11)
- Re: base64 snort options whliudunjun (Jun 11)
- Re: base64 snort options Bhagya Bantwal (Jun 13)
- Re: base64 snort options whliudunjun (Jun 13)
- Re: base64 snort options Joel Esler (Jun 08)