Snort mailing list archives
Mcafee IDS rule processing
From: Adrian Good <itsa.aacgood () gmail com>
Date: Wed, 17 Feb 2016 14:47:10 +1100
Hi all, I am attempting to troubleshoot a particular snort rule that has been added to a custom attack set on our Mcafee IDS, and I am hoping that someone can point me in the right direction. The rule is below (sid:31229): alert tcp any any -> any [36,80,81,82,83,84,85,86,87,88,89,90,311,383,555,591,593,631,801,808,818,901,972,1158,1220,1414,1533,1741,1830,1942,2231,2301,2381,2578,2809,2980,3029,3037,3057,3128,3443,3702,4000,4343,4848,5000,5117,5250,5600,6080,6173,6988,7000,7001,7071,7144,7145,7510,7770,7777,7778,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8333,8344,8500,8509,8800,8888,8899,8983,9000,9060,9080,9090,9091,9111,9290,9443,9999,10000,11371,12601,13014,15489,29991,33300,34412,34443,34444,41080,44449,50000,50002,51423,53331,55252,55555,56712] (msg:"EXPLOIT-KIT Bleeding Life exploit kit outbound Adobe Flash exploit request"; flow:to_server,established; content:"/modules/"; fast_pattern:only; http_uri; pcre:"/\/modules\/(n?\d|nu)\.swf$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31229; rev:1;) The content from the PCAP is the following: GET http://player.ooyala.com/static/modules/start_screen-fc89fba4b9d2b24da65dad518a40ede5c8441d7deeb4bf33d0c2ca747bedb700.swf HTTP/1.1 Host: player.ooyala.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36 X-Requested-With: ShockwaveFlash/18.0.0.209 Accept: */* Referer: http://www.skynews.com.au/news/top-stories/2016/02/04/coalition-mps-seek-turnbull-tax-answers.html Accept-Encoding: gzip, deflate, sdch Accept-Language: en-AU,en;q=0.8 Cookie: BCSI-CS-c87fda4ff6f22bb5=2; BCSI-CS-8d18d10a705be693=2; BCSI-CS-3d562a66fecc35f6=2 The kicker is that the IDS is showing a Translation Warning for this rule which states - "Ignored snort option(s): fast_pattern". Looking into the pcre regex I cant seem to get it to match what the full HTTP GET request is (unless my regex troubleshooting is flawed), so I am assuming that the pcap is matching the "content" (/modules/) and with fast_pattern effectively off, its making a positive match based on the "content" alone and skipping over "pcre". Would this assumption be correct? or is anyone able to tell me how rule processing would work with "content", "pcre" and "no fast_pattern" for this particular rule? I hope I have been able to put the question clearly, if not please let me know. Many thanks -Adrian
------------------------------------------------------------------------------ Site24x7 APM Insight: Get Deep Visibility into Application Performance APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month Monitor end-to-end web transactions and take corrective actions now Troubleshoot faster and improve end-user experience. Signup Now! http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Mcafee IDS rule processing Adrian Good (Feb 16)
- Re: Mcafee IDS rule processing Joel Esler (jesler) (Feb 16)