Snort mailing list archives
help with flow:established
From: Felix Erlacher <felix.erlacher () uibk ac at>
Date: Mon, 9 Jan 2017 15:55:12 +0100
Hi all,

I encountered a strange behavior in Snort 2.9.9.0. I wanted to trigger the rule with sid:2010054 from the current Emerging Threats ruleset (emerging-all.rules) [1]. I created a very simple traffic dump with an ARP request/response, a TCP 3-way handshake and an HTTP GET request containing the content the rule is looking for, and a 404 answer from my HTTP server. If I run Snort with only this rule, no alarm is triggered.

Now, if I remove the option "established" from the "flow:" keyword, leaving only "flow:to_server" in the rule, then Snort triggers an alarm for this rule.

There is only one thing that IMHO could be blamed for this behavior: the second segment in the TCP 3WHS, coming from the server, has a wrong TCP checksum. Is it possible that the preprocessor (and thus Snort) does not consider a TCP connection "established" if there is a checksum error in the 3WHS?

[1] alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely TDSS Download (codec.exe)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/codec.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/2010054; classtype:trojan-activity; sid:2010054; rev:6;)

--
Felix Erlacher
Key-ID:4EAC0959
Attachment:
signature.asc
Description: OpenPGP digital signature
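The following is an added example, not part of Felix's post and not Snort's own code. It builds the packet sequence he describes (handshake, GET for /codec.exe, 404 reply) as constructed raw IPv4/TCP bytes, with the server's SYN/ACK deliberately given a bad TCP checksum; the addresses, ports and sequence numbers are assumptions. It then does the two checks a practitioner would want before asking the list: verify the TCP checksum of every segment in the capture, and run a deliberately simplified flow tracker that, like Snort's default `config checksum_mode: all`, discards bad-checksum packets before any state is tracked. The tracker is a toy stand-in for the Stream preprocessor, not a model of its internals; it only shows why a rule with `flow:established` cannot match when one leg of the handshake never reaches the tracker.

```python
import socket
import struct

SYN, PSH, ACK = 0x02, 0x08, 0x10


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum over data (odd length padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """TCP checksum including the IPv4 pseudo-header (src, dst, zero, proto 6, length)."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_checksum(pseudo + segment)


def build_packet(src_ip, dst_ip, sport, dport, flags, seq, ack, payload=b"", corrupt=False) -> bytes:
    """Raw IPv4+TCP packet with no options. corrupt=True flips bits in the TCP checksum."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    csum = tcp_checksum(src_ip, dst_ip, tcp)
    if corrupt:
        csum ^= 0x00FF  # assumption: simulate the bad checksum Felix saw on the SYN/ACK
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ones_complement_checksum(ip)) + ip[12:]
    return ip + tcp


def parse(pkt: bytes):
    """Return (src, dst, sport, dport, flags, tcp_segment, payload) of an IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    seg = pkt[ihl:]
    sport, dport = struct.unpack("!HH", seg[:4])
    flags, doff = seg[13], (seg[12] >> 4) * 4
    return src, dst, sport, dport, flags, seg, seg[doff:]


def tcp_checksum_ok(pkt: bytes) -> bool:
    # Summing the segment with its checksum field in place yields 0 for a valid segment.
    src, dst, _, _, _, seg, _ = parse(pkt)
    return tcp_checksum(src, dst, seg) == 0


def bad_checksum_indexes(packets) -> list:
    """First check: which segments in the capture carry a wrong TCP checksum."""
    return [i for i, p in enumerate(packets) if not tcp_checksum_ok(p)]


def rule_matches(packets, require_established: bool, checksum_mode: str = "all") -> bool:
    """Toy stand-in for the stream tracker plus the sid:2010054 content checks.

    checksum_mode="all" drops bad-checksum packets before they are tracked, as Snort does by
    default; "none" hands every packet to the tracker. The rule's http_method/http_uri
    matching is approximated by looking at the request line of the payload.
    """
    state, client = "NONE", None
    for pkt in packets:
        src, dst, sport, dport, flags, seg, payload = parse(pkt)
        if checksum_mode == "all" and not tcp_checksum_ok(pkt):
            continue  # never reaches the tracker, so no state transition happens
        if flags & SYN and not flags & ACK:
            state, client = "SYN_SENT", (src, sport)
        elif flags & SYN and flags & ACK and state == "SYN_SENT":
            state = "SYN_RECV"
        elif flags & ACK and state == "SYN_RECV" and (src, sport) == client:
            state = "ESTABLISHED"
        to_server = (src, sport) == client
        if not (to_server and payload):
            continue
        method, _, rest = payload.split(b"\r\n", 1)[0].partition(b" ")
        uri = rest.split(b" ", 1)[0]
        content_hit = method.upper() == b"GET" and b"/codec.exe" in uri.lower()
        if content_hit and (state == "ESTABLISHED" or not require_established):
            return True
    return False


# Constructed capture mirroring the post: handshake with a corrupted SYN/ACK, GET, 404 reply.
CLIENT, SERVER, CPORT, SPORT = "192.0.2.10", "198.51.100.20", 40000, 80
GET_REQ = b"GET /codec.exe HTTP/1.1\r\nHost: example.test\r\n\r\n"
CAPTURE = [
    build_packet(CLIENT, SERVER, CPORT, SPORT, SYN, 1000, 0),
    build_packet(SERVER, CLIENT, SPORT, CPORT, SYN | ACK, 5000, 1001, corrupt=True),
    build_packet(CLIENT, SERVER, CPORT, SPORT, ACK, 1001, 5001),
    build_packet(CLIENT, SERVER, CPORT, SPORT, PSH | ACK, 1001, 5001, GET_REQ),
    build_packet(SERVER, CLIENT, SPORT, CPORT, PSH | ACK, 5001, 1001 + len(GET_REQ), b"HTTP/1.1 404 Not Found\r\n\r\n"),
]

if __name__ == "__main__":
    print("segments with bad TCP checksum:", bad_checksum_indexes(CAPTURE))
    for mode in ("all", "none"):
        print(f"checksum_mode={mode}: flow:established,to_server ->",
              rule_matches(CAPTURE, True, mode), "| flow:to_server ->", rule_matches(CAPTURE, False, mode))
```

With the default mode the corrupted SYN/ACK is discarded, the toy tracker never leaves SYN_SENT, and only the rule variant without `established` matches; with checksum verification disabled the same capture matches both variants. The equivalent experiment against real Snort is to re-run it with `-k none` (or `config checksum_mode: none`) on the same pcap, or to repair the checksum in the capture, and see whether the `flow:established` rule then alerts.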
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- help with flow:established Felix Erlacher (Jan 09)
- Re: help with flow:established Al Lewis (allewi) (Jan 09)
- Re: help with flow:established Felix Erlacher (Jan 09)
- Re: help with flow:established Al Lewis (allewi) (Jan 09)