Snort mailing list archives

Abnormal JPEG file detection rule


From: "demantos(Cho Hoon)" <demantos () gmail com>
Date: Tue, 21 Mar 2017 09:55:23 +0900

Hello,

I want to detect normal/abnormal JPEG files.

So, I wrote rules to detect abnormal JPEG files, like below.


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"JPEG response detected - Header"; content:"|FF D8 FF E0|"; offset:0; gid:1; sid:10000002; rev:001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"JPEG response detected - Footer"; content:"|FF D8 FF E0|"; byte_jump:0, 0, from_end, post_offset -2; content:"|FF D9|"; distance:0; within:2; gid:1; sid:10000003; rev:001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Abnormal JPEG response detected"; content:"|FF D8 FF E0|"; byte_jump:0, 0, from_end, post_offset -2; content:!"|FF D9|"; distance:0; within:2; gid:1; sid:10000004; rev:001;)


These rules do not work well. As you know, these rules match the JPEG
header/footer pattern (content) against each fragmented packet.

So, I tried using the stream_reassemble and flowbits options.

I read https://www.snort.org/faq/readme-stream5.

But the stream5 preprocessor limits the reassembled packet size (paf_max: 63780 bytes).

Anyway, I wrote rules like below.


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"JPEG response detected - Header"; flow:established; content:"|FF D8 FF E0|"; offset:0; flowbits:set,jpeg_detect; flowbits:noalert; stream_reassemble:enable,both; gid:1; sid:10000005; rev:001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"JPEG response detected - Footer"; flow:established; byte_jump:0,0,from_end,post_offset -2; content:"|FF D9|"; distance:0; within:2; flowbits:isset,jpeg_detect; stream_reassemble:enable,both; gid:1; sid:10000006; rev:001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Abnormal JPEG response detected"; flow:established; byte_jump:0,0,from_end,post_offset -2; content:!"|FF D9|"; distance:0; within:2; flowbits:isset,jpeg_detect; stream_reassemble:enable,both; gid:1; sid:10000007; rev:001;)


*** normal JPEG file detection log ***

03/20-17:52:37.813831  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
03/20-17:52:37.815236  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
03/20-17:52:37.815265  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
03/20-17:52:37.815291  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
...[snip]...
03/20-17:52:37.819399  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
03/20-17:52:37.819434  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
03/20-17:52:37.819468  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
03/20-17:52:37.819496  [**] [1:10000006:1] JPEG response detected - Footer [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199


*** abnormal JPEG file detection log ***

03/20-17:53:46.793983  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
03/20-17:53:46.795683  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
03/20-17:53:46.795720  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
03/20-17:53:46.795757  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
...[snip]...
03/20-17:53:46.796195  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
03/20-17:53:46.796233  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
03/20-17:53:46.796271  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
03/20-17:53:46.796308  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202


These rules detect each fragmented packet, but I want to alert only on the last
detection.

Could anyone please advise me?


Regards
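As an added example (not code from the post or from the Snort project), a small Python model of the two strategies: evaluating the footer on each buffer the engine sees, which is what the posted rules do and why the logs above show one "Abnormal" alert per segment of a perfectly good file, versus evaluating header and footer once on the fully reassembled object. The sample JPEG, the 1460-byte segment size and the acceptance of an Exif APP1 marker alongside the JFIF APP0 marker used in the rules are constructed assumptions.

```python
# Added example: per-segment footer check (what the posted rules do) versus a
# check on the whole reassembled object.  All sample data below is constructed.

SOI = b"\xff\xd8"        # JPEG Start Of Image marker
EOI = b"\xff\xd9"        # JPEG End Of Image marker (the rules' "footer")
APP0_JFIF = b"\xff\xe0"  # APP0 marker the posted rules expect right after SOI
APP1_EXIF = b"\xff\xe1"  # assumption: camera JPEGs start SOI + APP1 (Exif) instead


def build_sample_jpeg(truncated=False):
    """Constructed minimal JPEG-like object: SOI, a 16-byte APP0 segment,
    5000 zero bytes standing in for entropy-coded image data, then EOI
    (omitted when truncated=True to model a cut-off / abnormal file)."""
    app0 = APP0_JFIF + b"\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    body = SOI + app0 + bytes(5000)
    return body if truncated else body + EOI


def split_into_segments(data, mss=1460):
    """Chop the object into TCP-payload-sized pieces (in order, no loss)."""
    return [data[i:i + mss] for i in range(0, len(data), mss)]


def per_segment_verdicts(segments):
    """Mimic the posted footer/abnormal rules: look at the last two bytes of
    every buffer handed to detection.  Each buffer that is not the final one
    ends mid-image, so it is reported 'Abnormal' even for a well-formed file,
    which is exactly the alert pattern in the logs above."""
    return ["Footer" if seg.endswith(EOI) else "Abnormal" for seg in segments]


def whole_object_verdict(segments):
    """Evaluate header and footer once, against the reassembled object."""
    data = b"".join(segments)
    if not (data.startswith(SOI + APP0_JFIF) or data.startswith(SOI + APP1_EXIF)):
        return "Not JPEG"
    return "Footer" if data.endswith(EOI) else "Abnormal"


if __name__ == "__main__":
    for label, truncated in (("normal", False), ("abnormal", True)):
        segs = split_into_segments(build_sample_jpeg(truncated))
        print(label, per_segment_verdicts(segs), "->", whole_object_verdict(segs))
```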



