Snort mailing list archives
Re: flowbits - checking multiple bits being set to create alerting
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Wed, 15 Jun 2011 18:04:17 +0000
On 6/14/2011 4:37 PM, Patrick Mullen wrote:
> Eoin,
>
> Could you send a pcap and the three rules (the rule below and the two flowbit setting rules) to me that demonstrate this behavior? If what you describe is correct, this is a bug and we need to correct it. The way the rules language works, the flowbit checks as described below should be an AND-type series of checks.
>
> Thanks,
>
> ~Patrick
Patrick,

Thanks for looking into this and confirming the behavior. After a little more testing, I think I am mistaken/being an idiot. I guess when you have a rule only check for the existence of the two flowbits being set and nothing else whatsoever, then it just logs every packet in the tagged session. When that session turns out to get combined with HTTP pipelining, then I didn't understand why it was firing. I've got things more squared away and hopefully.

# # # Setting EXE flowbit:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; flowbits:set,ET.http.binary; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Binary_Downloads; sid:2000419; rev:12;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE Install Windows file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program must be "; distance: 0; isdataat: 140,relative; content:"PE "; distance: 0; flowbits:set,ET.http.binary; classtype:policy-violation; reference:url,www.program-transformation.org/Transform/PcExeFormat; reference:url,doc.emergingthreats.net/bin/view/Main/2000427; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Binary_Downloads; sid:2000427; rev:12;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Likely Binary in HTTP by Type Flowbit"; flow:established,from_server; flowbits:isnotset,ET.http.binary; content:"HTTP/1"; depth:6; content:"Content-Type|3a| application/"; nocase; http_header; flowbits:noalert; flowbits:set,ET.http.binary; classtype:not-suspicious; reference:url,doc.emergingthreats.net/2007670; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Small_Binary_Downloads; sid:2007670; rev:6;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download (2)"; flow:established; content:"MZ"; isdataat:76,relative; content:"Windows Program"; distance:0; isdataat:10,relative; content:"PE"; distance:0; flowbits:set,ET.http.binary; classtype:policy-violation; reference:url,doc.emergingthreats.net/2010869; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Binary_Downloads; sid:2010869; rev:2;)

# # # Setting Java Client flowbit:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"AOL TEST Java Client HTTP Request"; content:" Java/1."; http_header; flowbits:set,ET.http.javaclient; classtype:misc-activity; sid:7000015; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"AOL TEST Vulnerable Java Version 1.5.x Detected"; flowbits:isset,ET.http.javaclient; content:" Java/1.5."; http_header; flowbits:set,ET.http.javaclient.vulnerable; flowbits:unset,ET.http.javaclient; classtype:bad-unknown; sid:7000016; rev:6;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"AOL TEST Vulnerable Java Version 1.6.x Detected"; flowbits:isset,ET.http.javaclient; content:" Java/1.6.0_"; http_header; pcre:"/Java\/1.6.0_([0-1][0-9]|2[0-3])/"; flowbits:set,ET.http.javaclient.vulnerable; flowbits:unset,ET.http.javaclient; classtype:bad-unknown; sid:7000017; rev:7;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"AOL TEST Vulnerable Java Version 1.4.x Detected"; flowbits:isset,ET.http.javaclient; content:" Java/1.4."; http_header; flowbits:set,ET.http.javaclient.vulnerable; flowbits:unset,ET.http.javaclient; classtype:bad-unknown; sid:7000018; rev:7;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"AOL TEST Vulnerable Java Version EXE Download"; flowbits:isset,ET.http.binary; flowbits:isset,ET.http.javaclient.vulnerable; threshold:type limit,track by_src,count 1,seconds 5; classtype:trojan-activity; sid:7000019; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"AOL TEST Java EXE Download"; flowbits:isset,ET.http.binary; flowbits:isset,ET.http.javaclient; threshold:type limit,track by_src,count 1,seconds 5; classtype:trojan-activity; sid:7000020; rev:1;)

I added some thresholding with type limit and that seems to have squared away the problem in our testing environment. I'll be running these for the next few days and monitoring the output on the live stuff.

-- Eoin
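The behaviour Eoin describes, a rule that carries only two `flowbits:isset` checks firing on every packet of the session until a `threshold:type limit` caps it, can be reproduced with a small model of the flowbit and threshold logic. This is an added example, not code from the thread and not Snort's own engine: it is a simplified, assumed model in which `content:` is a plain substring check, rules are evaluated in list order per packet, flowbits are a per-flow set, and `type limit, track by_src, count 1, seconds 5` passes the first alert per source in each 5-second window and suppresses the rest. The traffic (one flow between 10.0.0.5 and 203.0.113.7) is constructed.

```python
import re
from collections import defaultdict

# Constructed sample flow (not from the thread): a Java client request followed
# by a PE download split over several server packets. ts is seconds.
PE_STUB = "MZ" + "\x90" * 60 + "This program cannot be run in DOS mode." + "\x00" * 10 + "PE"
SAMPLE_PACKETS = [
    {"ts": 0, "flow": "f1", "dir": "c2s", "src": "10.0.0.5",
     "payload": "GET /update.exe HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Java/1.6.0_20\r\n\r\n"},
    {"ts": 1, "flow": "f1", "dir": "s2c", "src": "203.0.113.7",
     "payload": "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n" + PE_STUB},
    {"ts": 2, "flow": "f1", "dir": "s2c", "src": "203.0.113.7", "payload": "\x00" * 1400},
    {"ts": 3, "flow": "f1", "dir": "s2c", "src": "203.0.113.7", "payload": "\x00" * 1400},
    {"ts": 7, "flow": "f1", "dir": "s2c", "src": "203.0.113.7", "payload": "\x00" * 1400},
]


def build_rules(with_threshold):
    """Simplified stand-ins for the thread's rules (assumed model, not Snort
    rule syntax): same sids and flowbit names, content reduced to substrings."""
    binary_check = {"sid": 7000019, "dir": "s2c",
                    "isset": ["ET.http.binary", "ET.http.javaclient.vulnerable"]}
    if with_threshold:
        binary_check["threshold"] = {"type": "limit", "track": "by_src", "count": 1, "seconds": 5}
    return [
        {"sid": 7000015, "dir": "c2s", "content": [" Java/1."], "set": ["ET.http.javaclient"]},
        {"sid": 7000017, "dir": "c2s", "isset": ["ET.http.javaclient"], "content": [" Java/1.6.0_"],
         "pcre": r"Java/1\.6\.0_([0-1][0-9]|2[0-3])",
         "set": ["ET.http.javaclient.vulnerable"], "unset": ["ET.http.javaclient"]},
        {"sid": 2000419, "dir": "s2c",
         "content": ["MZ", "This program cannot be run in DOS mode.", "PE"],
         "set": ["ET.http.binary"]},
        binary_check,
    ]


class FlowbitEngine:
    """Per-flow flowbit state plus per-(sid, src) limit thresholds."""

    def __init__(self, rules):
        self.rules = rules
        self.flowbits = defaultdict(set)   # flow id -> bits currently set
        self.windows = {}                  # (sid, src) -> (window start ts, alerts seen)
        self.alerts = []                   # (sid, ts) for every alert that got through

    def _matches(self, rule, pkt, bits):
        if rule.get("dir") and rule["dir"] != pkt["dir"]:
            return False
        if any(c not in pkt["payload"] for c in rule.get("content", [])):
            return False
        if rule.get("pcre") and not re.search(rule["pcre"], pkt["payload"]):
            return False
        # Every isset must hold: AND semantics, as Patrick describes.
        return all(b in bits for b in rule.get("isset", []))

    def _suppressed(self, rule, pkt):
        th = rule.get("threshold")
        if not th:
            return False
        key = (rule["sid"], pkt["src"])
        start, seen = self.windows.get(key, (None, 0))
        if start is None or pkt["ts"] - start >= th["seconds"]:
            self.windows[key] = (pkt["ts"], 1)   # first alert of a new window passes
            return False
        self.windows[key] = (start, seen + 1)
        return seen + 1 > th["count"]

    def feed(self, pkt):
        bits = self.flowbits[pkt["flow"]]
        for rule in self.rules:
            if not self._matches(rule, pkt, bits):
                continue
            bits.update(rule.get("set", []))
            bits.difference_update(rule.get("unset", []))
            if not self._suppressed(rule, pkt):
                self.alerts.append((rule["sid"], pkt["ts"]))


def alert_count(sid, with_threshold, packets=SAMPLE_PACKETS):
    """Run the sample flow through the model and count alerts for one sid."""
    eng = FlowbitEngine(build_rules(with_threshold))
    for p in packets:
        eng.feed(p)
    return sum(1 for s, _ in eng.alerts if s == sid)


if __name__ == "__main__":
    print("7000019 without threshold:", alert_count(7000019, False))  # one alert per server packet
    print("7000019 with threshold:   ", alert_count(7000019, True))   # one per 5-second window
```

Once both bits are set on packet 2, the flowbit-only rule has nothing left to fail on, so it matches packets 2, 3, 4 and 7 without the threshold; with `count 1, seconds 5` only packet 2 and the packet at ts 7 (a new window) get through. Anything that narrows the alerting rule to a single point in the session, such as matching on the response header or an `http_header` content, would achieve the same without depending on a time window.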