Snort mailing list archives

Re: flowbits - checking multiple bits being set to create alerting


From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Wed, 15 Jun 2011 18:04:17 +0000

On 6/14/2011 4:37 PM, Patrick Mullen wrote:
Eoin,

Could you send a pcap and the three rules (the rule below and the two
flowbit setting rules) to me that demonstrate this behavior?  If what
you describe is correct, this is a bug and we need to correct it.  The
way the rules language works, the flowbit checks as described below
should be an AND-type series of checks.


Thanks,

~Patrick
Patrick,

Thanks for looking into this and confirming the behavior. After a 
little more testing, I think I am mistaken/being an idiot. I guess when 
you have a rule only check for the existence of the two flowbits being 
set and nothing else whatsoever, then it just logs every packet in the 
tagged session. When that session turns out to get combined with HTTP 
pipelining, then I didn't understand why it was firing. I've got things 
more squared away and hopefully.

#
#
# Setting EXE flowbit:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; flowbits:set,ET.http.binary; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Binary_Downloads; sid:2000419; rev:12;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE Install Windows file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program must be "; distance: 0; isdataat: 140,relative; content:"PE"; distance: 0; flowbits:set,ET.http.binary; classtype:policy-violation; reference:url,www.program-transformation.org/Transform/PcExeFormat; reference:url,doc.emergingthreats.net/bin/view/Main/2000427; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Binary_Downloads; sid:2000427; rev:12;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Likely Binary in HTTP by Type Flowbit"; flow:established,from_server; flowbits:isnotset,ET.http.binary; content:"HTTP/1"; depth:6; content:"Content-Type|3a| application/"; nocase; http_header; flowbits:noalert; flowbits:set,ET.http.binary; classtype:not-suspicious; reference:url,doc.emergingthreats.net/2007670; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Small_Binary_Downloads; sid:2007670; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download (2)"; flow:established; content:"MZ"; isdataat:76,relative; content:"Windows Program"; distance:0; isdataat:10,relative; content:"PE"; distance:0; flowbits:set,ET.http.binary; classtype:policy-violation; reference:url,doc.emergingthreats.net/2010869; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Binary_Downloads; sid:2010869; rev:2;)
#
#
# Setting Java Client flowbit:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"AOL TEST Java Client HTTP Request"; content:" Java/1."; http_header; flowbits:set,ET.http.javaclient; classtype:misc-activity; sid:7000015; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"AOL TEST Vulnerable Java Version 1.5.x Detected"; flowbits:isset,ET.http.javaclient; content:" Java/1.5."; http_header; flowbits:set,ET.http.javaclient.vulnerable; flowbits:unset,ET.http.javaclient; classtype:bad-unknown; sid:7000016; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"AOL TEST Vulnerable Java Version 1.6.x Detected"; flowbits:isset,ET.http.javaclient; content:" Java/1.6.0_"; http_header; pcre:"/Java\/1.6.0_([0-1][0-9]|2[0-3])/"; flowbits:set,ET.http.javaclient.vulnerable; flowbits:unset,ET.http.javaclient; classtype:bad-unknown; sid:7000017; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"AOL TEST Vulnerable Java Version 1.4.x Detected"; flowbits:isset,ET.http.javaclient; content:" Java/1.4."; http_header; flowbits:set,ET.http.javaclient.vulnerable; flowbits:unset,ET.http.javaclient; classtype:bad-unknown; sid:7000018; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"AOL TEST Vulnerable Java Version EXE Download"; flowbits:isset,ET.http.binary; flowbits:isset,ET.http.javaclient.vulnerable; threshold:type limit,track by_src,count 1,seconds 5; classtype:trojan-activity; sid:7000019; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"AOL TEST Java EXE Download"; flowbits:isset,ET.http.binary; flowbits:isset,ET.http.javaclient; threshold:type limit,track by_src,count 1,seconds 5; classtype:trojan-activity; sid:7000020; rev:1;)

I added some thresholding with type limit and that seems to have squared 
away the problem in our testing environment. I'll be running these for 
the next few days and monitoring the output on the live stuff.

-- Eoin
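The behaviour the thread settles on (multiple flowbits:isset checks are ANDed; a rule that carries nothing but flowbits checks matches every later packet of the flow; threshold:type limit keeps that to one alert per source per window) can be reproduced with a small model of the engine. The following Python is an added example written for this archive page, not Snort code and not the poster's: it reduces each rule to a substring/regex match against a constructed payload, ignores flow/http_header modifiers, evaluates rules in list order with bits set by an earlier rule visible to later rules on the same packet, and models only threshold:type limit,track by_src,count 1. The sids mirror the thread; the IP addresses, payloads and timestamps are constructed.

```python
"""Toy model of Snort flowbits and threshold semantics (added example, not Snort code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    sid: int
    content: Optional[str] = None           # substring the payload must contain
    pcre: Optional[str] = None              # regex the payload must match
    flowbits: List[Tuple[str, str]] = field(default_factory=list)  # (op, bit name)
    limit_seconds: Optional[float] = None   # threshold:type limit,count 1,seconds N


@dataclass
class Packet:
    ts: float      # seconds
    src: str
    dst: str
    payload: str


class Engine:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.flows: Dict[frozenset, set] = {}            # endpoints -> bits currently set
        self.windows: Dict[Tuple[int, str], float] = {}  # (sid, src) -> window start

    def _checks_pass(self, rule: Rule, bits: set) -> bool:
        # Every isset/isnotset must hold: the checks are ANDed, never ORed.
        for op, name in rule.flowbits:
            if op == "isset" and name not in bits:
                return False
            if op == "isnotset" and name in bits:
                return False
        return True

    def _threshold_allows(self, rule: Rule, pkt: Packet) -> bool:
        if rule.limit_seconds is None:
            return True
        key = (rule.sid, pkt.src)
        start = self.windows.get(key)
        if start is None or pkt.ts - start >= rule.limit_seconds:
            self.windows[key] = pkt.ts    # first event of a new window: alert
            return True
        return False                      # further events in the window: suppressed

    def process(self, pkt: Packet) -> List[int]:
        """Return the sids that alert on this packet."""
        bits = self.flows.setdefault(frozenset((pkt.src, pkt.dst)), set())
        alerts = []
        for rule in self.rules:
            if rule.content is not None and rule.content not in pkt.payload:
                continue
            if rule.pcre is not None and re.search(rule.pcre, pkt.payload) is None:
                continue
            if not self._checks_pass(rule, bits):
                continue
            noalert = False               # matched: apply side effects, then decide on alerting
            for op, name in rule.flowbits:
                if op == "set":
                    bits.add(name)
                elif op == "unset":
                    bits.discard(name)
                elif op == "noalert":
                    noalert = True
            if not noalert and self._threshold_allows(rule, pkt):
                alerts.append(rule.sid)
        return alerts


# Simplified versions of the rules in the thread (same sids, same flowbits logic).
RULES = [
    Rule(2007670, content="Content-Type: application/",
         flowbits=[("isnotset", "ET.http.binary"), ("noalert", ""), ("set", "ET.http.binary")]),
    Rule(2000419, content="This program cannot be run in DOS mode.",
         flowbits=[("set", "ET.http.binary")]),
    Rule(7000015, content=" Java/1.", flowbits=[("set", "ET.http.javaclient")]),
    Rule(7000017, content=" Java/1.6.0_", pcre=r"Java/1\.6\.0_([0-1][0-9]|2[0-3])",
         flowbits=[("isset", "ET.http.javaclient"), ("set", "ET.http.javaclient.vulnerable"),
                   ("unset", "ET.http.javaclient")]),
    Rule(7000019, flowbits=[("isset", "ET.http.binary"),
                            ("isset", "ET.http.javaclient.vulnerable")], limit_seconds=5),
    Rule(7000020, flowbits=[("isset", "ET.http.binary"),
                            ("isset", "ET.http.javaclient")], limit_seconds=5),
]

# Constructed endpoints and payloads (not captured traffic).
SERVER, JAVA_CLIENT, OTHER_CLIENT = "203.0.113.10", "10.0.0.5", "10.0.0.6"
EXE_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
                "MZ...This program cannot be run in DOS mode.PE")


def run(packets: List[Packet]) -> List[List[int]]:
    eng = Engine(RULES)
    return [eng.process(p) for p in packets]


def java_flow_alerts() -> List[List[int]]:
    """Old Java client fetches an EXE; later packets of the same file keep matching 7000019."""
    return run([
        Packet(0.0, JAVA_CLIENT, SERVER, "GET /a.exe HTTP/1.1\r\nUser-Agent: Java/1.6.0_17\r\n"),
        Packet(0.1, SERVER, JAVA_CLIENT, EXE_RESPONSE),
        Packet(0.2, SERVER, JAVA_CLIENT, "...more of the same file..."),   # inside 5 s window
        Packet(6.0, SERVER, JAVA_CLIENT, "...still the same file..."),     # new window
    ])


def plain_flow_alerts() -> List[List[int]]:
    """Same download by a non-Java client: binary bit alone never satisfies the AND."""
    return run([
        Packet(0.0, OTHER_CLIENT, SERVER, "GET /a.exe HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n"),
        Packet(0.1, SERVER, OTHER_CLIENT, EXE_RESPONSE),
    ])


if __name__ == "__main__":
    print("java client flow :", java_flow_alerts())
    print("other client flow:", plain_flow_alerts())
```

In the Java flow, packet 3 matches sid 7000019 again (only flowbits checks, all still true) but the limit threshold suppresses it, and packet 4 alerts once more because the 5 second window has expired; 7000020 never fires because 7000017 unset ET.http.javaclient when it set the vulnerable bit. The non-Java flow shows the AND: ET.http.binary is set, but without ET.http.javaclient.vulnerable sid 7000019 stays quiet.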
