Snort mailing list archives

Flowbits and rule ordering issue


From: "Leach, Rob M (NAM E)" <rob.leach () siemens com>
Date: Wed, 8 Feb 2012 13:59:37 -0600

Hello Snort-Users!

  I am having some issues making a flowbits "set" operation be recognized on the first packet of a UDP stream. Specifically, I set a flag called 'acme_noalert' and have all the firewall verification rules check isnotset:acme_noalert.

  When the first packet of a flow comes in, three rules seem to trigger:
     1) Base RPC-Decode informational rules  -- prints output
     2) The (flowbits:set,acme_noalert) rule -- no print
     3) The fw-verify "invalid port" rule  -- prints output (acme_noalert isn't set?)

  When each subsequent packet of a flow comes in, the same three rules trigger:
     1) Base RPC-Decode informational stuff -- sometimes prints
     2) The (flowbits:set,acme_noalert) rule -- no print, no net effect
     3) The fw-verify "invalid port" rule -- no print (acme_noalert has been set)

  Is it possible to force snort to evaluate rule (2) before rule (3)?  Is there some other way of flagging the flow for my other rules?



  Below is a sanitized set of vars, rules, and example "before" and "after" logfiles.

  I have an example .pcap file that triggers the issue, but am unsure how to distribute it to the users list.  (Please let me know what I should do to distribute it.)

  Also, let me know if I should instead re-send this mail with attachments instead of inline text.


Thanks,
-Rob

~~~~~~snort.conf additions~~~~~
#######################################
# Example rules
#######################################

###### HOSTS
var ACME_HOST_TYPE_GREEN [192.168.1.11]

var ACME_HOST_TYPE_ORANGE [192.168.1.22]

# All ACME AIX hosts
var ACME_HOST_ALL_AIX [192.168.1.11,192.168.1.22]

###### PORTS
# AIX ports which are bindable only by root
portvar ACME_PORTS_AIX_ROOT_RESV [1:1023]

# Note: Default ephemeral port range restricted by ACME
portvar ACME_PORTS_AIX_EPHEMERAL [58535:65535]

# Portmapper-111 NFS-2049  LowEphemeral--58535:58555
portvar ACME_PORTS_AIX_PORTMAPPED_SVCS [111,2049,58535:58555]

#### Verify-firewall ports
portvar ACME_PORTS_GREENAIX [22,23,111,2049,5943,5432,7950,8000,8080,8380,58535:65535]

portvar ACME_PORTS_ORANGEAIX [22,23,111,2049,5943,5432,7950,8000,8080,8380,58535:65535]

##****************************************************************
##*  Insert the following include after the last "include" statement in snort.conf
##****************************************************************
include $RULE_PATH/acme-noalert.rules

include $RULE_PATH/acme-verify-firewall.rules


~~~~~~~$RULE_PATH/acme-noalert.rules ~~~~~~~
##### ---- Begin custom non-generated pre-base rules ---- #####
# Mark as "acme_noalert" -- allows other rules to alert on suspicious traffic
# UDP Portmapper - both directions, just in case

alert udp $ACME_HOST_ALL_AIX $ACME_PORTS_AIX_ROOT_RESV -> $ACME_HOST_ALL_AIX 111 (flowbits:set,acme_noalert; flowbits:noalert; sid:88001;)
alert udp $ACME_HOST_ALL_AIX 111 -> $ACME_HOST_ALL_AIX $ACME_PORTS_AIX_ROOT_RESV (flowbits:set,acme_noalert; flowbits:noalert; sid:88002;)

# TCP Portmapped Services - ONE direction
alert tcp $ACME_HOST_ALL_AIX $ACME_PORTS_AIX_ROOT_RESV -> $ACME_HOST_ALL_AIX $ACME_PORTS_AIX_PORTMAPPED_SVCS (flowbits:set,acme_noalert; flowbits:noalert; sid:88003;)

~~~~~~~$RULE_PATH/acme-verify-firewall.rules ~~~~~~~
alert udp $ACME_HOST_TYPE_GREEN !$ACME_PORTS_GREENAIX -> any any (flowbits:isnotset,acme_noalert; msg:"FW validate - invalid SRC UDP port for GREEN AIX"; classtype:misc-attack; sid:89001; rev:1;)
alert tcp $ACME_HOST_TYPE_GREEN !$ACME_PORTS_GREENAIX -> any any (flowbits:isnotset,acme_noalert; msg:"FW validate - invalid SRC TCP port for GREEN AIX"; classtype:misc-attack; sid:89002; rev:1;)

alert udp any any -> $ACME_HOST_TYPE_GREEN !$ACME_PORTS_GREENAIX (flowbits:isnotset,acme_noalert; msg:"FW validate - invalid DST UDP port for GREEN AIX"; classtype:misc-attack; sid:89003; rev:1;)
alert tcp any any -> $ACME_HOST_TYPE_GREEN !$ACME_PORTS_GREENAIX (flowbits:isnotset,acme_noalert; msg:"FW validate - invalid DST TCP port for GREEN AIX"; classtype:misc-attack; sid:89004; rev:1;)

alert udp $ACME_HOST_TYPE_ORANGE !$ACME_PORTS_ORANGEAIX -> any any (flowbits:isnotset,acme_noalert; msg:"FW validate - invalid SRC UDP port for ORANGE AIX"; classtype:misc-attack; sid:89011; rev:1;)
alert tcp $ACME_HOST_TYPE_ORANGE !$ACME_PORTS_ORANGEAIX -> any any (flowbits:isnotset,acme_noalert; msg:"FW validate - invalid SRC TCP port for ORANGE AIX"; classtype:misc-attack; sid:89012; rev:1;)

alert udp any any -> $ACME_HOST_TYPE_ORANGE !$ACME_PORTS_ORANGEAIX (flowbits:isnotset,acme_noalert; msg:"FW validate - invalid DST UDP port for ORANGE AIX"; classtype:misc-attack; sid:89013; rev:1;)
alert tcp any any -> $ACME_HOST_TYPE_ORANGE !$ACME_PORTS_ORANGEAIX (flowbits:isnotset,acme_noalert; msg:"FW validate - invalid DST TCP port for ORANGE AIX"; classtype:misc-attack; sid:89014; rev:1;)

~~~~~~~~ EXAMPLE LOG WITH acme-noalert.rules ENABLED ~~~~~~~~
02/07-08:11:34.803555  [**] [1:579:11] RPC portmap mountd request UDP [**] [Classification: Decode of an RPC Query] [Priority: 2] {UDP} 192.168.1.22:807 -> 192.168.1.11:111
02/07-08:11:34.803555  [**] [1:89011:1] FW validate - invalid SRC UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.22:807 -> 192.168.1.11:111
02/07-08:11:34.807006  [**] [1:1959:9] RPC portmap NFS request UDP [**] [Classification: Decode of an RPC Query] [Priority: 2] {UDP} 192.168.1.22:809 -> 192.168.1.11:111
02/07-08:11:34.807006  [**] [1:89011:1] FW validate - invalid SRC UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.22:809 -> 192.168.1.11:111

~~~~~~~~ EXAMPLE LOG WITHOUT acme-noalert.rules ~~~~~~~~~~~~~
02/07-08:11:34.803555  [**] [1:579:11] RPC portmap mountd request UDP [**] [Classification: Decode of an RPC Query] [Priority: 2] {UDP} 192.168.1.22:807 -> 192.168.1.11:111
02/07-08:11:34.803555  [**] [1:89011:1] FW validate - invalid SRC UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.22:807 -> 192.168.1.11:111
02/07-08:11:34.803849  [**] [1:89013:1] FW validate - invalid DST UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.11:111 -> 192.168.1.22:807
02/07-08:11:34.804600  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:808 -> 192.168.1.11:58535
02/07-08:11:34.804758  [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:58535 -> 192.168.1.22:808
02/07-08:11:34.804803  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:808 -> 192.168.1.11:58535
02/07-08:11:34.804955  [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:58535 -> 192.168.1.22:808
02/07-08:11:34.805001  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:808 -> 192.168.1.11:58535
02/07-08:11:34.805151  [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:58535 -> 192.168.1.22:808
02/07-08:11:34.805803  [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:58535 -> 192.168.1.22:808
02/07-08:11:34.805848  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:808 -> 192.168.1.11:58535
02/07-08:11:34.807006  [**] [1:1959:9] RPC portmap NFS request UDP [**] [Classification: Decode of an RPC Query] [Priority: 2] {UDP} 192.168.1.22:809 -> 192.168.1.11:111
02/07-08:11:34.807006  [**] [1:89011:1] FW validate - invalid SRC UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.22:809 -> 192.168.1.11:111
02/07-08:11:34.807308  [**] [1:89013:1] FW validate - invalid DST UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.11:111 -> 192.168.1.22:809
02/07-08:11:34.807993  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:810 -> 192.168.1.11:2049
02/07-08:11:34.808099  [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:2049 -> 192.168.1.22:810
02/07-08:11:34.808212  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:810 -> 192.168.1.11:2049
02/07-08:11:34.808329  [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:2049 -> 192.168.1.22:810
02/07-08:11:34.808422  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:810 -> 192.168.1.11:2049
02/07-08:11:34.808547  [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:2049 -> 192.168.1.22:810
02/07-08:11:34.808554  [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:2049 -> 192.168.1.22:810
02/07-08:11:34.808749  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:810 -> 192.168.1.11:2049
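The evaluation-order effect described in the mail, modelled as an added example that is not part of the original post and is not Snort's detection engine: a toy rule evaluator with per-flow bits, `flowbits:set`, `flowbits:isnotset` and `flowbits:noalert`, run over a constructed three-packet portmapper exchange built from the addresses and ports in the posted log (sids 88001, 89011 and 89013 are the posted rules, reduced to their header and flowbits options). Rule order is a parameter, so you can see that only the first packet of the flow is affected: when the verify rule is evaluated before the set rule, sid 89011 fires once; when the set rule goes first, nothing fires, and from the second packet on both orders agree because the bit was set on an earlier packet.

```python
"""
Toy model of Snort-style flowbits evaluation (added illustration, not Snort
and not code from the original mail). It models only per-flow bits, a fixed
rule order, and the set / isnotset / noalert options, which is enough to
reproduce the first-packet behaviour described in the post.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    sid: int
    proto: str
    src_hosts: frozenset          # frozenset() means "any"
    sports: frozenset             # frozenset() means "any"
    dst_hosts: frozenset
    dports: frozenset
    sports_negated: bool = False  # "!$PORTVAR" in the header
    dports_negated: bool = False
    set_bit: str = ""             # flowbits:set,<name>
    isnotset_bit: str = ""        # flowbits:isnotset,<name>
    noalert: bool = False         # flowbits:noalert

    def header_matches(self, p):
        def ok(value, allowed, negated=False):
            if not allowed:
                return True
            return (value not in allowed) if negated else (value in allowed)
        return (self.proto == p.proto
                and ok(p.src, self.src_hosts)
                and ok(p.sport, self.sports, self.sports_negated)
                and ok(p.dst, self.dst_hosts)
                and ok(p.dport, self.dports, self.dports_negated))


def flow_key(p):
    # Flowbits belong to the flow, which is bidirectional: both directions of
    # a conversation must resolve to the same key.
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))


def run(rules, packets):
    """Evaluate rules in list order on each packet; return (packet_index, sid) alerts."""
    flows = {}
    alerts = []
    for i, p in enumerate(packets):
        bits = flows.setdefault(flow_key(p), set())
        for r in rules:
            if not r.header_matches(p):
                continue
            if r.isnotset_bit and r.isnotset_bit in bits:
                continue               # isnotset fails: the bit is already present
            if r.set_bit:
                bits.add(r.set_bit)    # visible to rules evaluated later on this packet
            if not r.noalert:
                alerts.append((i, r.sid))
    return alerts


# Values taken from the posted config.
AIX = frozenset({"192.168.1.11", "192.168.1.22"})
ORANGE = frozenset({"192.168.1.22"})
ROOT_RESV = frozenset(range(1, 1024))
ORANGEAIX = frozenset({22, 23, 111, 2049, 5943, 5432, 7950, 8000, 8080, 8380}
                      | set(range(58535, 65536)))
NOALERT = "acme_noalert"

# sid 88001: root-reserved src port -> portmapper; sets the bit, never alerts.
SET_RULE = Rule(88001, "udp", AIX, ROOT_RESV, AIX, frozenset({111}),
                set_bit=NOALERT, noalert=True)
# sid 89011: ORANGE host sending from a port outside the permitted list.
VERIFY_SRC = Rule(89011, "udp", ORANGE, ORANGEAIX, frozenset(), frozenset(),
                  sports_negated=True, isnotset_bit=NOALERT)
# sid 89013: anything arriving at an ORANGE host on a port outside the list.
VERIFY_DST = Rule(89013, "udp", frozenset(), frozenset(), ORANGE, ORANGEAIX,
                  dports_negated=True, isnotset_bit=NOALERT)

# Constructed flow mirroring the first log lines: request from port 807, reply, repeat.
PACKETS = [
    Packet("udp", "192.168.1.22", 807, "192.168.1.11", 111),
    Packet("udp", "192.168.1.11", 111, "192.168.1.22", 807),
    Packet("udp", "192.168.1.22", 807, "192.168.1.11", 111),
]


def alerts_set_first():
    return run([SET_RULE, VERIFY_SRC, VERIFY_DST], PACKETS)


def alerts_verify_first():
    return run([VERIFY_SRC, VERIFY_DST, SET_RULE], PACKETS)


if __name__ == "__main__":
    print("set rule evaluated first:   ", alerts_set_first())
    print("verify rules evaluated first:", alerts_verify_first())
```

The model makes the dependency explicit: an `isnotset` check on the same packet that sets the bit is only reliable if the engine happens to evaluate the setting rule first, whereas a check on any later packet of the flow sees the bit regardless of order. In the real engine the order is not something the rule file controls, so a design that needs the exemption to hold on the very first packet should express it in the verify rule's own header or options rather than through a bit set by a sibling rule.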
