Snort mailing list archives
Re: base64 snort options
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 8 Jun 2012 15:44:38 -0400
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Suspicious outbound post"; flow:to_server,established;
content:"POST"; http_method; content:"index.php"; http_uri; flowbits:set,badpost; flowbits:noalert; sid:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $EXTERNAL_NET $HTTP_PORTS (msg:"base64 returned from outbound post";
flow:to_client,established; flowbits:isset,badpost; content:"200"; http_stat_code; content:"text/html";
base64_decode:relative; base64_data; content:"webmail.vigilante.dk"; sid:2;)
or
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $EXTERNAL_NET $HTTP_PORTS (msg:"base64 returned from outbound post";
flow:to_client,established; flowbits:isset,badpost; content:"200"; http_stat_code; content:"text/html";
base64_decode:relative; base64_data; content:"varchar("; content:"cast("; distance:0; sid:3;)
Actually the below won't work, the above should.
On Jun 8, 2012, at 3:43 PM, Joel Esler wrote:
Maybe something like this: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Suspicious outbound post"; flow:to_server,established; content:"POST"; http_method; content:"index.php"; http_uri; flowbits:set,badpost; flowbits:noalert; sid:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $EXTERNAL_NET $HTTP_PORTS (msg:"base64 returned from outbound post"; flow:to_client,established; flowbits:isset,badpost; content:"200"; http_stat_code; content:"text/html"; http_header; base64_decode:relative; base64_data; content:"webmail.vigilante.dk"; sid:2;) or alert tcp $EXTERNAL_NET $HTTP_PORTS -> $EXTERNAL_NET $HTTP_PORTS (msg:"base64 returned from outbound post"; flow:to_client,established; flowbits:isset,badpost; content:"200"; http_stat_code; content:"text/html"; http_header; base64_decode:relative; base64_data; content:"varchar("; content:"cast("; distance:0; sid:3;) Note, I wrote those off the top of my head. I didn't test them as I don't have a pcap of the traffic. -- Joel Esler Senior Research Engineer, VRT OpenSource Community Manager Sourcefire On Jun 8, 2012, at 2:05 AM, whliudunjun wrote:when i use snort to scan pcap package,the net traffic like following: the traffic:--------------------------------------------------------------------------------------- send: POST /metcon/index.php?id=73EEFFDBC2080030429BE52FA2866576 HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Axo 9.104.044 ) Host: 178.157.202.31 Content-Length: 4 Cache-Control: no-cache INIT receive: HTTP/1.1 200 OK Date: Wed, 06 Jun 2012 09:58:00 GMT Server: Apache Vary: Accept-Encoding Content-Length: 2196 Content-Type: text/html d2VibWFpbC52aWdpbGFudGUuZGs=#ODA=#MDAwMA==#L2luZGV4LnBocD9pZD0xJnR5cGU9YWxsJTI3ZGVjbGFyZSUyMEBzJTIwdmFyY2hhcig0MDAwKTtzZXQlMjBAcz1jYXN0KDB4NjQ2NTYzNkM2MTcyNjUyMDQwNzQyMDc2NjE3MjYzNjg2MTcyMjgzMjM1MzUyOTJDNDA2MzIwNzY2MTcyNjM2ODYxNzIyODMyMzUzNTI5MjA2NDY1NjM2QzYxNzI2NTIwNzQ2MTYyNkM2NTVGNjM3NTcyNzM2RjcyMjA2Mzc1NzI3MzZGNzIyMDY2NkY3MjIwNzM2NTZDNjU2Mzc0MjA2MTJFNkU2MTZENjUyQzYyMkU2RTYxNkQ2NTIwNjY3MjZGNkQyMDczNzk3MzZGNjI2QTY1NjM3NDczMjA2MTJDNzM3OTczNjM2RjZDNzU2RDZFNzMyMDYyMjA3NzY4NjU3MjY1MjA2MTJFNjk2NDNENjIyRTY5NjQyMDYxNkU2NDIwNjEyRTc4NzQ3OTcwNjUzRDI3NzUyNzIwNjE2RTY0MjAyODYyMkU3ODc0Nzk3MDY1M0QzOTM5MjA2RjcyMjA2MjJFNzg3NDc5NzA2NTNEMzMzNTIwNkY3MjIwNjIyRTc4NzQ3OTcwNjUzRDMyMzMzMTIwNkY3MjIwNjIyRTc4NzQ3OTcwNjUzRDMxMzYzNzI5MjA2RjcwNjU2RTIwNzQ2MTYyNkM2NTVGNjM3NTcyNzM2RjcyMjA2NjY1NzQ2MzY4MjA2RTY1Nzg3NDIwNjY3MjZGNkQyMDc0NjE2MjZDNjU1RjYzNzU3MjczNkY3MjIwNjk2RTc0NkYyMDQwNzQyQzQwNjMyMDc3Njg2OTZDNjUyODQwNDA2NjY1NzQ2MzY4NUY3Mzc0NjE3NDc1NzMzRDMwMjkyMDYyNjU2NzY5NkUyMDY1Nzg2NTYzMjgyNzc1NzA2NDYxNzQ2NTIwNUIyNzJCNDA3NDJCMjc1RDIwNzM2NTc0MjA1QjI3MkI0MDYzMkIyNzVEM0Q3Mjc0NzI2OTZEMjg2MzZGNkU3NjY1NzI3NDI4NzY2MTcyNjM2ODYxNzIyODM0MzAzMDMwMjkyQzVCMjcyQjQwNjMyQjI3NUQyOTI5MkI2MzYxNzM3NDI4MzA3ODMzNjMzNjM5MzYzNjM3MzIzNjMxMzY2NDM2MzUzMjMwMzczMzM3MzIzNjMzMzM2NDMyMzIzNjM4MzczNDM3MzQzNzMwMzM2MTMyNjYzMjY2MzY2NTM2MzEzNjM0MzY2MTM2NjMzNzMwMzY2NjM2MzkzNzMxMzczNzM2MzUzNjM0MzI2NTM3MzUzNjMxMzI2NjM2NjEzNzMzMzI2NTM3MzAzNjM4MzczMDMzNjYzNzMzMzYzOTM2MzQzMzY0MzMzMjMyMzIzMjMwMzczNzM2MzkzNjM0MzczNDM2MzgzMzY0MzIzMjMzMzAzMjMyMzIzMDM2MzgzNjM1MzYzOTM2MzczNjM4MzczNDMzNjQzMjMyMzMzMDMyMzIzMjMwMzczMzM3MzQzNzM5MzY2MzM2MzUzMzY0MzIzMjM2MzQzNjM5MzczMzM3MzAzNjYzMzYzMTM3MzkzMzYxMzY2NTM2NjYzNjY1MzYzNTMyMzIzMzY1MzM2MzMyNjYzNjM5MzYzNjM3MzIzNjMxMzY2NDM2MzUzMzY1MjA2MTczMjA3NjYxNzI2MzY4NjE3MjI4MzEzMDM2MjkyOTI3MjkyMDY2NjU3NDYzNjgyMDZFNjU3ODc0MjA2NjcyNkY2RDIwNzQ2MTYyNkM2NTVGNjM3NTcyNzM2RjcyMjA2OTZFNzQ2RjIwNDA3NDJDNDA2MzIwNjU2RTY0MjA2MzZDNkY3MzY1MjA3NDYxNjI2QzY1NUY2Mzc1NzI3MzZGNzIyMDY0NjU2MTZDNkM2RjYzNjE3NDY1MjA3NDYxNjI2QzY1NUY2Mzc1NzI3MzZGNzIyMCUyMGFzJTIwdmFyY2hhcig0MDAwKSk7ZXhlYyhAcyk7LS0=#X19fXw==#TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgNS4xKSBBcHBsZVdlYktpdC81MzUuMTkgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTguMC4xMDI1LjE2MiBTYWZhcmkvNTM1LjE5##fDgxMw==# end------------------------------------------------------------------------------------------------------------------------------------------------------- base64: d2VibWFpbC52aWdpbGFudGUuZGs=# ascii:webmail.vigilante.dk the receive data is encode using base64,so i write a snort rules to detected it: 41 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Trojan SQL injection code receive"; flow:to_client,established;content:"HTTP/1.1 200 OK";content:"webmail.vigilante.dk";clas stype:trojan-activity; sid:10000043; rev:1;) why this sig can't detect above traffic,is there anyone can tell me why?or i write rules at a wrong way,or i need to open some config option. ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- base64 snort options whliudunjun (Jun 07)
- Re: base64 snort options praveen_recker . (Jun 08)
- Re: base64 snort options Joel Esler (Jun 08)
- Re: base64 snort options Joel Esler (Jun 08)
- Re: base64 snort options whliudunjun (Jun 11)
- Re: base64 snort options Joel Esler (Jun 11)
- Re: base64 snort options whliudunjun (Jun 11)
- Re: base64 snort options whliudunjun (Jun 11)
- Re: base64 snort options Bhagya Bantwal (Jun 13)
- Re: base64 snort options whliudunjun (Jun 13)
- Re: base64 snort options Joel Esler (Jun 08)