Re: A question on flows with pcaps

[Will Metcalf <william.metcalf () gmail com>]

If you leave flow:established,to_client; and pass "-k none" as a
command line option does it fire?  If so you probably need to disable
checksum offloading on your nic...

http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html

Regards,

Will

On Wed, Aug 8, 2012 at 11:57 AM, James Lay <jlay () slave-tothe-box net> wrote:
> Hey all,
>
> So...I saw this rule posted this morning:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
> CURRENT_EVENTS Blackhole Specific JavaScript Replace hwehes - 8th August
> 2012"; flow:established,to_client; file_data;
> content:".replace(/hwehes/g"; fast_pattern:only;
> classtype:trojan-activity; sid:139994; rev:1;)
>
> I have a packet capture that I wanted to test the above on:
>
>    1 2012-08-08 09:15:00.775111    10.21.0.9 -> 96.126.109.182 TCP 74
> 35498 > 80 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1
> TSval=145666377 TSecr=0 WS=16
>    2 2012-08-08 09:15:00.846374 96.126.109.182 -> 10.21.0.9    TCP 74 80
>  > 35498 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1380 SACK_PERM=1
> TSval=78463678 TSecr=145666377 WS=64
>    3 2012-08-08 09:15:00.846403    10.21.0.9 -> 96.126.109.182 TCP 66
> 35498 > 80 [ACK] Seq=1 Ack=1 Win=14608 Len=0 TSval=145666395
> TSecr=78463678
>    4 2012-08-08 09:15:00.846525    10.21.0.9 -> 96.126.109.182 HTTP 276
> GET /tid6mian.php?q=141afc4be54689c9 HTTP/1.1
>    5 2012-08-08 09:15:00.917513 96.126.109.182 -> 10.21.0.9    TCP 66 80
>  > 35498 [ACK] Seq=1 Ack=211 Win=15552 Len=0 TSval=78463750
> TSecr=145666395
>    6 2012-08-08 09:15:01.880144 96.126.109.182 -> 10.21.0.9    TCP 1561
> [TCP segment of a reassembled PDU]
>    7 2012-08-08 09:15:01.880171    10.21.0.9 -> 96.126.109.182 TCP 66
> 35498 > 80 [ACK] Seq=211 Ack=1496 Win=17600 Len=0 TSval=145666654
> TSecr=78464712
>    8 2012-08-08 09:15:01.880251 96.126.109.182 -> 10.21.0.9    TCP 1521
> [TCP segment of a reassembled PDU]
>    <a lot more ACK's>
> 113 2012-08-08 09:15:02.278602 96.126.109.182 -> 10.21.0.9    HTTP 775
> HTTP/1.1 200 OK  (text/html)
> 114 2012-08-08 09:15:02.278611    10.21.0.9 -> 96.126.109.182 TCP 66
> 35498 > 80 [ACK] Seq=211 Ack=90560 Win=68640 Len=0 TSval=145666753
> TSecr=78465110
> 115 2012-08-08 09:15:02.279393    10.21.0.9 -> 96.126.109.182 TCP 66
> 35498 > 80 [FIN, ACK] Seq=211 Ack=90560 Win=68640 Len=0 TSval=145666754
> TSecr=78465110
> 116 2012-08-08 09:15:02.350151 96.126.109.182 -> 10.21.0.9    TCP 66 80
>  > 35498 [FIN, ACK] Seq=90560 Ack=212 Win=15552 Len=0 TSval=78465182
> TSecr=145666754
> 117 2012-08-08 09:15:02.350174    10.21.0.9 -> 96.126.109.182 TCP 66
> 35498 > 80 [ACK] Seq=212 Ack=90561 Win=68640 Len=0 TSval=145666771
> TSecr=78465182
>
> I basically packet captured a wget of the above link.  Now...when I
> test this against this rule, it doesn't fire...UNLESS I remove the
> flow:established,to_client.  Is there a reason I have to do that?  My
> home and not home net settings below:
>
> ipvar HOME_NET [10.0.0.0/8]
> ipvar EXTERNAL_NET !$HOME_NET
>
> Thanks for any assistance.
>
> James
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!