Mcafee IDS rule processing

[Adrian Good <itsa.aacgood () gmail com>]

Hi all,

I am attempting to troubleshoot a particular snort rule that has been added
to a custom attack set on our Mcafee IDS, and I am hoping that someone can
point me in the right direction.


The rule is below (sid:31229):
alert tcp any any -> any
[36,80,81,82,83,84,85,86,87,88,89,90,311,383,555,591,593,631,801,808,818,901,972,1158,1220,1414,1533,1741,1830,1942,2231,2301,2381,2578,2809,2980,3029,3037,3057,3128,3443,3702,4000,4343,4848,5000,5117,5250,5600,6080,6173,6988,7000,7001,7071,7144,7145,7510,7770,7777,7778,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8333,8344,8500,8509,8800,8888,8899,8983,9000,9060,9080,9090,9091,9111,9290,9443,9999,10000,11371,12601,13014,15489,29991,33300,34412,34443,34444,41080,44449,50000,50002,51423,53331,55252,55555,56712]
(msg:"EXPLOIT-KIT Bleeding Life exploit kit outbound Adobe Flash exploit
request"; flow:to_server,established; content:"/modules/";
fast_pattern:only; http_uri; pcre:"/\/modules\/(n?\d|nu)\.swf$/U";
metadata:policy balanced-ips drop, policy security-ips drop, service http;
classtype:trojan-activity; sid:31229; rev:1;)


The content from the PCAP is the following:
GET
http://player.ooyala.com/static/modules/start_screen-fc89fba4b9d2b24da65dad518a40ede5c8441d7deeb4bf33d0c2ca747bedb700.swf
HTTP/1.1
Host: player.ooyala.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36
X-Requested-With: ShockwaveFlash/18.0.0.209
Accept: */*
Referer:
http://www.skynews.com.au/news/top-stories/2016/02/04/coalition-mps-seek-turnbull-tax-answers.html
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-AU,en;q=0.8
Cookie: BCSI-CS-c87fda4ff6f22bb5=2; BCSI-CS-8d18d10a705be693=2;
BCSI-CS-3d562a66fecc35f6=2


The kicker is that the IDS is showing a Translation Warning for this rule
which states - "Ignored snort option(s): fast_pattern".


Looking into the pcre regex I cant seem to get it to match what the full
HTTP GET request is (unless my regex troubleshooting is flawed), so I am
assuming that the pcap is matching the "content" (/modules/) and with
fast_pattern effectively off, its making a positive match based on the
"content" alone and skipping over "pcre".

Would this assumption be correct? or is anyone able to tell me how rule
processing would work with "content", "pcre" and "no fast_pattern" for this
particular rule?

I hope I have been able to put the question clearly, if not please let me
know.

Many thanks

-Adrian

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!