Snort mailing list archives
Re: Abnormal JPEG file detection rule
From: rmkml <rmkml () ligfy org>
Date: Tue, 21 Mar 2017 21:07:42 +0100 (CET)
Dear Demantos,

Could you share a pcap for testing/replay?
Could you test by adding "flowbits:unset,jpeg_detect" on sid 10000007?

Best Regards
@Rmkml

----- Original message -----
From: "Jim McKibben" <jmckibben () riskanalytics com>
To: "demantos(Cho Hoon)" <demantos () gmail com>
Cc: "snort-sigs" <snort-sigs () lists sourceforge net>
Sent: Tuesday, 21 March 2017 13:44:01
Subject: Re: [Snort-sigs] Abnormal JPEG file detection rule

Just an idea about the alert on the last packet: you can do "log tcp $EXTERNAL_NET any -> $HOME_NET any (msg...)" instead of "alert tcp..." and that will cause a log entry on the IDS but no alert; it should still set the flowbits though. Then alert on a normal footer or lack thereof and/or some other EOF bit.

I am only slightly experienced in snort rule writing, and what you are doing with the stream5 preprocessor is outside my wheelhouse, keep up the good work!

On Mon, Mar 20, 2017 at 7:55 PM, demantos(Cho Hoon) <demantos () gmail com> wrote:
Hello,

I want to detect normal/abnormal JPEG files. So I wrote rules to detect abnormal JPEG files like below.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"JPEG response detected - Header"; content:"|FF D8 FF E0|"; offset:0; gid:1; sid:10000002; rev:001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"JPEG response detected - Footer"; content:"|FF D8 FF E0|"; byte_jump:0, 0, from_end, post_offset -2; content:"|FF D9|"; distance:0; within:2; gid:1; sid:10000003; rev:001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Abnormal JPEG response detected"; content:"|FF D8 FF E0|"; byte_jump:0, 0, from_end, post_offset -2; content:!"|FF D9|"; distance:0; within:2; gid:1; sid:10000004; rev:001;)

These rules do not work well. As you know, these rules match the JPEG header/footer pattern (content) against each fragmented packet. So I tried using the stream_reassemble and flowbits options. I read https://www.snort.org/faq/readme-stream5. But the stream5 preprocessor limits the reassembled packet size (paf_max: 63780 bytes). Anyway, I wrote rules like below.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"JPEG response detected - Header"; flow:established; content:"|FF D8 FF E0|"; offset:0; flowbits:set,jpeg_detect; flowbits:noalert; stream_reassemble:enable,both; gid:1; sid:10000005; rev:001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"JPEG response detected - Footer"; flow:established; byte_jump:0,0,from_end,post_offset -2; content:"|FF D9|"; distance:0; within:2; flowbits:isset,jpeg_detect; stream_reassemble:enable,both; gid:1; sid:10000006; rev:001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Abnormal JPEG response detected"; flow:established; byte_jump:0,0,from_end,post_offset -2; content:!"|FF D9|"; distance:0; within:2; flowbits:isset,jpeg_detect; stream_reassemble:enable,both; gid:1; sid:10000007; rev:001;)

*** normal JPEG file detection log ***
03/20-17:52:37.813831 [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
03/20-17:52:37.815236 [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
03/20-17:52:37.815265 [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
03/20-17:52:37.815291 [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
...[snip]...
03/20-17:52:37.819399 [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
03/20-17:52:37.819434 [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
03/20-17:52:37.819468 [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
03/20-17:52:37.819496 [**] [1:10000006:1] JPEG response detected - Footer [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199

*** abnormal JPEG file detection log ***
03/20-17:53:46.793983 [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
03/20-17:53:46.795683 [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
03/20-17:53:46.795720 [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
03/20-17:53:46.795757 [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
...[snip]...
03/20-17:53:46.796195 [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
03/20-17:53:46.796233 [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
03/20-17:53:46.796271 [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
03/20-17:53:46.796308 [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202

These rules detect each fragmented packet, but I want to alert on the last detection. Could anyone advise me?

Regards

Social being determines social consciousness, rather than social consciousness determines social being - Karl Marx

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats <https://snort.org/downloads/#rule-downloads>!
--
Jim McKibben, Security Analyst, GSEC GWAPT
RiskAnalytics <https://riskanalytics.com/>
Office / 913-685-6588
Mobile / 573-424-4848
jmckibben () riskanalytics com
Twitter <https://twitter.com/riskanalytics> | LinkedIn <https://www.linkedin.com/company/riskanalytics-llc> | Facebook <https://www.facebook.com/riskanalytics?fref=ts>

CONFIDENTIAL: The information in this email (and any attachments) is confidential. If you are not the intended recipient, you must not read, use or disseminate the information. Please reply to the sender and take the steps necessary to delete the message completely from your computer system. Although this email and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by RiskAnalytics, LLC for any loss or damage arising in any way from its use.
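The alert pattern in the logs above (sid 10000007 on every segment, then one sid 10000006 when the footer segment arrives for the normal file, and nothing but 10000007 for the truncated file) follows directly from the rules being evaluated once per TCP segment with only the flowbit carried between segments. The following is an added simulation of that evaluation in plain Python; it is not Snort code and not from anyone in the thread. It also shows a per-flow tracker that keeps just the first four and last two bytes of the stream and gives a single verdict when the flow closes, which is the "alert on the last detection" behaviour the original poster asks for and which does not depend on the reassembly size cap (paf_max). The SIDs are the thread's; `build_jpeg`, `segment`, `per_packet_alerts`, `JpegFlowTracker` and `flow_verdict` are names chosen for this example, and the JPEG bytes are constructed.

```python
"""Simulation of the thread's JPEG header/footer rules.

Constructed example, not Snort code and not from anyone in the thread:
it evaluates the three rules the way Snort does (once per TCP segment,
carrying only the flowbit between segments) to show why sid 10000007
fires on every segment, then shows a per-flow tracker that yields one
verdict when the flow ends.  The SIDs are the thread's; the function
and class names are assumptions made for this example.
"""

SOI = b"\xff\xd8\xff\xe0"  # JFIF header bytes matched by the thread's rules
EOI = b"\xff\xd9"          # JPEG end-of-image marker (the "footer")

SID_FOOTER = 10000006      # "JPEG response detected - Footer"
SID_ABNORMAL = 10000007    # "Abnormal JPEG response detected"


def build_jpeg(payload_len: int, truncated: bool = False) -> bytes:
    """Construct a JPEG-shaped byte string: SOI, filler, then EOI unless
    truncated.  Filler values stay below 0xFF so no marker appears by
    accident."""
    body = SOI + bytes((i * 7) % 251 for i in range(payload_len))
    return body if truncated else body + EOI


def segment(data: bytes, mss: int) -> list:
    """Split a stream into TCP-segment-sized chunks (constructed flow)."""
    return [data[i:i + mss] for i in range(0, len(data), mss)]


def per_packet_alerts(segments) -> list:
    """Evaluate the thread's rules per segment: sid 10000005 sets the
    flowbit (noalert); sid 10000006 needs the segment to end in EOI;
    sid 10000007 fires whenever the flowbit is set and it does not.
    Returns (sid, segment_index) pairs in the order they would alert."""
    jpeg_detect = False
    alerts = []
    for n, seg in enumerate(segments):
        if seg.startswith(SOI):          # sid 10000005: flowbits:set,jpeg_detect
            jpeg_detect = True
        if jpeg_detect:
            if seg.endswith(EOI):
                alerts.append((SID_FOOTER, n))
            else:                        # every non-final segment lands here
                alerts.append((SID_ABNORMAL, n))
    return alerts


class JpegFlowTracker:
    """Per-flow state that defers the verdict until the flow ends.

    Keeps only the first four and last two bytes seen, so it needs no
    reassembly buffer and is unaffected by a reassembly cap such as
    paf_max.  (Assumed design for this example, not a Snort option.)"""

    def __init__(self) -> None:
        self.head = b""
        self.tail = b""

    def feed(self, seg: bytes) -> None:
        """Consume one segment in stream order."""
        self.head = (self.head + seg)[:4]
        self.tail = (self.tail + seg)[-2:]

    def finish(self):
        """Call when the flow closes (FIN/RST/timeout).  Returns the one
        SID that should alert, or None if the flow did not start as JPEG."""
        if self.head != SOI:
            return None
        return SID_FOOTER if self.tail == EOI else SID_ABNORMAL


def flow_verdict(segments):
    """Feed a whole flow through the tracker and return its single verdict."""
    tracker = JpegFlowTracker()
    for seg in segments:
        tracker.feed(seg)
    return tracker.finish()


if __name__ == "__main__":
    for label, data in (("normal", build_jpeg(5000)),
                        ("truncated", build_jpeg(5000, truncated=True))):
        segs = segment(data, 1460)
        print(f"{label}: per-packet -> {per_packet_alerts(segs)}")
        print(f"{label}: per-flow   -> {flow_verdict(segs)}")
```

Running it reproduces the thread's log shape for a 1460-byte MSS: three 10000007 alerts followed by one 10000006 for the normal file, four 10000007 alerts for the truncated one, while the tracker reports exactly one SID per flow. The contrast is the point: the rules fire per packet and the flowbit is the only state they carry between packets, so a single verdict at end of flow needs state kept outside the rule text, as the tracker does.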
Current thread:
- Abnormal JPEG file detection rule demantos(Cho Hoon) (Mar 20)
- Re: Abnormal JPEG file detection rule Jim McKibben (Mar 21)
- Re: Abnormal JPEG file detection rule rmkml (Mar 21)
- Re: Abnormal JPEG file detection rule Jim McKibben (Mar 21)