Snort mailing list archives

Re: Abnormal JPEG file detection rule


From: rmkml <rmkml () ligfy org>
Date: Tue, 21 Mar 2017 21:07:42 +0100 (CET)

Dear Demantos,
Could you share a pcap for testing/replay?
Could you test by adding "flowbits:unset,jpeg_detect" on sid 10000007?
Best Regards
@Rmkml


----- Original Message -----
From: "Jim McKibben" <jmckibben () riskanalytics com>
To: "demantos(Cho Hoon)" <demantos () gmail com>
Cc: "snort-sigs" <snort-sigs () lists sourceforge net>
Sent: Tuesday, 21 March 2017 13:44:01
Subject: Re: [Snort-sigs] Abnormal JPEG file detection rule

Just an idea about the alert on the last packet: you can do "log tcp
$EXTERNAL_NET any -> $HOME_NET any (msg...)" instead of "alert tcp..." and
that will cause a log entry on the IDS but no alert; it should still set the
flowbits though. Then alert on a normal footer or lack thereof and/or some
other EOF bit.

I am only slightly experienced in snort rule writing, and what you are
doing with the stream5 preprocessor is outside my wheelhouse, keep up the
good work!

On Mon, Mar 20, 2017 at 7:55 PM, demantos(Cho Hoon) <demantos () gmail com>
wrote:

Hello,

I want to detect normal/abnormal JPEG files.

So, I wrote rules to detect abnormal JPEG files like below.


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"JPEG response detected - Header"; content:"|FF D8 FF E0|"; offset:0; gid:1; sid:10000002; rev:001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"JPEG response detected - Footer"; content:"|FF D8 FF E0|"; byte_jump:0, 0, from_end, post_offset -2; content:"|FF D9|"; distance:0; within:2; gid:1; sid:10000003; rev:001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Abnormal JPEG response detected"; content:"|FF D8 FF E0|"; byte_jump:0, 0, from_end, post_offset -2; content:!"|FF D9|"; distance:0; within:2; gid:1; sid:10000004; rev:001;)


These rules do not work well. As you know, these rules match the JPEG
header/footer pattern (content) against each fragmented packet.

So, I tried using the stream_reassemble option and flowbits options.

I read https://www.snort.org/faq/readme-stream5.

But the stream5 preprocessor limits the reassembled packet size (paf_max: 63780
bytes).

Anyway, I wrote rules like below.


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"JPEG response detected - Header"; flow:established; content:"|FF D8 FF E0|"; offset:0; flowbits:set,jpeg_detect; flowbits:noalert; stream_reassemble:enable,both; gid:1; sid:10000005; rev:001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"JPEG response detected - Footer"; flow:established; byte_jump:0,0,from_end,post_offset -2; content:"|FF D9|"; distance:0; within:2; flowbits:isset,jpeg_detect; stream_reassemble:enable,both; gid:1; sid:10000006; rev:001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Abnormal JPEG response detected"; flow:established; byte_jump:0,0,from_end,post_offset -2; content:!"|FF D9|"; distance:0; within:2; flowbits:isset,jpeg_detect; stream_reassemble:enable,both; gid:1; sid:10000007; rev:001;)


*** normal JPEG file detection log ***

03/20-17:52:37.813831  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
03/20-17:52:37.815236  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
03/20-17:52:37.815265  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
03/20-17:52:37.815291  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
...[snip]...
03/20-17:52:37.819399  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
03/20-17:52:37.819434  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
03/20-17:52:37.819468  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
03/20-17:52:37.819496  [**] [1:10000006:1] JPEG response detected - Footer [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199


*** abnormal JPEG file detection log ***

03/20-17:53:46.793983  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
03/20-17:53:46.795683  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
03/20-17:53:46.795720  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
03/20-17:53:46.795757  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
...[snip]...
03/20-17:53:46.796195  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
03/20-17:53:46.796233  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
03/20-17:53:46.796271  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
03/20-17:53:46.796308  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202


These rules detect each fragmented packet, but I want to alert on the last
detection.

Can anyone advise me?


Regards




Social being determines social consciousness, rather than social
consciousness determines social being  - Karl Marx


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure
to stay up to date to catch the most emerging threats:
https://snort.org/downloads/#rule-downloads




-- 
Jim McKibben, Security Analyst GSEC GWAPT
RiskAnalytics <https://riskanalytics.com/>
jmckibben () riskanalytics com


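Editor's added example (not from the thread and not Snort code): a small Python simulation of why sid 10000007 fires on every segment. The rule's byte_jump from_end looks at the last two bytes of whatever buffer is being inspected, so when that buffer is an individual TCP segment every segment except the one ending in FF D9 is "abnormal"; the same check over the reassembled response fires once. The third function walks the JPEG marker structure instead of trusting the last two bytes, which also distinguishes a truncated file from one with trailing data after EOI. The JPEG bytes and the 8-byte segment size are constructed for the demonstration (the sample is marker-valid but not a decodable image), and the functions approximate the rules: rule-evaluation order inside one packet and the paf_max reassembly limit mentioned above are not modelled.

```python
"""Per-segment vs. reassembled-stream footer checks for JPEG responses."""

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"
JFIF_HEADER = b"\xff\xd8\xff\xe0"   # what sids 10000002/10000005 match on

# TEM, RST0-RST7, SOI and EOI carry no length field.
STANDALONE_MARKERS = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))


def build_sample_jpeg(entropy: bytes = b"\x12\x34\xff\x00\x56") -> bytes:
    """Constructed sample: SOI, APP0/JFIF, SOS header, entropy data, EOI.
    A 0xFF inside entropy data is byte-stuffed as FF 00, as in real files."""
    app0_payload = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + (len(app0_payload) + 2).to_bytes(2, "big") + app0_payload
    sos_payload = b"\x01\x01\x00\x00\x3f\x00"
    sos = b"\xff\xda" + (len(sos_payload) + 2).to_bytes(2, "big") + sos_payload
    return SOI + app0 + sos + entropy + EOI


def segment(data: bytes, mss: int) -> list:
    """Split a response into TCP-segment-sized chunks (constructed MSS)."""
    return [data[i:i + mss] for i in range(0, len(data), mss)]


def per_packet_rule(segments: list) -> list:
    """Approximate sids 10000005/6/7 evaluated packet by packet: the header
    packet sets the flowbit (noalert); every later packet is then judged by
    its own last two bytes, so each non-final packet raises 'abnormal'."""
    alerts = []
    jpeg_detect = False
    for seg in segments:
        if seg.startswith(JFIF_HEADER):
            jpeg_detect = True            # flowbits:set,jpeg_detect
        if jpeg_detect:
            alerts.append("footer" if seg[-2:] == EOI else "abnormal")
    return alerts


def stream_rule(data: bytes) -> list:
    """The same last-two-bytes check applied once to the reassembled response."""
    if not data.startswith(JFIF_HEADER):
        return []
    return ["footer" if data[-2:] == EOI else "abnormal"]


def walk_markers(data: bytes) -> tuple:
    """Walk the marker segments and return (status, markers, trailing_bytes):
    'ok' when EOI is reached, 'truncated' when the data ends first,
    'bad-marker' when the bytes are not marker-structured."""
    if not data.startswith(SOI):
        return "bad-marker", [], 0
    markers, pos = [0xD8], 2
    while True:
        if pos + 2 > len(data):
            return "truncated", markers, 0
        if data[pos] != 0xFF:
            return "bad-marker", markers, 0
        marker = data[pos + 1]
        pos += 2
        markers.append(marker)
        if marker == 0xD9:
            return "ok", markers, len(data) - pos   # bytes after EOI
        if marker in STANDALONE_MARKERS:
            continue
        if pos + 2 > len(data):
            return "truncated", markers, 0
        length = int.from_bytes(data[pos:pos + 2], "big")   # includes itself
        if length < 2:
            return "bad-marker", markers, 0
        if pos + length > len(data):
            return "truncated", markers, 0
        pos += length
        if marker == 0xDA:
            # Start Of Scan: skip entropy-coded data up to the next real marker.
            # FF 00 is a stuffed byte and FF D0..D7 are restart markers.
            while pos < len(data):
                if data[pos] == 0xFF and pos + 1 < len(data):
                    nxt = data[pos + 1]
                    if nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                        break
                    pos += 2
                    continue
                pos += 1


if __name__ == "__main__":
    good, cut = build_sample_jpeg(), build_sample_jpeg()[:-1]
    print("per-packet, normal file:  ", per_packet_rule(segment(good, 8)))
    print("per-packet, truncated:    ", per_packet_rule(segment(cut, 8)))
    print("stream, normal/truncated: ", stream_rule(good), stream_rule(cut))
    print("markers, normal/truncated:", walk_markers(good)[0], walk_markers(cut)[0])
```

With an 8-byte MSS the 37-byte sample becomes five segments, and per_packet_rule reports four "abnormal" hits followed by one "footer", the same shape as the normal-file log above; the truncated copy yields only "abnormal" hits, like the second log. stream_rule gives one verdict per response, and walk_markers reports "ok" with a trailing-byte count for a file that has junk appended after FF D9, which a last-two-bytes check would flag as abnormal.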
