[Snort-openappid] Rules to detect flows?

dpifun at ...43...
Mon Nov 3 17:52:36 EST 2014


Actually - my bad....the time stamp is correct on the second start
alert, but for some reason it is emitted in the log after a later
alert.
 Sent using Hushmail
On 11/3/2014 at 5:23 PM, dpifun at ...43... wrote:
No joy - these rules produce one finish alert, but LOTS of start alerts.
Adding $HOME_NET to my rules cuts the alerts down to three:
start->finish->start
The interesting thing is that the second start alert has a lower
sequence number and time than the finish alert, and yet it is issued
AFTER the finish. I've confirmed with wireshark that the packet does
in fact come before the FIN packet. Very strange...
[**] [1:1000000:1] ssh start [**]
[Priority: 0]
11/03-14:10:27.132752 192.168.18.207:39002 -> 10.1.11.201:22
TCP TTL:64 TOS:0x0 ID:31635 IpLen:20 DgmLen:548 DF
***AP*** Seq: 0xB6663942  Ack: 0x959EA47  Win: 0x7210  TcpLen: 20

[**] [1:1000001:1] ssh finish [**]
[Priority: 0]
11/03-14:10:32.617073 192.168.18.207:39002 -> 10.1.11.201:22
TCP TTL:64 TOS:0x10 ID:31667 IpLen:20 DgmLen:40 DF
***A***F Seq: 0xB6664216  Ack: 0x959F84F  Win: 0x94B0  TcpLen: 20

[**] [1:1000000:1] ssh start [**]
[Priority: 0]
11/03-14:10:32.614444 192.168.18.207:39002 -> 10.1.11.201:22
TCP TTL:64 TOS:0x10 ID:23399 IpLen:20 DgmLen:184 DF
***A**** Seq: 0xB6664186  Ack: 0x959F850  Win: 0xFAEF  TcpLen: 20
 Sent using Hushmail
On 11/3/2014 at 2:03 PM, "Costas Kleopa (ckleopa)" wrote:
Can you try these instead:

alert tcp any any -> any any (msg:"ssh start"; flow:established; appid:ssh; flowbits:isnotset,sof; flowbits:set,sof; sid:1;)
alert tcp any any -> any any (msg:"ssh finish"; flow:established; flags:*FR; flowbits:isset,sof; flowbits:isnotset,eof; flowbits:set,eof; sid:2;)
    From: "dpifun at ...43..." 
 Date: Monday, November 3, 2014 at 12:47 PM
 To: ckleopa 
 Cc: "snort-openappid at lists.sourceforge.net" 
 Subject: Re: [Snort-openappid] Rules to detect flows?
Here's what I have now in case others want per flow alerts:

alert tcp any any -> any any (msg:"ssh start"; appid:ssh; flowbits:isnotset,flowssh; flowbits:set,flowssh; sid:1000000; rev:1;)
alert tcp any any -> any any (msg:"ssh finish"; appid:ssh; flags:*FR; flowbits:isset,flowssh; flowbits:unset,flowssh; sid:1000001; rev:1;)
The above work, but I always get two start alerts and two finish
alerts, one for each flow direction. Now and then, I get multiple
start alerts (out of time sequence) for some reason (see below). I
tried using the flow keyword with "to_server" etc., but that didn't
eliminate the duplicates. Probably the easiest solution is to just use
$HOME_NET in the rule.
============== alerts =====================

[**] [1:1000000:1] ssh start [**]
[Priority: 0]
11/03-09:08:53.085905 192.168.18.207:38960 -> 10.1.11.201:22
TCP TTL:64 TOS:0x0 ID:40940 IpLen:20 DgmLen:548 DF
***AP*** Seq: 0x4B1FE2F3  Ack: 0xFB90A9C2  Win: 0x7210  TcpLen: 20

[**] [1:1000001:1] ssh finish [**]
[Priority: 0]
11/03-09:09:10.898535 192.168.18.207:38960 -> 10.1.11.201:22
TCP TTL:64 TOS:0x10 ID:40972 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x4B1FEBC7  Ack: 0xFB90B7CA  Win: 0x94B0  TcpLen: 20

[**] [1:1000000:1] ssh start [**]
[Priority: 0]
11/03-09:09:10.898535 192.168.18.207:38960 -> 10.1.11.201:22
TCP TTL:64 TOS:0x10 ID:40972 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x4B1FEBC7  Ack: 0xFB90B7CA  Win: 0x94B0  TcpLen: 20

[**] [1:1000001:1] ssh finish [**]
[Priority: 0]
11/03-09:09:10.900368 10.1.11.201:22 -> 192.168.18.207:38960
TCP TTL:128 TOS:0x0 ID:1543 IpLen:20 DgmLen:40
***AP**F Seq: 0xFB90B7CA  Ack: 0x4B1FEBC8  Win: 0xFAEF  TcpLen: 20

[**] [1:1000000:1] ssh start [**]
[Priority: 0]
11/03-09:09:10.900368 10.1.11.201:22 -> 192.168.18.207:38960
TCP TTL:128 TOS:0x0 ID:1543 IpLen:20 DgmLen:40
***AP**F Seq: 0xFB90B7CA  Ack: 0x4B1FEBC8  Win: 0xFAEF  TcpLen: 20

[**] [1:1000000:1] ssh start [**]
[Priority: 0]
11/03-09:09:10.900385 192.168.18.207:38960 -> 10.1.11.201:22
TCP TTL:64 TOS:0x10 ID:23389 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x4B1FEBC8  Ack: 0xFB90B7CB  Win: 0x94B0  TcpLen: 20
 Sent using Hushmail
On 11/3/2014 at 11:19 AM, "Costas Kleopa (ckleopa)" wrote:
The flags option you gave us has a few small errors. Note the * in our
rule example. Otherwise your approach looks ok. If you add
flowbits:noalert; to this start rule, you won't get events for that.

alert tcp any any -> any any (msg:"ssh"; appid:ssh; flags:*FR; flowbits:isnotset,fr; flowbits:set,fr; sid:1000000; rev:1;)

Let us know if this works better.

Thanks Costas
    From: "dpifun at ...43..." 
 Date: Sunday, November 2, 2014 at 1:49 PM
 To: ckleopa 
 Subject: Re: [Snort-openappid] Rules to detect flows?
Costas,

I played around with the rules a bit more today. As I mentioned
earlier, a simple SSH connection rule:

alert tcp any any -> any any (msg:"ssh"; appid:ssh openssh; sid:1000000; rev:1;)

produces a LARGE number of alerts on a single SSH connection.

In trying to play around with flowbits, I have these rules:

alert tcp any any -> any any (msg:"ssh start"; flowbits:isnotset,ssh; flowbits:set,ssh; appid:ssh; sid:1000000; rev:1;)
alert tcp any any -> any any (msg:"ssh finish"; flags:F; flowbits:isset,ssh; flowbits:unset,ssh; sid:1000001; rev:1;)

The idea here was to set the ssh flowbit when the flow is seen and
issue an alert. Then, when the connection is closed, to send a final
alert.

With those rules, I do get two alerts. But they're both "ssh start"
alerts, shown below:
[**] [1:1000000:1] ssh start [**]
[Priority: 0]
11/02-10:36:52.245181 192.168.18.207:45072 -> 192.168.1.1:22
TCP TTL:64 TOS:0x0 ID:4853 IpLen:20 DgmLen:548 DF
***AP*** Seq: 0x2B086E0B  Ack: 0x155A71B3  Win: 0x7210  TcpLen: 20

[**] [1:1000000:1] ssh start [**]
[Priority: 0]
11/02-10:36:59.628815 192.168.18.207:45072 -> 192.168.1.1:22
TCP TTL:64 TOS:0x10 ID:28775 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x2B087800  Ack: 0x155A83BC  Win: 0xA3F0  TcpLen: 20
My configuration is exactly like the tutorials on Ubuntu 14.04
running 2.9.7 with the latest rules and OpenAppID drop. I start snort
with the following command:

snort -c /etc/snort/snort.conf --daq afpacket -i eth0 -k none
  All we're trying to do is get an alert when a SSH connection starts
and when it ends. 
  I'm sure that the problem is that we just don't understand the Snort
rule language well enough yet. 
  Thanks!  
 Sent using Hushmail
On 11/1/2014 at 8:19 PM, "Costas Kleopa (ckleopa)" wrote:
With the alerts, that should at least give you the end of the connection.
For AppID, we won't know what the application is from the first Syn
packet since we need a deeper inspection to find the application, so we
would only provide the alert when the connection ends.

If you are seeing more alerts even in a per TCP session then please
send us the rules you are using, the configuration and some of the log
output of the alert results and we will investigate it internally.

Thanks, Costas
 On Nov 1, 2014, at 8:01 PM, "dpifun at ...43..."  wrote:
   Costas, 
  Thanks for the quick reply! What about a rule to get the start/end
of a connection for ssh? 
  Originally, we thought we could use the Syn and Fin flags along with
flowbits. That didn't work though. 
  Thanks!
 Sent using Hushmail
On 11/1/2014 at 7:58 PM, "Costas Kleopa (ckleopa)" wrote:
Unfortunately, providing the received and sent bytes per connection in
the alerts is something that is not supported in this release, and we
have also noted it in our roadmap for this feature.

The only way you can get the received/sent bytes per AppID is on a
per timed interval through the use of the app-stats logs.

Thanks, Costas
 On Nov 1, 2014, at 7:47 PM, "dpifun at ...43..."  wrote:
We're trying to detect apps with rules to get the IP, port pair.
But we've run into a snag.

A simple rule for detecting SSH connections regardless of the port:

alert tcp any any -> any any (msg:"ssh"; appid:ssh openssh; sid:1000000; rev:1;)

This rule, however, creates a huge number of alerts for a single SSH
connection. While we're not snort rule experts, using flowbits seems
to be the way. But we're a bit lost on how to get ONLY an alert at
the beginning of an SSH connection and at the end. It would be cool
if we could get the number of bytes sent/received for the connection,
but that seems impossible.

We tried using the S and F flags without success.

Any help appreciated!
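As an added example (not code from anyone in this thread, and not part of Snort or OpenAppID), here is a small Python script that parses Snort full-alert output in the layout quoted in the thread, groups alerts into direction-independent TCP flows, and compares the order in which the alerts were emitted with the order of their timestamps. That comparison makes the behaviour described in the 5:23 PM message visible: the second "ssh start" carries an earlier timestamp than the "ssh finish" yet is logged after it. The sample text is the three alerts from that message re-laid-out into Snort's standard five-line full-alert format; the message strings "ssh start"/"ssh finish" and the year 2014 are assumptions taken from the thread, and the function names are my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the three alerts quoted in the 5:23 PM message, laid out in
# Snort's full-alert format (header, priority, timestamp/addresses, IP line, TCP line).
# The values are the ones shown in the thread; the layout is reconstructed.
SAMPLE_ALERTS = """\
[**] [1:1000000:1] ssh start [**]
[Priority: 0]
11/03-14:10:27.132752 192.168.18.207:39002 -> 10.1.11.201:22
TCP TTL:64 TOS:0x0 ID:31635 IpLen:20 DgmLen:548 DF
***AP*** Seq: 0xB6663942  Ack: 0x959EA47  Win: 0x7210  TcpLen: 20

[**] [1:1000001:1] ssh finish [**]
[Priority: 0]
11/03-14:10:32.617073 192.168.18.207:39002 -> 10.1.11.201:22
TCP TTL:64 TOS:0x10 ID:31667 IpLen:20 DgmLen:40 DF
***A***F Seq: 0xB6664216  Ack: 0x959F84F  Win: 0x94B0  TcpLen: 20

[**] [1:1000000:1] ssh start [**]
[Priority: 0]
11/03-14:10:32.614444 192.168.18.207:39002 -> 10.1.11.201:22
TCP TTL:64 TOS:0x10 ID:23399 IpLen:20 DgmLen:184 DF
***A**** Seq: 0xB6664186  Ack: 0x959F850  Win: 0xFAEF  TcpLen: 20
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
ADDR_RE = re.compile(
    r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d{6}) (\S+):(\d+) -> (\S+):(\d+)")
# TCP flag field is eight characters drawn from 1 2 U A P R S F, '*' for unset.
TCP_RE = re.compile(r"^([12UAPRSF*]{8}) Seq: 0x([0-9A-Fa-f]+)")

# Assumed message strings (taken from the rules in the thread).
START_MSG = "ssh start"
FINISH_MSG = "ssh finish"


def parse_alerts(text, year=2014):
    """Parse Snort full-alert text into a list of dicts, in emission order.
    The full-alert timestamp has no year, so the caller supplies it (assumed 2014)."""
    alerts = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"gid": int(m.group(1)), "sid": int(m.group(2)),
                       "rev": int(m.group(3)), "msg": m.group(4),
                       "emit_index": len(alerts)}
            alerts.append(current)
            continue
        if current is None:
            continue
        m = ADDR_RE.match(line)
        if m:
            mon, day, hh, mm, ss, usec = (int(x) for x in m.group(1, 2, 3, 4, 5, 6))
            current["ts"] = datetime(year, mon, day, hh, mm, ss, usec)
            current["src"], current["sport"] = m.group(7), int(m.group(8))
            current["dst"], current["dport"] = m.group(9), int(m.group(10))
            continue
        m = TCP_RE.match(line)
        if m:
            current["flags"] = m.group(1)
            current["seq"] = int(m.group(2), 16)
    # Drop any header that never got its address line (truncated log).
    return [a for a in alerts if "ts" in a]


def flow_key(alert):
    """Direction-independent key so both halves of one TCP conversation share a bucket.
    This is what collapses the per-direction duplicates seen in the 12:47 PM log."""
    ends = sorted([(alert["src"], alert["sport"]), (alert["dst"], alert["dport"])])
    return tuple(ends)


def summarize_flows(alerts):
    """Per flow: emitted order vs timestamp order, start/finish counts, duration."""
    flows = defaultdict(list)
    for a in alerts:
        flows[flow_key(a)].append(a)
    summary = {}
    for key, group in flows.items():
        emitted = sorted(group, key=lambda a: a["emit_index"])
        by_time = sorted(group, key=lambda a: (a["ts"], a["emit_index"]))
        starts = [a for a in by_time if a["msg"] == START_MSG]
        finishes = [a for a in by_time if a["msg"] == FINISH_MSG]
        # True when Snort logged an alert after one with a later packet timestamp.
        out_of_order = any(emitted[i]["ts"] < emitted[i - 1]["ts"]
                           for i in range(1, len(emitted)))
        duration = None
        if starts and finishes:
            duration = (finishes[-1]["ts"] - starts[0]["ts"]).total_seconds()
        summary[key] = {
            "emitted_order": [a["msg"] for a in emitted],
            "time_order": [a["msg"] for a in by_time],
            "start_count": len(starts),
            "finish_count": len(finishes),
            "emitted_out_of_order": out_of_order,
            "duration_s": duration,
        }
    return summary


if __name__ == "__main__":
    for key, info in summarize_flows(parse_alerts(SAMPLE_ALERTS)).items():
        print(key)
        for field, value in info.items():
            print(f"  {field}: {value}")
```

Sorting by timestamp rather than trusting log order is the point: for the sample flow the script reports emitted order start, finish, start but timestamp order start, start, finish, with a start count of 2 against one finish, which is exactly the symptom the poster confirmed in Wireshark. A monitoring job that consumes these alerts should key on the normalized flow tuple and treat the earliest start and the latest finish per flow as the connection boundaries instead of counting alert lines.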