[Snort-sigs] 1337 Bot and TCP options detection

Y M snort at ...3751...
Wed Dec 28 11:43:57 EST 2016


You can use dsize as the following syntax and just have one rule.

dsize:min<>max;

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node33.html#SECTION00467000000000000000

YM





On Wed, Dec 28, 2016 at 7:29 PM +0300, "joshua burgess" <avonyxx at ...12...<mailto:avonyxx at ...12...>> wrote:


Unfortunately setting the Flowbits isn't an option because I'm using McAfee NSM and their half baked interpretation of SNORT which doesn't support it.  As for my second rule can I create two different dsize variables to narrow the match down to inbetween two different packet sizes?


Sent from Outlook<http://aka.ms/weboutlook>
________________________________
From: FOULDE Damien <damien.foulde at ...4205...>
Sent: Wednesday, December 28, 2016 11:01:15 AM
To: joshua burgess
Cc: snort-sigs at lists.sourceforge.net
Subject: RE: 1337 Bot and TCP options detection

Joshua,

To be able to match on the |01 03 03 07| content in the TCP header and then use the “flags” keyword you could split the rule and set a flowbit (http://blog.snort.org/2011/05/resolving-flowbit-dependancies.html) in a first snort ip rule and check this flowbit in a second snort tcp rule.

Regards,

Damien

De : FOULDE Damien
Envoyé : mercredi 28 décembre 2016 15:23
À : 'joshua burgess'
Cc : snort-sigs at lists.sourceforge.net
Objet : RE: 1337 Bot and TCP options detection

Hello Joshua,

You may write an ip rule, not a tcp one, to be able to match on the |01 03 03 07| content in the TCP header.
However writing the snort rule through this way will prevent you to use the “flags” keyword reserved for the tcp rules.

Regards,

Damien

De : joshua burgess [mailto:avonyxx at ...12...]
Envoyé : mercredi 28 décembre 2016 13:51
À : snort-sigs at lists.sourceforge.net<mailto:snort-sigs at lists.sourceforge.net>
Objet : [Snort-sigs] 1337 Bot and TCP options detection


To check a few boxes, I'm trying to gen up two signatures designed to detect the latest 1337 bot that Imperva wrote about (https://www.incapsula.com/blog/650gbps-ddos-attack-leet-botnet.html)



Basically I'm trying to write a signature designed to detect the TCP options which spell out 1337 as well as an abnormally large SYN packet ranging from 799 to 936.



I don't know SNORT supports my specifying the TCP options like:

Number: No-Operation (NOP) (1)

Kind: Window Scale (3)

Length: (3)

Shift count: (7)



Could I do it with"content" only, it doesn't seem likely but I'm running out of ideas...

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"1337 DDoS Tool"; flags:S; content:"Number: No-Operation (NOP) (1)"; content:"Kind: Window Scale (3)"; content:"Length: (3)"; content:"Shift count: (7)"; reference:url,https://www.incapsula.com/blog/650gbps-ddos-attack-leet-botnet.html; classtype:attempted-dos; sid:6000049; rev:1;)


As far as writing a signature to look for just the SYN packet size would this work to set two different sizes?

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"1337 DDoS Tool"; flags:S; dsize:>799; dsize:<936; reference:url,https://www.incapsula.com/blog/650gbps-ddos-attack-leet-botnet.html; classtype:attempted-dos; sid:6000049; rev:1;)



Any help would be awesome. Thanks!


Sent from Outlook<http://aka.ms/weboutlook>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20161228/30a94216/attachment.html>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ATT00001.txt
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20161228/30a94216/attachment.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ATT00002.txt
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20161228/30a94216/attachment-0001.txt>


More information about the Snort-sigs mailing list