[Snort-sigs] Abnormal JPEG file detection rule

demantos(Cho Hoon) demantos at ...2420...
Mon Mar 20 20:55:23 EDT 2017


Hello,

I want to detect normal/abnormal JPEG files.

So, I wrote rules to detect abnormal JPEG files like below.


# Header: SOI + JFIF APP0 marker. depth:4 added so the match is anchored at the start of the payload (offset:0 alone does not anchor it).
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"JPEG response detected - Header"; content:"|FF D8 FF E0|"; offset:0; depth:4; gid:1; sid:10000002; rev:001;)
# Footer: jump to two bytes before the end of the payload and expect the EOI marker there.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"JPEG response detected - Footer"; content:"|FF D8 FF E0|"; byte_jump:0,0,from_end,post_offset -2; content:"|FF D9|"; distance:0; within:2; gid:1; sid:10000003; rev:001;)
# Abnormal: same position, EOI marker absent.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Abnormal JPEG response detected"; content:"|FF D8 FF E0|"; byte_jump:0,0,from_end,post_offset -2; content:!"|FF D9|"; distance:0; within:2; gid:1; sid:10000004; rev:001;)


These rules do not work well. As you know, these rules match the JPEG
header/footer pattern (content) against each fragmented packet.

So, I tried using the stream_reassemble and flowbits options.

I read https://www.snort.org/faq/readme-stream5.

But the stream5 preprocessor limits the reassembled packet size (paf_max: 63780 bytes).

Anyway, I wrote rules like below.


# Header: sets the jpeg_detect flowbit for the flow, no alert by itself. depth:4 added so the marker must sit at the start of the payload.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"JPEG response detected - Header"; flow:established; content:"|FF D8 FF E0|"; offset:0; depth:4; flowbits:set,jpeg_detect; flowbits:noalert; stream_reassemble:enable,both; gid:1; sid:10000005; rev:001;)
# Footer: only on flows where the header was seen; expects EOI as the last two bytes of the (reassembled) payload.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"JPEG response detected - Footer"; flow:established; byte_jump:0,0,from_end,post_offset -2; content:"|FF D9|"; distance:0; within:2; flowbits:isset,jpeg_detect; stream_reassemble:enable,both; gid:1; sid:10000006; rev:001;)
# Abnormal: same flows, EOI absent from the last two bytes.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Abnormal JPEG response detected"; flow:established; byte_jump:0,0,from_end,post_offset -2; content:!"|FF D9|"; distance:0; within:2; flowbits:isset,jpeg_detect; stream_reassemble:enable,both; gid:1; sid:10000007; rev:001;)


*** normal JPEG file detection log ***

03/20-17:52:37.813831  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
03/20-17:52:37.815236  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
03/20-17:52:37.815265  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
03/20-17:52:37.815291  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
...[snip]...
03/20-17:52:37.819399  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
03/20-17:52:37.819434  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
03/20-17:52:37.819468  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
03/20-17:52:37.819496  [**] [1:10000006:1] JPEG response detected - Footer [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199


*** abnormal JPEG file detection log ***

03/20-17:53:46.793983  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
03/20-17:53:46.795683  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
03/20-17:53:46.795720  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
03/20-17:53:46.795757  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
...[snip]...
03/20-17:53:46.796195  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
03/20-17:53:46.796233  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
03/20-17:53:46.796271  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
03/20-17:53:46.796308  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202


These rules detect each fragmented packet, but I want to alert only on the
last detection.

Can anyone please advise me?


Regards




Social being determines social consciousness, rather than social
consciousness determines social being  - Karl Marx
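The following is an added example, not part of the post above and not Snort code: a small Python model of the post's second rule set (sid 10000005-10000007) evaluated packet by packet, next to a single verdict computed over the reassembled stream, which is the "alert only on the last detection" behaviour the post asks for. The payloads are constructed (JPEG markers with filler, not decodable images), and the segment sizes are arbitrary; `classify_jpeg` additionally accepts an Exif `FF D8 FF E1` header, which the post's `|FF D8 FF E0|` content would miss.

```python
# Added example, not from the mailing-list post: models the post's flowbits rules
# (sid 10000005-10000007) against a TCP stream cut into segments, and contrasts
# them with one verdict over the reassembled stream. Payloads are constructed.
from typing import List, Optional

SOI = b"\xff\xd8"   # Start Of Image marker
EOI = b"\xff\xd9"   # End Of Image marker
APP0 = b"\xff\xe0"  # JFIF application segment: what |FF D8 FF E0| in the post matches
APP1 = b"\xff\xe1"  # Exif application segment: just as common, missed by |FF D8 FF E0|


def build_sample(body_len: int) -> bytes:
    """Constructed JPEG-shaped payload: SOI, a 16-byte JFIF APP0 segment,
    body_len filler bytes, EOI. Not a decodable image; only the markers matter here."""
    app0 = APP0 + b"\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return SOI + app0 + b"\x00" * body_len + EOI


def segment(payload: bytes, mss: int) -> List[bytes]:
    """Cut an application payload into TCP-segment-sized chunks (in order, no loss)."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def per_packet_verdicts(segments: List[bytes]) -> List[Optional[str]]:
    """Model of the post's second rule set evaluated per packet.
    sid 10000005 sets the jpeg_detect flowbit on the segment carrying the header
    (noalert); from then on each segment is judged on its own last two bytes:
    'footer' (sid 10000006) if they are FF D9, else 'abnormal' (sid 10000007).
    In this model the header segment itself is judged too once the bit is set."""
    verdicts: List[Optional[str]] = []
    jpeg_detect = False
    for seg in segments:
        if seg.startswith(SOI + APP0):
            jpeg_detect = True
        if not jpeg_detect:
            verdicts.append(None)
            continue
        verdicts.append("footer" if seg.endswith(EOI) else "abnormal")
    return verdicts


def classify_jpeg(buf: bytes) -> str:
    """Single verdict over the whole reassembled stream: SOI at offset 0 followed
    by APP0 or APP1, and EOI as the final two bytes."""
    if not buf.startswith(SOI) or buf[2:4] not in (APP0, APP1):
        return "not-jpeg"
    return "normal" if buf.endswith(EOI) else "abnormal"


def stream_verdict(segments: List[bytes]) -> str:
    """Reassemble in order, then classify once: one alert per file, not one per segment."""
    return classify_jpeg(b"".join(segments))


if __name__ == "__main__":
    good = build_sample(78)  # 100 bytes, ends with FF D9
    for name, payload, mss in (
        ("normal file", good, 30),
        ("truncated file", good[:-2], 30),                  # EOI missing
        ("normal file, EOI split", build_sample(77), 49),   # FF and D9 land in different segments
    ):
        segs = segment(payload, mss)
        print(f"{name}: per-packet {per_packet_verdicts(segs)} -> stream {stream_verdict(segs)}")
```

The first case reproduces the shape of the "normal JPEG" log above: a run of sid 10000007 alerts followed by one sid 10000006, because every segment except the last ends in something other than `FF D9`. The third case shows a second problem with judging segments individually: when the two EOI bytes are split across segments, no segment ends in `FF D9`, so the footer rule never fires at all even though the stream as a whole is fine.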