[Snort-sigs] Abnormal JPEG file detection rule

Jim McKibben jmckibben at ...4232...
Tue Mar 21 08:44:01 EDT 2017


Just an idea about the alert on the last packet: you can do "log tcp
$EXTERNAL_NET any -> $HOME_NET any (msg...)" instead of "alert tcp..." and
that will cause a log entry on the IDS but no alert; it should still set the
flowbits, though. Then alert on a normal footer or lack thereof and/or some
other EOF bit.

I am only slightly experienced in Snort rule writing, and what you are
doing with the stream5 preprocessor is outside my wheelhouse. Keep up the
good work!

On Mon, Mar 20, 2017 at 7:55 PM, demantos(Cho Hoon) <demantos at ...2420...>
wrote:

> Hello,
>
> I want to detect normal/abnormal JPEG files.
>
> So I wrote rules to detect abnormal JPEG files, like below.
>
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"JPEG response detected - Header"; content:"|FF D8 FF E0|"; offset:0; gid:1; sid:10000002; rev:001;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"JPEG response detected - Footer"; content:"|FF D8 FF E0|"; byte_jump:0, 0, from_end, post_offset -2; content:"|FF D9|"; distance:0; within:2; gid:1; sid:10000003; rev:001;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Abnormal JPEG response detected"; content:"|FF D8 FF E0|"; byte_jump:0, 0, from_end, post_offset -2; content:!"|FF D9|"; distance:0; within:2; gid:1; sid:10000004; rev:001;)
>
>
> These rules do not work well. As you know, these rules match the JPEG
> header/footer pattern (content) against each fragmented packet.
>
> So I tried using the stream_reassemble and flowbits options.
>
> I read https://www.snort.org/faq/readme-stream5.
>
> But the stream5 preprocessor limits the reassembled packet size (paf_max: 63780
> bytes).
>
> Anyway, I wrote rules like below.
>
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"JPEG response detected - Header"; flow:established; content:"|FF D8 FF E0|"; offset:0; flowbits:set,jpeg_detect; flowbits:noalert; stream_reassemble:enable,both; gid:1; sid:10000005; rev:001;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"JPEG response detected - Footer"; flow:established; byte_jump:0,0,from_end,post_offset -2; content:"|FF D9|"; distance:0; within:2; flowbits:isset,jpeg_detect; stream_reassemble:enable,both; gid:1; sid:10000006; rev:001;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Abnormal JPEG response detected"; flow:established; byte_jump:0,0,from_end,post_offset -2; content:!"|FF D9|"; distance:0; within:2; flowbits:isset,jpeg_detect; stream_reassemble:enable,both; gid:1; sid:10000007; rev:001;)
>
>
> *** normal JPEG file detection log ***
>
> 03/20-17:52:37.813831  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
> 03/20-17:52:37.815236  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
> 03/20-17:52:37.815265  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
> 03/20-17:52:37.815291  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
> ...[snip]...
> 03/20-17:52:37.819399  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
> 03/20-17:52:37.819434  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
> 03/20-17:52:37.819468  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
> 03/20-17:52:37.819496  [**] [1:10000006:1] JPEG response detected - Footer [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
>
>
> *** abnormal JPEG file detection log ***
>
> 03/20-17:53:46.793983  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
> 03/20-17:53:46.795683  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
> 03/20-17:53:46.795720  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
> 03/20-17:53:46.795757  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
> ...[snip]...
> 03/20-17:53:46.796195  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
> 03/20-17:53:46.796233  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
> 03/20-17:53:46.796271  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
> 03/20-17:53:46.796308  [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
>
>
> These rules detect each fragmented packet, but I want to alert only on the last
> detection.
>
> Could anyone please advise me?
>
>
> Regards
>
>
>
>
> Social being determines social consciousness, rather than social
> consciousness determines social being  - Karl Marx
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
> http://www.snort.org
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most <a href="
> https://snort.org/downloads/#rule-downloads">emerging threats</a>!
>



-- 

Jim McKibben, Security Analyst GSEC GWAPT
RiskAnalytics <https://riskanalytics.com/>
Office / 913-685-6588
Mobile / 573-424-4848
jmckibben at ...4232...

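Added example, not part of the thread or of either poster's rules: a small Python model of the decision the rules above are trying to make, run once over the reassembled flow instead of once per segment. `per_segment_verdicts` reproduces the per-segment "last two bytes" test (one verdict per segment after the header has been seen, which is the alert flood in the logs), while `classify` walks the JPEG marker structure of the whole flow and distinguishes a truncated file (no EOI) from one with data appended after EOI, which a last-two-bytes rule would also flag as abnormal. It keys on the bare SOI marker FF D8 rather than the poster's FF D8 FF E0, because FF E0 is the JFIF APP0 signature and Exif-tagged JPEGs begin FF D8 FF E1. The sample JPEG, the 100-byte segment size and all function names are constructed for this example.

```python
# Added example (not from the thread): stream-level JPEG structure check versus
# the per-segment check the Snort rules perform. All sample data is constructed.

SOI = b"\xff\xd8"             # Start Of Image
EOI = b"\xff\xd9"             # End Of Image
SOS = 0xDA                    # Start Of Scan: entropy-coded data follows
RST = set(range(0xD0, 0xD8))  # restart markers, no length field
NOLEN = RST | {0x01}          # standalone markers (RSTn, TEM)


def classify(data: bytes) -> str:
    """Walk the marker structure of a complete JPEG and return one of
    'normal', 'truncated', 'trailing-data', 'malformed', 'not-jpeg'."""
    if not data.startswith(SOI):
        return "not-jpeg"
    pos, n, in_scan = 2, len(data), False
    while pos < n:
        if in_scan:
            # Inside entropy-coded data: FF 00 is a stuffed byte and FF D0..D7
            # are restart markers; any other FF xx ends the scan.
            idx = data.find(b"\xff", pos)
            if idx < 0 or idx + 1 >= n:
                return "truncated"
            nxt = data[idx + 1]
            if nxt == 0x00 or nxt in RST:
                pos = idx + 2
            elif nxt == 0xFF:          # fill byte, re-examine from the next FF
                pos = idx + 1
            else:
                in_scan, pos = False, idx
            continue
        if pos + 2 > n:
            return "truncated"
        if data[pos] != 0xFF:
            return "malformed"
        marker = data[pos + 1]
        if marker == 0xFF:             # fill byte between segments
            pos += 1
            continue
        if marker == 0xD9:             # EOI: anything after it is suspicious
            return "normal" if pos + 2 == n else "trailing-data"
        if marker in NOLEN:
            pos += 2
            continue
        if pos + 4 > n:
            return "truncated"
        seglen = int.from_bytes(data[pos + 2:pos + 4], "big")
        if seglen < 2:
            return "malformed"
        if pos + 2 + seglen > n:
            return "truncated"         # length field points past the data we have
        pos += 2 + seglen
        in_scan = marker == SOS
    return "truncated"                 # ran out of bytes without seeing EOI


def per_segment_verdicts(segments):
    """Emulate the thread's rules: once a segment starting with SOI has been
    seen (flowbit set), every later segment is judged by its own last two
    bytes. One verdict per segment is exactly the alert flood in the logs."""
    armed, verdicts = False, []
    for seg in segments:
        armed = armed or seg.startswith(SOI)
        if armed:
            verdicts.append("footer" if seg.endswith(EOI) else "abnormal")
    return verdicts


def flow_verdict(segments):
    """One decision over the reassembled flow, which is what the poster wants."""
    return classify(b"".join(segments))


def build_sample_jpeg() -> bytes:
    """Constructed, structurally valid (not decodable) JFIF used as input."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0_seg = b"\xff\xe0" + (len(app0) + 2).to_bytes(2, "big") + app0
    sos = b"\x01\x01\x00\x00\x3f\x00"
    sos_seg = b"\xff\xda" + (len(sos) + 2).to_bytes(2, "big") + sos
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78" * 50   # stuffed byte and RST0 inside
    return SOI + app0_seg + sos_seg + scan + EOI


def segment(data: bytes, size: int = 100):
    """Split into fixed-size chunks, standing in for reassembled TCP segments."""
    return [data[i:i + size] for i in range(0, len(data), size)]


if __name__ == "__main__":
    jpeg = build_sample_jpeg()
    for label, flow in (("complete", jpeg), ("cut short", jpeg[:-7])):
        segs = segment(flow)
        print(label, "per-segment:", per_segment_verdicts(segs),
              "flow:", flow_verdict(segs))
```

Run as-is it shows the complete file producing four "abnormal" verdicts followed by one "footer" under the per-segment model but a single "normal" under the flow model, and the cut-short file producing only "abnormal" per segment and "truncated" for the flow. The flowbit in the thread's rules plays the role of `armed` here; what the rules lack is the equivalent of `flow_verdict`, a single evaluation after the last segment.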

