[Snort-users] flowbits - checking multiple bits being set to create alerting

Eoin Miller eoin.miller at ...14586...
Wed Jun 15 14:04:17 EDT 2011


On 6/14/2011 4:37 PM, Patrick Mullen wrote:
> Eoin,
>
> Could you send a pcap and the three rules (the rule below and the two
> flowbit setting rules) to me that demonstrate this behavior?  If what
> you describe is correct, this is a bug and we need to correct it.  The
> way the rules language works, the flowbit checks as described below
> should be an AND-type series of checks.
>
>
> Thanks,
>
> ~Patrick
Patrick,

Thanks for looking into this and confirming the behavior. After a 
little more testing, I think I am mistaken/being an idiot. I guess when 
you have a rule that only checks for the existence of the two flowbits being 
set and nothing else whatsoever, then it just logs every packet in the 
tagged session. When that session turns out to get combined with HTTP 
pipelining, then I didn't understand why it was firing. I've got things 
more squared away and hopefully.

#
#
# Setting EXE flowbit:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; flowbits:set,ET.http.binary; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Binary_Downloads; sid:2000419; rev:12;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE Install Windows file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program must be "; distance: 0; isdataat: 140,relative; content:"PE"; distance: 0; flowbits:set,ET.http.binary; classtype:policy-violation; reference:url,www.program-transformation.org/Transform/PcExeFormat; reference:url,doc.emergingthreats.net/bin/view/Main/2000427; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Binary_Downloads; sid:2000427; rev:12;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Likely Binary in HTTP by Type Flowbit"; flow:established,from_server; flowbits:isnotset,ET.http.binary; content:"HTTP/1"; depth:6; content:"Content-Type|3a| application/"; nocase; http_header; flowbits:noalert; flowbits:set,ET.http.binary; classtype:not-suspicious; reference:url,doc.emergingthreats.net/2007670; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Small_Binary_Downloads; sid:2007670; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download (2)"; flow:established; content:"MZ"; isdataat:76,relative; content:"Windows Program"; distance:0; isdataat:10,relative; content:"PE"; distance:0; flowbits:set,ET.http.binary; classtype:policy-violation; reference:url,doc.emergingthreats.net/2010869; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Binary_Downloads; sid:2010869; rev:2;)
#
#
# Setting Java Client flowbit:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"AOL TEST Java Client HTTP Request"; content:" Java/1."; http_header; flowbits:set,ET.http.javaclient; classtype:misc-activity; sid:7000015; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"AOL TEST Vulnerable Java Version 1.5.x Detected"; flowbits:isset,ET.http.javaclient; content:" Java/1.5."; http_header; flowbits:set,ET.http.javaclient.vulnerable; flowbits:unset,ET.http.javaclient; classtype:bad-unknown; sid:7000016; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"AOL TEST Vulnerable Java Version 1.6.x Detected"; flowbits:isset,ET.http.javaclient; content:" Java/1.6.0_"; http_header; pcre:"/Java\/1.6.0_([0-1][0-9]|2[0-3])/"; flowbits:set,ET.http.javaclient.vulnerable; flowbits:unset,ET.http.javaclient; classtype:bad-unknown; sid:7000017; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"AOL TEST Vulnerable Java Version 1.4.x Detected"; flowbits:isset,ET.http.javaclient; content:" Java/1.4."; http_header; flowbits:set,ET.http.javaclient.vulnerable; flowbits:unset,ET.http.javaclient; classtype:bad-unknown; sid:7000018; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"AOL TEST Vulnerable Java Version EXE Download"; flowbits:isset,ET.http.binary; flowbits:isset,ET.http.javaclient.vulnerable; threshold:type limit,track by_src,count 1,seconds 5; classtype:trojan-activity; sid:7000019; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"AOL TEST Java EXE Download"; flowbits:isset,ET.http.binary; flowbits:isset,ET.http.javaclient; threshold:type limit,track by_src,count 1,seconds 5; classtype:trojan-activity; sid:7000020; rev:1;)

I added some thresholding with type limit and that seems to have squared 
away the problem in our testing environment. I'll be running these for 
the next few days and monitoring the output on the live stuff.

-- Eoin
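The behaviour Eoin describes (a rule whose only conditions are two flowbits:isset checks fires on every packet of the flow once both bits are set, and threshold type limit collapses that to one alert per source per window), modelled as an added example that is not code from the original thread or from Snort: a toy flowbits/threshold evaluator with simplified stand-ins for the post's rules (content matches only, no pcre or http_header buffers) and a constructed sample session; all rule dicts, packet fields and addresses are assumptions of this model.

```python
from collections import defaultdict
# Stand-ins for the post's rules (not Snort syntax), evaluated in list order;
# "threshold" = seconds for type limit, count 1, track by_src.
RULES = [
    {"sid": 2007670, "dir": "s2c", "content": "Content-Type: application/",
     "notset": ["binary"], "set": ["binary"], "noalert": True},
    {"sid": 2000419, "dir": "s2c", "content": "MZ", "set": ["binary"]},
    {"sid": 7000015, "dir": "c2s", "content": " Java/1.", "set": ["javaclient"]},
    {"sid": 7000017, "dir": "c2s", "content": " Java/1.6.0_", "isset": ["javaclient"],
     "set": ["javaclient.vulnerable"], "unset": ["javaclient"]},
    {"sid": 7000019, "dir": "s2c", "isset": ["binary", "javaclient.vulnerable"],
     "threshold": 5},
    {"sid": 7000020, "dir": "s2c", "isset": ["binary", "javaclient"]},
]

def run(packets, rules=RULES, use_threshold=True):
    bits = defaultdict(set)   # flow id -> flowbits currently set on that flow
    window = {}               # (sid, src) -> start of the current limit window
    counts = defaultdict(int) # sid -> alerts emitted
    for pkt in packets:
        fb = bits[pkt["flow"]]
        for r in rules:
            if r["dir"] != pkt["dir"] or r.get("content", "") not in pkt["payload"]:
                continue
            if any(b in fb for b in r.get("notset", ())):
                continue
            if not all(b in fb for b in r.get("isset", ())):  # AND of every isset
                continue
            fb.update(r.get("set", ()))        # flowbit side effects on match
            fb.difference_update(r.get("unset", ()))
            if r.get("noalert"):
                continue
            th = r.get("threshold") if use_threshold else None
            if th:
                key = (r["sid"], pkt["src"])
                if key in window and pkt["ts"] - window[key] < th:
                    continue                   # still inside the window: suppress
                window[key] = pkt["ts"]
            counts[r["sid"]] += 1
    return dict(counts)

# Constructed sample flow: a Java 1.6.0_20 request, then an EXE reply in five server packets.
SRV = {"flow": "f1", "dir": "s2c", "src": "203.0.113.7"}
SESSION = [
    {"flow": "f1", "dir": "c2s", "src": "10.0.0.5", "ts": 0.0,
     "payload": "GET /a.exe HTTP/1.1\r\nUser-Agent: Java/1.6.0_20\r\n\r\n"},
    dict(SRV, ts=0.1, payload="HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"),
    dict(SRV, ts=0.2, payload="MZ\x90\x00 ... PE\x00\x00"),
] + [dict(SRV, ts=0.3 + 0.1 * i, payload="<more exe bytes>") for i in range(3)]
```

Without the threshold sid 7000019 alerts on all five server packets of the flow; with it, once per source in the 5-second window, which is the effect the post reports from adding type limit.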