[Snort-users] flow:established still broken in 2.9.0.5? (was:FP shows snort-2.9.0.3 confused over packets and sessions)

Jason Haar Jason.Haar at ...294...
Wed Jun 29 04:49:30 EDT 2011


Hi there

We're still seeing the problem under 2.9.0.5 where snort misclassified a
packet in the middle of a TCP stream  as being the first packet and
matches against that.

e.g. we just had the following FP

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
Win32.Inject.ajq Initial Checkin to CnC packet 2";
flow:established,to_server; content:"|07|F"; depth:2;
flowbits:isset,ET.inj.ajq.1; classtype:trojan-activity;
reference:url,doc.emergingthreats.net/2008056;
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Win32.Inject;
sid:2008056; rev:4;)


It has "flow:established" and 'content:"|07|F"; depth:2'. So that should
mean it can only alert IFF the *first two bytes* of the tcp stream are
'|07|F'. However, we had it trigger in the middle of a HTTPS session
(via a proxy on port 3128 - which we've  defined as HTTP_PORTS). The
packet it matched on was 1260 bytes in size and indeed began with those
two bytes.

We've seen this in earlier releases as well as 2.9.0.5. Is this a known
problem? I didn't get any feedback last time I brought this up

Thanks

Jason


On 12/05/11 13:50, Jason Haar wrote:
> On 10/05/11 19:42, rmkml wrote:
>> Hi Jason,
>> I suggest replace `depth:4;` to `http_method;`.
>> Replace it's work on my test.
>> I have another suggest, replace `isdataat:200,relative;` to
>> `isdataat:200,relative; content:!"|0A|"; within:200;`.
>> I have another another suggest, on pcre, replace `(?!\n)` to `(?!\r?\n)`.
> I think your suggested changes make a lot of sense, but that wasn't
> really my point. Why did a "depth:4" rule match *inside* a stream
> instead of the *beginning* of a stream?
>
>> Please upgrade to snort v2.9.0.5.
> Is there a stream5 bug in 2.9.0.3 that caused this? Changelog doesn't
> show anything. My understanding of how snort merges packets into streams
> is contradicted by this event: either my understanding is incorrect, or
> there's a bug(?)
>
>  
>

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20110629/159fc81b/attachment.html>


More information about the Snort-users mailing list