[Snort-users] flow:established still broken in (was:FP shows snort- confused over packets and sessions)

Joel Esler jesler at ...1935...
Wed Jun 29 06:47:53 EDT 2011

Just a couple thoughts initially, I'll fwd this over to devel for them to look at as well.

Are you dropping packets?  I am wondering that, because maybe Snort tagged this as a midstream pickup or something.
Do you have a pcap?

As a rule writing note, "isset" flowbit checks generally should come before content.  I have no idea what this rule does though, but I'd want the flowbit check before the content in this case, as it's only a two byte match.  


On Jun 29, 2011, at 4:49 AM, Jason Haar wrote:

> Hi there
> We're still seeing the problem under where snort misclassified a packet in the middle of a TCP stream  as being the first packet and matches against that.
> e.g. we just had the following FP
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Inject.ajq Initial Checkin to CnC packet 2"; flow:established,to_server; content:"|07|F"; depth:2; flowbits:isset,ET.inj.ajq.1; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008056; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Win32.Inject; sid:2008056; rev:4;) 
> It has "flow:established" and 'content:"|07|F"; depth:2'. So that should mean it can only alert IFF the *first two bytes* of the tcp stream are '|07|F'. However, we had it trigger in the middle of a HTTPS session (via a proxy on port 3128 - which we've  defined as HTTP_PORTS). The packet it matched on was 1260 bytes in size and indeed began with those two bytes.
> We've seen this in earlier releases as well as Is this a known problem? I didn't get any feedback last time I brought this up
> Thanks
> Jason
> On 12/05/11 13:50, Jason Haar wrote:
>> On 10/05/11 19:42, rmkml wrote:
>>> Hi Jason,
>>> I suggest replace `depth:4;` to `http_method;`.
>>> Replace it's work on my test.
>>> I have another suggest, replace `isdataat:200,relative;` to
>>> `isdataat:200,relative; content:!"|0A|"; within:200;`.
>>> I have another another suggest, on pcre, replace `(?!\n)` to `(?!\r?\n)`.
>> I think your suggested changes make a lot of sense, but that wasn't
>> really my point. Why did a "depth:4" rule match *inside* a stream
>> instead of the *beginning* of a stream?
>>> Please upgrade to snort v2.9.0.5.
>> Is there a stream5 bug in that caused this? Changelog doesn't
>> show anything. My understanding of how snort merges packets into streams
>> is contradicted by this event: either my understanding is incorrect, or
>> there's a bug(?)
> -- 
> Cheers
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
> ------------------------------------------------------------------------------
> All of the data generated in your IT infrastructure is seriously valuable.
> Why? It contains a definitive record of application performance, security 
> threats, fraudulent activity, and more. Splunk takes this data and makes 
> sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-d2d-c2_______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> Please see http://www.snort.org/docs for documentation

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20110629/adb60eae/attachment.html>

More information about the Snort-users mailing list