[Snort-users] flow:established still broken in 2.9.0.5? (was:FP shows snort-2.9.0.3 confused over packets and sessions)

Matthew Jonkman jonkman at ...15020...
Wed Jun 29 07:07:16 EDT 2011


On Jun 29, 2011, at 6:47 AM, Joel Esler wrote:

> Just a couple thoughts initially, I'll fwd this over to devel for them to look at as well.
> 
> Are you dropping packets?  I am wondering that, because maybe Snort tagged this as a midstream pickup or something.
> Do you have a pcap?
> 
> 
> As a rule writing note, "isset" flowbit checks generally should come before content.  I have no idea what this rule does though, but I'd want the flowbit check before the content in this case, as it's only a two byte match.  
> 


Thanks for checking on the above Joel, thats something that's been killing me over the years but I thought it was expected behavior... 

On the flowbits though: I think we had a discussion here a while ago (years perhaps) that flowbits were checked AFTER all content matching, just before the alert stage. So order would be irrelevant in the rule, no?

That came around when we were trying to get performance gains by using flowbits to avoid costly content checks, but in the end it didn't help, it only prevented events, not load.

Thanks!

Matt

> J
> 
> On Jun 29, 2011, at 4:49 AM, Jason Haar wrote:
> 
>> Hi there
>> 
>> We're still seeing the problem under 2.9.0.5 where snort misclassified a packet in the middle of a TCP stream  as being the first packet and matches against that.
>> 
>> e.g. we just had the following FP
>> 
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Inject.ajq Initial Checkin to CnC packet 2"; flow:established,to_server; content:"|07|F"; depth:2; flowbits:isset,ET.inj.ajq.1; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008056; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Win32.Inject; sid:2008056; rev:4;) 
>> 
>> 
>> It has "flow:established" and 'content:"|07|F"; depth:2'. So that should mean it can only alert IFF the *first two bytes* of the tcp stream are '|07|F'. However, we had it trigger in the middle of a HTTPS session (via a proxy on port 3128 - which we've  defined as HTTP_PORTS). The packet it matched on was 1260 bytes in size and indeed began with those two bytes.
>> 
>> We've seen this in earlier releases as well as 2.9.0.5. Is this a known problem? I didn't get any feedback last time I brought this up
>> 
>> Thanks
>> 
>> Jason
>> 
>> 
>> On 12/05/11 13:50, Jason Haar wrote:
>>> 
>>> On 10/05/11 19:42, rmkml wrote:
>>>> Hi Jason,
>>>> I suggest replace `depth:4;` to `http_method;`.
>>>> Replace it's work on my test.
>>>> I have another suggest, replace `isdataat:200,relative;` to
>>>> `isdataat:200,relative; content:!"|0A|"; within:200;`.
>>>> I have another another suggest, on pcre, replace `(?!\n)` to `(?!\r?\n)`.
>>> I think your suggested changes make a lot of sense, but that wasn't
>>> really my point. Why did a "depth:4" rule match *inside* a stream
>>> instead of the *beginning* of a stream?
>>> 
>>>> Please upgrade to snort v2.9.0.5.
>>> Is there a stream5 bug in 2.9.0.3 that caused this? Changelog doesn't
>>> show anything. My understanding of how snort merges packets into streams
>>> is contradicted by this event: either my understanding is incorrect, or
>>> there's a bug(?)
>>> 
>>>  
>>> 
>> 
>> -- 
>> Cheers
>> 
>> Jason Haar
>> Information Security Manager, Trimble Navigation Ltd.
>> Phone: +64 3 9635 377 Fax: +64 3 9635 417
>> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>> ------------------------------------------------------------------------------
>> All of the data generated in your IT infrastructure is seriously valuable.
>> Why? It contains a definitive record of application performance, security 
>> threats, fraudulent activity, and more. Splunk takes this data and makes 
>> sense of it. IT sense. And common sense.
>> http://p.sf.net/sfu/splunk-d2d-c2_______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> 
>> Please see http://www.snort.org/docs for documentation
> 
> ------------------------------------------------------------------------------
> All of the data generated in your IT infrastructure is seriously valuable.
> Why? It contains a definitive record of application performance, security 
> threats, fraudulent activity, and more. Splunk takes this data and makes 
> sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-d2d-c2_______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> Please see http://www.snort.org/docs for documentation


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20110629/eba37fb7/attachment.html>


More information about the Snort-users mailing list