[Snort-users] A question on flows with pcaps

James Lay jlay at ...13475...
Wed Aug 8 12:57:26 EDT 2012


Hey all,

So...I saw this rule posted this morning:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Specific JavaScript Replace hwehes - 8th August 2012"; flow:established,to_client; file_data; content:".replace(/hwehes/g"; fast_pattern:only; classtype:trojan-activity; sid:139994; rev:1;)

I have a packet capture that I wanted to test the above on:

   1 2012-08-08 09:15:00.775111    10.21.0.9 -> 96.126.109.182 TCP 74 35498 > 80 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=145666377 TSecr=0 WS=16
   2 2012-08-08 09:15:00.846374 96.126.109.182 -> 10.21.0.9    TCP 74 80 > 35498 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1380 SACK_PERM=1 TSval=78463678 TSecr=145666377 WS=64
   3 2012-08-08 09:15:00.846403    10.21.0.9 -> 96.126.109.182 TCP 66 35498 > 80 [ACK] Seq=1 Ack=1 Win=14608 Len=0 TSval=145666395 TSecr=78463678
   4 2012-08-08 09:15:00.846525    10.21.0.9 -> 96.126.109.182 HTTP 276 GET /tid6mian.php?q=141afc4be54689c9 HTTP/1.1
   5 2012-08-08 09:15:00.917513 96.126.109.182 -> 10.21.0.9    TCP 66 80 > 35498 [ACK] Seq=1 Ack=211 Win=15552 Len=0 TSval=78463750 TSecr=145666395
   6 2012-08-08 09:15:01.880144 96.126.109.182 -> 10.21.0.9    TCP 1561 [TCP segment of a reassembled PDU]
   7 2012-08-08 09:15:01.880171    10.21.0.9 -> 96.126.109.182 TCP 66 35498 > 80 [ACK] Seq=211 Ack=1496 Win=17600 Len=0 TSval=145666654 TSecr=78464712
   8 2012-08-08 09:15:01.880251 96.126.109.182 -> 10.21.0.9    TCP 1521 [TCP segment of a reassembled PDU]
   <a lot more ACK's>
 113 2012-08-08 09:15:02.278602 96.126.109.182 -> 10.21.0.9    HTTP 775 HTTP/1.1 200 OK  (text/html)
 114 2012-08-08 09:15:02.278611    10.21.0.9 -> 96.126.109.182 TCP 66 35498 > 80 [ACK] Seq=211 Ack=90560 Win=68640 Len=0 TSval=145666753 TSecr=78465110
 115 2012-08-08 09:15:02.279393    10.21.0.9 -> 96.126.109.182 TCP 66 35498 > 80 [FIN, ACK] Seq=211 Ack=90560 Win=68640 Len=0 TSval=145666754 TSecr=78465110
 116 2012-08-08 09:15:02.350151 96.126.109.182 -> 10.21.0.9    TCP 66 80 > 35498 [FIN, ACK] Seq=90560 Ack=212 Win=15552 Len=0 TSval=78465182 TSecr=145666754
 117 2012-08-08 09:15:02.350174    10.21.0.9 -> 96.126.109.182 TCP 66 35498 > 80 [ACK] Seq=212 Ack=90561 Win=68640 Len=0 TSval=145666771 TSecr=78465182

I basically packet captured a wget of the above link.  Now...when I 
test this against this rule, it doesn't fire...UNLESS I remove the 
flow:established,to_client.  Is there a reason I have to do that?  My 
home and not-home net settings are below:

ipvar HOME_NET [10.0.0.0/8]
ipvar EXTERNAL_NET !$HOME_NET

Thanks for any assistance.

James
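Since the flow keyword is the part being toggled above, here is an added example (not from the post and not Snort's own code) that models what flow:established,to_client requires, run over a constructed summary of the same handshake and over the same exchange as it would look if the capture began midstream. The model is deliberately strict, counting a session as established only after a complete three-way handshake; that is an assumption for illustration, and how Snort's stream preprocessor actually treats sessions depends on its configuration.

```python
import re

# Constructed sample modelled on the capture quoted in the post (not the real
# pcap). Format: "src:sport -> dst:dport FLAGS"; DATA marks a payload segment.
HANDSHAKE_CAPTURE = """\
10.21.0.9:35498 -> 96.126.109.182:80 SYN
96.126.109.182:80 -> 10.21.0.9:35498 SYN,ACK
10.21.0.9:35498 -> 96.126.109.182:80 ACK
10.21.0.9:35498 -> 96.126.109.182:80 ACK,DATA
96.126.109.182:80 -> 10.21.0.9:35498 ACK,DATA
"""

# The same exchange as it looks when the capture starts after the handshake.
MIDSTREAM_CAPTURE = "\n".join(HANDSHAKE_CAPTURE.splitlines()[3:]) + "\n"

LINE_RE = re.compile(r"(\S+):(\d+) -> (\S+):(\d+) (\S+)")


def flow_established_to_client(capture):
    """For each packet, report whether 'flow:established,to_client' holds.

    Strict model (an assumption, not Snort's stream5 logic): the client is
    whoever sent the SYN, and the session counts as established only after
    SYN, SYN/ACK and the client's final ACK have all been seen.
    """
    sessions = {}   # client (ip, port) -> session state
    results = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, flags = (m[1], m[2]), (m[3], m[4]), set(m[5].split(","))
        if flags == {"SYN"}:                       # new session, src is client
            sessions[src] = {"synack": False, "established": False}
        if src in sessions:                        # client -> server
            sess, to_client = sessions[src], False
            if sess["synack"] and "ACK" in flags:  # third leg of the handshake
                sess["established"] = True
        elif dst in sessions:                      # server -> client
            sess, to_client = sessions[dst], True
            if flags == {"SYN", "ACK"}:
                sess["synack"] = True
        else:                                      # no SYN ever seen: untracked
            results.append(False)
            continue
        results.append(sess["established"] and to_client)
    return results


if __name__ == "__main__":
    print(flow_established_to_client(HANDSHAKE_CAPTURE))  # [False, False, False, False, True]
    print(flow_established_to_client(MIDSTREAM_CAPTURE))  # [False, False]
```

Only the server's payload segment after a full handshake satisfies the condition; in the midstream capture no packet ever does, which is the kind of difference worth checking before blaming the rule's content match.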