[Snort-users] A question on flows with pcaps

Will Metcalf william.metcalf at ...11827...
Wed Aug 8 13:16:10 EDT 2012


If you leave flow:established,to_client; and pass "-k none" as a
command line option does it fire?  If so you probably need to disable
checksum offloading on your NIC...

http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html

Regards,

Will

On Wed, Aug 8, 2012 at 11:57 AM, James Lay <jlay at ...13475...> wrote:
> Hey all,
>
> So...I saw this rule posted this morning:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
> CURRENT_EVENTS Blackhole Specific JavaScript Replace hwehes - 8th August
> 2012"; flow:established,to_client; file_data;
> content:".replace(/hwehes/g"; fast_pattern:only;
> classtype:trojan-activity; sid:139994; rev:1;)
>
> I have a packet capture that I wanted to test the above on:
>
>    1 2012-08-08 09:15:00.775111    10.21.0.9 -> 96.126.109.182 TCP 74
> 35498 > 80 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1
> TSval=145666377 TSecr=0 WS=16
>    2 2012-08-08 09:15:00.846374 96.126.109.182 -> 10.21.0.9    TCP 74 80
>  > 35498 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1380 SACK_PERM=1
> TSval=78463678 TSecr=145666377 WS=64
>    3 2012-08-08 09:15:00.846403    10.21.0.9 -> 96.126.109.182 TCP 66
> 35498 > 80 [ACK] Seq=1 Ack=1 Win=14608 Len=0 TSval=145666395
> TSecr=78463678
>    4 2012-08-08 09:15:00.846525    10.21.0.9 -> 96.126.109.182 HTTP 276
> GET /tid6mian.php?q=141afc4be54689c9 HTTP/1.1
>    5 2012-08-08 09:15:00.917513 96.126.109.182 -> 10.21.0.9    TCP 66 80
>  > 35498 [ACK] Seq=1 Ack=211 Win=15552 Len=0 TSval=78463750
> TSecr=145666395
>    6 2012-08-08 09:15:01.880144 96.126.109.182 -> 10.21.0.9    TCP 1561
> [TCP segment of a reassembled PDU]
>    7 2012-08-08 09:15:01.880171    10.21.0.9 -> 96.126.109.182 TCP 66
> 35498 > 80 [ACK] Seq=211 Ack=1496 Win=17600 Len=0 TSval=145666654
> TSecr=78464712
>    8 2012-08-08 09:15:01.880251 96.126.109.182 -> 10.21.0.9    TCP 1521
> [TCP segment of a reassembled PDU]
>    <a lot more ACK's>
> 113 2012-08-08 09:15:02.278602 96.126.109.182 -> 10.21.0.9    HTTP 775
> HTTP/1.1 200 OK  (text/html)
> 114 2012-08-08 09:15:02.278611    10.21.0.9 -> 96.126.109.182 TCP 66
> 35498 > 80 [ACK] Seq=211 Ack=90560 Win=68640 Len=0 TSval=145666753
> TSecr=78465110
> 115 2012-08-08 09:15:02.279393    10.21.0.9 -> 96.126.109.182 TCP 66
> 35498 > 80 [FIN, ACK] Seq=211 Ack=90560 Win=68640 Len=0 TSval=145666754
> TSecr=78465110
> 116 2012-08-08 09:15:02.350151 96.126.109.182 -> 10.21.0.9    TCP 66 80
>  > 35498 [FIN, ACK] Seq=90560 Ack=212 Win=15552 Len=0 TSval=78465182
> TSecr=145666754
> 117 2012-08-08 09:15:02.350174    10.21.0.9 -> 96.126.109.182 TCP 66
> 35498 > 80 [ACK] Seq=212 Ack=90561 Win=68640 Len=0 TSval=145666771
> TSecr=78465182
>
> I basically packet captured a wget of the above link.  Now...when I
> test this against this rule, it doesn't fire...UNLESS I remove the
> flow:established,to_client.  Is there a reason I have to do that?  My
> home and not home net settings below:
>
> ipvar HOME_NET [10.0.0.0/8]
> ipvar EXTERNAL_NET !$HOME_NET
>
> Thanks for any assistance.
>
> James
>
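The checksum problem Will points at, as an added example (not code from the thread or from Snort): a stdlib-only Python check that recomputes a TCP checksum over the IPv4 pseudo-header, which is the check Snort applies before it admits a packet to the stream tracker (and the one "-k none" skips). The sample SYN is constructed to resemble packet 1 in James's capture; the variant with the checksum field left uncomputed stands in for what a capture taken on the sending host sees when the NIC is supposed to fill the field in later.

```python
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum: IPv4 pseudo-header (src, dst, zero, proto 6, length) + segment with checksum zeroed."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def verify_tcp_checksum(packet: bytes) -> bool:
    """packet = IPv4 header + TCP segment (no link layer). True if the stored TCP checksum is correct."""
    ihl = (packet[0] & 0x0F) * 4
    src, dst = packet[12:16], packet[16:20]
    segment = packet[ihl:]
    stored = struct.unpack("!H", segment[16:18])[0]
    return stored == tcp_checksum(src, dst, segment)


def build_syn(fill_checksum: bool) -> bytes:
    """Constructed SYN 10.21.0.9:35498 -> 96.126.109.182:80 (win 14600), no TCP options.

    With fill_checksum=False the field is left at 0, a placeholder standing in for
    a capture taken before the NIC computed the real value (checksum offload)."""
    src, dst = bytes([10, 21, 0, 9]), bytes([96, 126, 109, 182])
    # sport, dport, seq, ack, data offset 5 words, flags SYN, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", 35498, 80, 0, 0, 5 << 4, 0x02, 14600, 0, 0)
    if fill_checksum:
        tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    # version/IHL, TOS, total length, id, DF flag, TTL, proto TCP, header checksum (unused here), src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    return ip + tcp


if __name__ == "__main__":
    print("good packet verifies:", verify_tcp_checksum(build_syn(True)))    # True
    print("offloaded packet verifies:", verify_tcp_checksum(build_syn(False)))  # False
```

A packet that fails this check never establishes a flow in Snort's stream tracker, so a rule carrying flow:established never matches on it even though the content is present in the capture.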