[Snort-users] Flowbits and rule ordering issue

Leach, Rob M (NAM E) rob.leach at ...6725...
Wed Feb 8 14:59:37 EST 2012


Hello Snort-Users!

  I am having some issues making a flowbits "set" operation be recognized on the first packet of a UDP stream.  Specifically, I set a flag called 'acme_noalert' and have all the firewall verification rules check isnotset:acme_noalert.

  When the first packet of a flow comes in, three rules seem to trigger:
     1) Base RPC-Decode informational rules  -- prints output
     2) The (flowbits:set,acme_noalert) rule -- no print
     3) The fw-verify "invalid port" rule  -- prints output (acme_noalert isn't set?)

  When each subsequent packet of a flow comes in, the same three rules trigger:
     1) Base RPC-Decode informational stuff -- sometimes prints
     2) The (flowbits:set,acme_noalert) rule -- no print, no net effect
     3) The fw-verify "invalid port" rule -- no print (acme_noalert has been set)

  Is it possible to force snort to evaluate rule (2) before rule (3)?  Is there some other way of flagging the flow for my other rules?



  Below is a sanitized set of vars, rules, and example "before" and "after" logfiles.

  I have an example .pcap file that triggers the issue, but am unsure how to distribute it to the users list.  (Please let me know what I should do to distribute it.)

  Also, let me know if I should instead re-send this mail with attachments instead of inline text.


Thanks,
-Rob

~~~~~~snort.conf additions~~~~~
#######################################
# Example rules
#######################################

###### HOSTS
var ACME_HOST_TYPE_GREEN [192.168.1.11]

var ACME_HOST_TYPE_ORANGE [192.168.1.22]

# All ACME AIX hosts
var ACME_HOST_ALL_AIX [192.168.1.11,192.168.1.22]

###### PORTS
# AIX ports which are bindable only by root
portvar ACME_PORTS_AIX_ROOT_RESV [1:1023]

# Note: Default ephemeral port range restricted by ACME
portvar ACME_PORTS_AIX_EPHEMERAL [58535:65535]

# Portmapper-111 NFS-2049  LowEphemeral--58535:58555
portvar ACME_PORTS_AIX_PORTMAPPED_SVCS [111,2049,58535:58555]

#### Verify-firewall ports
portvar ACME_PORTS_GREENAIX [22,23,111,2049,5943,5432,7950,8000,8080,8380,58535:65535]

portvar ACME_PORTS_ORANGEAIX [22,23,111,2049,5943,5432,7950,8000,8080,8380,58535:65535]

##****************************************************************
##*  Insert the following include after the last "include" statement in snort.conf
##****************************************************************
include $RULE_PATH/acme-noalert.rules

include $RULE_PATH/acme-verify-firewall.rules


~~~~~~~$RULE_PATH/acme-noalert.rules ~~~~~~~
##### ---- Begin custom non-generated pre-base rules ---- #####
# Mark as "acme_noalert" -- allows other rules to alert on suspicious traffic
# UDP Portmapper - both directions, just in case

alert udp $ACME_HOST_ALL_AIX $ACME_PORTS_AIX_ROOT_RESV -> $ACME_HOST_ALL_AIX 111 (flowbits:set,acme_noalert; flowbits:noalert; sid:88001;)
alert udp $ACME_HOST_ALL_AIX 111 -> $ACME_HOST_ALL_AIX $ACME_PORTS_AIX_ROOT_RESV (flowbits:set,acme_noalert; flowbits:noalert; sid:88002;)

# TCP Portmapped Services - ONE direction
alert tcp $ACME_HOST_ALL_AIX $ACME_PORTS_AIX_ROOT_RESV -> $ACME_HOST_ALL_AIX $ACME_PORTS_AIX_PORTMAPPED_SVCS (flowbits:set,acme_noalert; flowbits:noalert; sid:88003;)

~~~~~~~$RULE_PATH/acme-verify-firewall.rules ~~~~~~~
alert udp $ACME_HOST_TYPE_GREEN !$ACME_PORTS_GREENAIX -> any any (flowbits:isnotset,acme_noalert; msg: "FW validate - invalid SRC UDP port for GREEN AIX";classtype:misc-attack; sid:89001; rev:1;)
alert tcp $ACME_HOST_TYPE_GREEN !$ACME_PORTS_GREENAIX -> any any (flowbits:isnotset,acme_noalert; msg: "FW validate - invalid SRC TCP port for GREEN AIX";classtype:misc-attack; sid:89002; rev:1;)

alert udp any any -> $ACME_HOST_TYPE_GREEN !$ACME_PORTS_GREENAIX (flowbits:isnotset,acme_noalert; msg: "FW validate - invalid DST UDP port for GREEN AIX";classtype:misc-attack; sid:89003; rev:1;)
alert tcp any any -> $ACME_HOST_TYPE_GREEN !$ACME_PORTS_GREENAIX (flowbits:isnotset,acme_noalert; msg: "FW validate - invalid DST TCP port for GREEN AIX";classtype:misc-attack; sid:89004; rev:1;)

alert udp $ACME_HOST_TYPE_ORANGE !$ACME_PORTS_ORANGEAIX -> any any (flowbits:isnotset,acme_noalert; msg: "FW validate - invalid SRC UDP port for ORANGE AIX";classtype:misc-attack; sid:89011; rev:1;)
alert tcp $ACME_HOST_TYPE_ORANGE !$ACME_PORTS_ORANGEAIX -> any any (flowbits:isnotset,acme_noalert; msg: "FW validate - invalid SRC TCP port for ORANGE AIX";classtype:misc-attack; sid:89012; rev:1;)

alert udp any any -> $ACME_HOST_TYPE_ORANGE !$ACME_PORTS_ORANGEAIX (flowbits:isnotset,acme_noalert; msg: "FW validate - invalid DST UDP port for ORANGE AIX";classtype:misc-attack; sid:89013; rev:1;)
alert tcp any any -> $ACME_HOST_TYPE_ORANGE !$ACME_PORTS_ORANGEAIX (flowbits:isnotset,acme_noalert; msg: "FW validate - invalid DST TCP port for ORANGE AIX";classtype:misc-attack; sid:89014; rev:1;)

~~~~~~~~ EXAMPLE LOG WITH acme-noalert.rules ENABLED ~~~~~~~~
02/07-08:11:34.803555  [**] [1:579:11] RPC portmap mountd request UDP [**] [Classification: Decode of an RPC Query] [Priority: 2] {UDP} 192.168.1.22:807 -> 192.168.1.11:111
02/07-08:11:34.803555  [**] [1:89011:1] FW validate - invalid SRC UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.22:807 -> 192.168.1.11:111
02/07-08:11:34.807006  [**] [1:1959:9] RPC portmap NFS request UDP [**] [Classification: Decode of an RPC Query] [Priority: 2] {UDP} 192.168.1.22:809 -> 192.168.1.11:111
02/07-08:11:34.807006  [**] [1:89011:1] FW validate - invalid SRC UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.22:809 -> 192.168.1.11:111

~~~~~~~~ EXAMPLE LOG WITHOUT acme-noalert.rules ~~~~~~~~~~~~~
02/07-08:11:34.803555  [**] [1:579:11] RPC portmap mountd request UDP [**] [Classification: Decode of an RPC Query] [Priority: 2] {UDP} 192.168.1.22:807 -> 192.168.1.11:111
02/07-08:11:34.803555  [**] [1:89011:1] FW validate - invalid SRC UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.22:807 -> 192.168.1.11:111
02/07-08:11:34.803849  [**] [1:89013:1] FW validate - invalid DST UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.11:111 -> 192.168.1.22:807
02/07-08:11:34.804600  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:808 -> 192.168.1.11:58535
02/07-08:11:34.804758  [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:58535 -> 192.168.1.22:808
02/07-08:11:34.804803  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:808 -> 192.168.1.11:58535
02/07-08:11:34.804955  [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:58535 -> 192.168.1.22:808
02/07-08:11:34.805001  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:808 -> 192.168.1.11:58535
02/07-08:11:34.805151  [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:58535 -> 192.168.1.22:808
02/07-08:11:34.805803  [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:58535 -> 192.168.1.22:808
02/07-08:11:34.805848  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:808 -> 192.168.1.11:58535
02/07-08:11:34.807006  [**] [1:1959:9] RPC portmap NFS request UDP [**] [Classification: Decode of an RPC Query] [Priority: 2] {UDP} 192.168.1.22:809 -> 192.168.1.11:111
02/07-08:11:34.807006  [**] [1:89011:1] FW validate - invalid SRC UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.22:809 -> 192.168.1.11:111
02/07-08:11:34.807308  [**] [1:89013:1] FW validate - invalid DST UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.11:111 -> 192.168.1.22:809
02/07-08:11:34.807993  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:810 -> 192.168.1.11:2049
02/07-08:11:34.808099  [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:2049 -> 192.168.1.22:810
02/07-08:11:34.808212  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:810 -> 192.168.1.11:2049
02/07-08:11:34.808329  [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:2049 -> 192.168.1.22:810
02/07-08:11:34.808422  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:810 -> 192.168.1.11:2049
02/07-08:11:34.808547  [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:2049 -> 192.168.1.22:810
02/07-08:11:34.808554  [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:2049 -> 192.168.1.22:810
02/07-08:11:34.808749  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:810 -> 192.168.1.11:2049
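The two logs above, grouped by flow, as an added example (not part of the original post and not Snort's own tooling): it parses Snort's fast-alert format, keys each alert by a direction-independent 5-tuple so both halves of a UDP exchange land together, and counts the 890xx FW-validate alerts per flow with and without acme-noalert.rules, which makes the first-packet symptom visible (the UDP 807/111 flow drops from two alerts to one). Sample lines are copied from the post; the "without" set is an excerpt.

```python
import re

# Snort "fast" alert format exactly as it appears in the post's logs.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse_alert(line):
    """Return a dict for one fast-alert line, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["sid"], a["sport"], a["dport"] = int(a["sid"]), int(a["sport"]), int(a["dport"])
    return a

def flow_key(a):
    """Direction-independent key: protocol plus the two endpoints in sorted order."""
    ends = sorted([(a["src"], a["sport"]), (a["dst"], a["dport"])])
    return (a["proto"], ends[0], ends[1])

def alerts_by_flow(lines):
    """Map each flow to its ordered list of (timestamp, sid) alerts."""
    flows = {}
    for line in lines:
        a = parse_alert(line)
        if a:
            flows.setdefault(flow_key(a), []).append((a["ts"], a["sid"]))
    return flows

def fw_validate_counts(with_lines, without_lines, sids=range(89001, 89100)):
    """Per flow, (count with noalert rules, count without) of FW-validate alerts,
    i.e. the post's 890xx sids; a flow that drops to exactly one is the symptom."""
    with_f, without_f = alerts_by_flow(with_lines), alerts_by_flow(without_lines)
    out = {}
    for key in set(with_f) | set(without_f):
        out[key] = (sum(1 for _, s in with_f.get(key, []) if s in sids),
                    sum(1 for _, s in without_f.get(key, []) if s in sids))
    return out

# Sample lines copied from the post; WITHOUT_NOALERT is an excerpt of that log.
WITH_NOALERT = """02/07-08:11:34.803555  [**] [1:579:11] RPC portmap mountd request UDP [**] [Classification: Decode of an RPC Query] [Priority: 2] {UDP} 192.168.1.22:807 -> 192.168.1.11:111
02/07-08:11:34.803555  [**] [1:89011:1] FW validate - invalid SRC UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.22:807 -> 192.168.1.11:111
02/07-08:11:34.807006  [**] [1:1959:9] RPC portmap NFS request UDP [**] [Classification: Decode of an RPC Query] [Priority: 2] {UDP} 192.168.1.22:809 -> 192.168.1.11:111
02/07-08:11:34.807006  [**] [1:89011:1] FW validate - invalid SRC UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.22:809 -> 192.168.1.11:111""".splitlines()
WITHOUT_NOALERT = """02/07-08:11:34.803555  [**] [1:89011:1] FW validate - invalid SRC UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.22:807 -> 192.168.1.11:111
02/07-08:11:34.803849  [**] [1:89013:1] FW validate - invalid DST UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.11:111 -> 192.168.1.22:807
02/07-08:11:34.804600  [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:808 -> 192.168.1.11:58535""".splitlines()
```

Run it against a full pair of alert files (one per Snort configuration) to get the same per-flow comparison for every flow in the capture.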


