[Snort-users] base64 snort options

whliudunjun whliudunjun at ...7427...
Wed Jun 13 23:29:13 EDT 2012


Yes, this time it works, thanks very much.

At 2012-06-13 23:00:34,"Bhagya Bantwal" <bbantwal at ...1935...> wrote:
>Adding file_data before base64_decode should fire the alert you want.
>
>So change the second rule to:
>
>alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"base64
>returned from outbound post";flow:to_client,established;
>flowbits:isset,badpost; content:"200"; http_stat_code;  file_data;
>base64_decode:relative; base64_data;
>content:"webmail.vigilante.dk";sid:10000089;)
>
>
>-B
>
>On Mon, Jun 11, 2012 at 10:55 PM, whliudunjun <whliudunjun at ...7427...> wrote:
>> should be like this:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Suspicious
>> outbound post"; flow:to_server,established; content:"POST"; http_method;
>> content:"index.php"; http_uri; flowbits:set,badpost; flowbits:noalert; sid:10000088;)
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"base64 returned
>> from outbound post";flow:to_client,established; flowbits:isset,badpost;
>> content:"200"; http_stat_code;     content:"text/html";
>> base64_decode:relative; base64_data;
>> content:"webmail.vigilante.dk";sid:10000089;)
>>
>> But it still can't detect the given pcap traffic; it seems the base64 decode
>> doesn't work?
>> At 2012-06-12 01:40:51,whliudunjun <whliudunjun at ...7427...> wrote:
>>
>> Hi, Joel Esler,
>>   Sorry, I'm not familiar with Snort signatures. I read snort_manual.pdf,
>> section 3.6.10 flowbits, and used the signature you wrote, but it still
>> didn't output any alert.
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Suspicious
>> outbound post"; flow:to_server,established; content:"POST"; http_method;
>> content:"index.php"; http_uri; flowbits:set,badpost; flowbits:noalert; sid:10000088;)
>>
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $EXTERNAL_NET $HTTP_PORTS
>> (msg:"base64 returned from outbound post"; flow:to_client,established;
>> flowbits:isset,badpost; content:"200"; http_stat_code; content:"text/html";
>> base64_decode:relative; base64_data;
>> content:"webmail.vigilante.dk";sid:10000089;)
>>
>> Thanks and best regards.
>>
>>
>> At 2012-06-11 20:32:00,"Joel Esler" <jesler at ...1935...> wrote:
>>><have not looked at pcap>
>>>
>>>You have to use both sigs I gave you below.
>>>
>>>
>>>On Jun 10, 2012, at 11:53 PM, whliudunjun wrote:
>>>
>>>>
>>>> Hi,Joel Esler,
>>>> Thanks for your quick reply. Here I will post my pcap, f43b7121dadb17ff057bfdbba9b0c18f.pcap, and the snort -T output so that you can see what my trouble is. I still can't detect the said traffic with any sig; when I use:
>>>> ----------------------------------------------------------------------------------------------------------------------------------------------------------
>>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $EXTERNAL_NET $HTTP_PORTS (msg:"base64 returned from outbound post"; flow:to_client,established; flowbits:isset,badpost; content:"200"; http_stat_code; content:"text/html"; http_header; base64_decode:relative; base64_data; content:"webmail.vigilante.dk"; sid:10000043; rev:1;)
>>>> ----------------------------------------------------------------------------------------------------------------------------------------------------------
>>>> snort -A fast -b -d -r f43b7121dadb17ff057bfdbba9b0c18f.pcap  -c /opt/snort/etc/test.conf
>>>>
>>>> no alert is logged.
>>>>
>>>> Thanks.
>>>>
>>>> At 2012-06-09 03:44:38,"Joel Esler" <jesler at ...1935...> wrote:
>>>> >alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Suspicious outbound post"; flow:to_server,established; content:"POST"; http_method; content:"index.php"; http_uri; flowbits:set,badpost; flowbits:noalert; sid:1;)
>>>> >
>>>> >alert tcp $EXTERNAL_NET $HTTP_PORTS -> $EXTERNAL_NET $HTTP_PORTS (msg:"base64 returned from outbound post"; flow:to_client,established; flowbits:isset,badpost; content:"200"; http_stat_code; content:"text/html"; base64_decode:relative; base64_data;  content:"webmail.vigilante.dk"; sid:2;)
>>>> >
>>>> >or
>>>> >
>>>> >alert tcp $EXTERNAL_NET $HTTP_PORTS -> $EXTERNAL_NET $HTTP_PORTS (msg:"base64 returned from outbound post"; flow:to_client,established; flowbits:isset,badpost; content:"200"; http_stat_code; content:"text/html"; base64_decode:relative; base64_data;  content:"varchar("; content:"cast("; distance:0; sid:3;)
>>>> >
>>>> >Actually the below won't work, the above should.
>>>> >
>>>> >
>>>> >On Jun 8, 2012, at 3:43 PM, Joel Esler wrote:
>>>> >
>>>> >> Maybe something like this:
>>>> >>
>>>> >> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Suspicious outbound post"; flow:to_server,established; content:"POST"; http_method; content:"index.php"; http_uri; flowbits:set,badpost; flowbits:noalert; sid:1;)
>>>> >>
>>>> >> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $EXTERNAL_NET $HTTP_PORTS (msg:"base64 returned from outbound post"; flow:to_client,established; flowbits:isset,badpost; content:"200"; http_stat_code; content:"text/html"; http_header; base64_decode:relative; base64_data;  content:"webmail.vigilante.dk"; sid:2;)
>>>> >>
>>>> >> or
>>>> >>
>>>> >> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $EXTERNAL_NET $HTTP_PORTS (msg:"base64 returned from outbound post"; flow:to_client,established; flowbits:isset,badpost; content:"200"; http_stat_code; content:"text/html"; http_header; base64_decode:relative; base64_data;  content:"varchar("; content:"cast("; distance:0; sid:3;)
>>>> >>
>>>> >>
>>>> >>
>>>> >>
>>>> >> Note, I wrote those off the top of my head.  I didn't test them as I don't have a pcap of the traffic.
>>>> >>
>>>> >> --
>>>> >> Joel Esler
>>>> >> Senior Research Engineer, VRT
>>>> >> OpenSource Community Manager
>>>> >> Sourcefire
>>>> >>
>>>> >>
>>>> >> On Jun 8, 2012, at 2:05 AM, whliudunjun wrote:
>>>> >>
>>>> >>> When I use Snort to scan a pcap file, the network traffic looks like the following:
>>>> >>>
>>>> >>> the traffic:---------------------------------------------------------------------------------------
>>>> >>> send:
>>>> >>> POST /metcon/index.php?id=73EEFFDBC2080030429BE52FA2866576 HTTP/1.1
>>>> >>> Content-Type: application/x-www-form-urlencoded
>>>> >>> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Axo 9.104.044 )
>>>> >>> Host: 178.157.202.31
>>>> >>> Content-Length: 4
>>>> >>> Cache-Control: no-cache
>>>> >>> INIT
>>>> >>> receive:
>>>> >>> HTTP/1.1 200 OK
>>>> >>> Date: Wed, 06 Jun 2012 09:58:00 GMT
>>>> >>> Server: Apache
>>>> >>> Vary: Accept-Encoding
>>>> >>> Content-Length: 2196
>>>> >>> Content-Type: text/html
>>>> >>> d2VibWFpbC52aWdpbGFudGUuZGs=#ODA=#MDAwMA==#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#X19fXw==#TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgNS4xKSBBcHBsZVdlYktpdC81MzUuMTkgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTguMC4xMDI1LjE2MiBTYWZhcmkvNTM1LjE5##fDgxMw==#
>>>> >>>
>>>> >>> end-------------------------------------------------------------------------------------------------------------------------------------------------------
>>>> >>>
>>>> >>> base64:
>>>> >>> d2VibWFpbC52aWdpbGFudGUuZGs=#
>>>> >>> ascii:webmail.vigilante.dk
>>>> >>>
>>>> >>> The received data is encoded using base64, so I wrote a Snort rule to detect it:
>>>> >>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Trojan SQL injection code receive"; flow:to_client,established; content:"HTTP/1.1 200 OK"; content:"webmail.vigilante.dk"; classtype:trojan-activity; sid:10000043; rev:1;)
>>>> >>>
>>>> >>> Why can't this sig detect the above traffic? Can anyone tell me why? Did I write the rule the wrong way, or do I need to enable some config option?
>>>> >>>
>>>> >>
>>>> >
>>>>
>>>>
>>>>
>>>> <pcap.zip>
>>>
>>
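A small Python model of why adding file_data before base64_decode makes the second rule fire, added here as an example and not code from the thread or from Snort itself: it splits a response into header and body (the buffer file_data selects), runs a simplified base64_decode:relative from the cursor, and checks for the indicator string. The response is a constructed sample built from the base64 tokens quoted above; the decoder is a deliberately simplified model of Snort's and the function names are mine.

```python
import base64
import re

# Constructed sample body in the shape quoted in the thread:
# '#'-separated base64 fields (tokens taken from the posted traffic).
SAMPLE_BODY = b"d2VibWFpbC52aWdpbGFudGUuZGs=#ODA=#MDAwMA==#"
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    + b"Content-Length: %d\r\n" % len(SAMPLE_BODY)
    + b"\r\n"
    + SAMPLE_BODY
)

def split_response(raw):
    """Split a raw HTTP response into (status line, headers, body).
    The body is the buffer that Snort's file_data option selects."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status, _, headers = head.partition(b"\r\n")
    return status, headers, body

def base64_decode_relative(buf, cursor):
    """Simplified model of base64_decode:relative: decode the run of base64
    characters that starts at the cursor; any other byte ends the run."""
    m = re.match(rb"[A-Za-z0-9+/=]+", buf[cursor:])
    if not m:
        return b""
    try:
        return base64.b64decode(m.group(0), validate=True)
    except ValueError:
        return b""

def decode_fields(body):
    """Decode every '#'-separated base64 field of a response body."""
    return [base64.b64decode(f, validate=True) for f in body.split(b"#") if f]

def rule_matches(raw, use_file_data):
    """Model of the thread's second rule. With use_file_data the cursor starts
    at the body; without it, it sits just after content:"text/html" in the
    raw payload, where the next byte is CRLF and nothing base64 decodes."""
    status, _, body = split_response(raw)
    if status.split()[1] != b"200":            # content:"200"; http_stat_code
        return False
    if use_file_data:
        buf, cursor = body, 0                  # file_data; base64_decode:relative
    else:
        idx = raw.find(b"text/html")           # content:"text/html" in raw payload
        if idx < 0:
            return False
        buf, cursor = raw, idx + len(b"text/html")
    return b"webmail.vigilante.dk" in base64_decode_relative(buf, cursor)
```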