[Snort-users] A question in regards to rules, ACK and flow.

Jeremy Hoel jthoel at ...11827...
Wed Dec 4 19:55:28 EST 2013

Background - We have a snort sensor (IDS mode) sitting off a span port
on a switch that then goes to a Sourcefire and then outbound to the
internet.  Both the snort and the SF run the same set of VRT rules and
have configs with the same port definitions, but the SF is inline and
in blocking mode.

Today the SF picked up on sid:28538 "MALWARE-CNC Win.Trojan.Asprox
variant connection attempt". Only the SF picked up on it and dropped
it (as per the rule) but the snort sensor didn't. The rule exists on
the snort server and is enabled.

Looking at traffic that was captured on the snort sensor, you can see
the outbound data that the rule would pick up on
('Content-Disposition: form-data; name="key"; filename="key.bin"',
'Content-Type: multipart/form-data; boundary='  and the POST) but
there is never any ACK for the sent packet (beyond the handshake) from
the destination (since the SF is blocking it). If the packets are just
sent out, but no ACK is received, does snort not trigger on it since
it really can't complete a flow?

community.rules:# alert tcp $HOME_NET any -> $EXTERNAL_NET
[$HTTP_PORTS,443] (msg:"MALWARE-CNC Win.Trojan.Asprox variant
connection attempt"; flow:to_server,established; content:"User-Agent:
Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:23.0) Gecko/20100101
Firefox/23.0"; content:"Content-Disposition: form-data|3B|
name=|22|key|22 3B| filename=|22|key.bin|22|"; fast_pattern:only;
content:"Content-Disposition: form-data|3B| name=|22|data|22 3B|
filename=|22|data.bin|22|"; content:"Content-Type:
multipart/form-data|3B| boundary="; pcre:"/POST\s\/[A-F0-9]{42}\s/";
metadata:impact_flag red, policy security-ips drop, ruleset community,
service http; reference:url,stopmalvertising.com/malware-reports/analysis-of-asprox-and-its-new-encryption-scheme.html;
classtype:trojan-activity; sid:28538; rev:1;)
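Added example (not from the post, not Snort code): a small Python checker that takes the rule quoted above, expands its |hex| content escapes, and applies the content and pcre options to a constructed HTTP POST body. It separates the payload conditions (which the captured traffic satisfies) from the flow:to_server,established condition, which the checker only reports as a requirement; whether a flow counts as established is decided by the sensor's stream tracking, which this script does not model. The sample POST and the multipart boundary are constructed, the checker ignores fast_pattern and offset/distance modifiers, and it searches the whole payload rather than Snort's HTTP buffers.

```python
import re

# Constructed copy of the rule quoted on the list, with the wrapped lines joined.
ASPROX_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] ('
    'msg:"MALWARE-CNC Win.Trojan.Asprox variant connection attempt"; '
    'flow:to_server,established; '
    'content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:23.0) '
    'Gecko/20100101 Firefox/23.0"; '
    'content:"Content-Disposition: form-data|3B| name=|22|key|22 3B| '
    'filename=|22|key.bin|22|"; fast_pattern:only; '
    'content:"Content-Disposition: form-data|3B| name=|22|data|22 3B| '
    'filename=|22|data.bin|22|"; '
    'content:"Content-Type: multipart/form-data|3B| boundary="; '
    'pcre:"/POST\\s\\/[A-F0-9]{42}\\s/"; '
    'metadata:impact_flag red, policy security-ips drop, ruleset community, '
    'service http; reference:url,stopmalvertising.com/malware-reports/'
    'analysis-of-asprox-and-its-new-encryption-scheme.html; '
    'classtype:trojan-activity; sid:28538; rev:1;)'
)

# Constructed client->server POST body shaped like the traffic the post describes
# (42 hex chars in the URI, the Firefox 23 User-Agent, key.bin and data.bin parts).
SAMPLE_POST = (
    b'POST /' + b'A' * 42 + b' HTTP/1.1\r\n'
    b'Host: example.invalid\r\n'
    b'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0\r\n'
    b'Content-Type: multipart/form-data; boundary=----constructed\r\n\r\n'
    b'------constructed\r\n'
    b'Content-Disposition: form-data; name="key"; filename="key.bin"\r\n\r\n'
    b'KEYBYTES\r\n'
    b'------constructed\r\n'
    b'Content-Disposition: form-data; name="data"; filename="data.bin"\r\n\r\n'
    b'DATABYTES\r\n'
    b'------constructed--\r\n'
)

# Constructed ordinary form post that should not satisfy the rule.
BENIGN_POST = (
    b'POST /login HTTP/1.1\r\n'
    b'Host: example.invalid\r\n'
    b'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0\r\n'
    b'Content-Type: application/x-www-form-urlencoded\r\n\r\n'
    b'user=alice&pass=secret\r\n'
)

_PCRE_FLAGS = {'i': re.IGNORECASE, 's': re.DOTALL, 'm': re.MULTILINE}


def decode_content(value: str) -> bytes:
    """Expand Snort |hex| escapes: text outside pipes is literal, text inside is hex bytes."""
    out = bytearray()
    for i, chunk in enumerate(value.split('|')):
        out += chunk.encode('latin-1') if i % 2 == 0 else bytes.fromhex(chunk)
    return bytes(out)


def parse_rule(rule: str) -> dict:
    """Pull out the options this checker understands: flow, content, pcre."""
    contents = [decode_content(c) for c in re.findall(r'content:"([^"]*)"', rule)]
    flow = re.search(r'flow:([^;]*);', rule)
    pcre = re.search(r'pcre:"/(.*?)/([a-zA-Z]*)"', rule)
    return {
        'flow': flow.group(1).split(',') if flow else [],
        'contents': contents,
        'pcre': (pcre.group(1), pcre.group(2)) if pcre else None,
    }


def payload_matches(rule: str, payload: bytes) -> dict:
    """Apply the payload options to one reassembled client payload.

    Each content is searched independently (the quoted rule uses no distance/within),
    and the pcre is run as a bytes regex. The flow requirement is reported, not evaluated.
    """
    parsed = parse_rule(rule)
    content_hits = [c in payload for c in parsed['contents']]
    pcre_hit = True
    if parsed['pcre']:
        body, flags = parsed['pcre']
        re_flags = 0
        for ch in flags:
            re_flags |= _PCRE_FLAGS.get(ch, 0)
        pcre_hit = re.search(body.encode('latin-1'), payload, re_flags) is not None
    return {
        'content_hits': content_hits,
        'pcre_hit': pcre_hit,
        'payload_options_satisfied': all(content_hits) and pcre_hit,
        'needs_established_flow': 'established' in parsed['flow'],
    }


if __name__ == '__main__':
    for name, body in (('sample', SAMPLE_POST), ('benign', BENIGN_POST)):
        print(name, payload_matches(ASPROX_RULE, body))
```

If the captured POST satisfies every content and the pcre here, the remaining condition is flow:to_server,established, which is evaluated from the sensor's TCP session state rather than from packet payload; that is the part to check in the stream preprocessor configuration and its session statistics when an IDS-mode sensor stays silent on traffic an inline device blocks.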

