[Snort-users] A question in regards to rules, ACK and flow.

Joel Esler (jesler) jesler at ...589...
Wed Dec 4 22:52:33 EST 2013


Depends on which mode you are running in: "inline" mode or "passive" mode.  Looks like you are running in passive on your Snort instance, so, no. 

--
Joel Esler
Intelligence Lead
Open Source Manager
Vulnerability Research Team

Sent from my iPhone.  

> On Dec 4, 2013, at 19:57, "Jeremy Hoel" <jthoel at ...11827...> wrote:
> 
> Background - We have a snort sensor (IDS mode) sitting off a span port
> on a switch that then goes to a Sourcefire and then outbound to the
> internet.  Both the snort and the SF run the same set of VRT rules and
> have configs with the same port definitions, but the SF is inline and
> in blocking mode.
> 
> Today the SF picked up on sid:28538 "MALWARE-CNC Win.Trojan.Asprox
> variant connection attempt". Only the SF picked up on it and dropped
> it (as per the rule) but the snort sensor didn't. The rule exists on
> the snort server and is enabled.
> 
> Looking at traffic that was captured on the snort sensor, you can see
> the outbound data that the rule would pick up on
> ('Content-Disposition: form-data; name="key"; filename="key.bin"',
> 'Content-Type: multipart/form-data; boundary='  and the POST) but
> there is never any ACK for the sent packet (beyond the handshake) from
> the destination (since the SF is blocking it). If the packets are just
> sent out, but no ACK is received, does snort not trigger on it since
> it really can't complete a flow?
> 
> community.rules:# alert tcp $HOME_NET any -> $EXTERNAL_NET
> [$HTTP_PORTS,443] (msg:"MALWARE-CNC Win.Trojan.Asprox variant
> connection attempt"; flow:to_server,established; content:"User-Agent:
> Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:23.0) Gecko/20100101
> Firefox/23.0"; content:"Content-Disposition: form-data|3B|
> name=|22|key|22 3B| filename=|22|key.bin|22|"; fast_pattern:only;
> content:"Content-Disposition: form-data|3B| name=|22|data|22 3B|
> filename=|22|data.bin|22|"; content:"Content-Type:
> multipart/form-data|3B| boundary="; pcre:"/POST\s\/[A-F0-9]{42}\s/";
> metadata:impact_flag red, policy security-ips drop, ruleset community,
> service http; reference:url,stopmalvertising.com/malware-reports/analysis-of-asprox-and-its-new-encryption-scheme.html;
> classtype:trojan-activity; sid:28538; rev:1;)
> 
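As an added example (not code from the thread or from the Snort project) of the two things sid:28538 needs from the captured traffic, a Python model that decodes the rule's |hex| content escapes, checks all four contents and the pcre against a constructed POST, and derives "established" from a simplified handshake tracker (an assumption about how that state is reached, not Snort's own stream code); in the sample the server never ACKs the data segment, as in the capture described above.

```python
import re

# Content matches and pcre copied from sid:28538 as quoted in the thread.
RULE_CONTENTS = [
    "User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:23.0) Gecko/20100101 Firefox/23.0",
    "Content-Disposition: form-data|3B| name=|22|key|22 3B| filename=|22|key.bin|22|",
    "Content-Disposition: form-data|3B| name=|22|data|22 3B| filename=|22|data.bin|22|",
    "Content-Type: multipart/form-data|3B| boundary=",
]
RULE_PCRE = re.compile(rb"POST\s\/[A-F0-9]{42}\s")

def decode_snort_content(s):
    """Expand Snort |hh hh| hex escapes (e.g. |3B| -> ';', |22| -> '"') into bytes."""
    out = bytearray()
    for i, part in enumerate(s.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)

def handshake_seen(packets):
    """Simplified stream-tracker model (assumption, not Snort's stream5): the session
    counts as established once SYN (client), SYN/ACK (server) and ACK (client) have
    been seen in order. Whether the server later ACKs client data does not change it."""
    want = [("c2s", "S"), ("s2c", "SA"), ("c2s", "A")]
    for direction, flags in packets:
        if want and (direction, flags) == want[0]:
            want.pop(0)
    return not want

def rule_28538_matches(packets, payload):
    """True when the flow is established and every content plus the pcre hits."""
    if not handshake_seen(packets):
        return False
    if not all(decode_snort_content(c) in payload for c in RULE_CONTENTS):
        return False
    return RULE_PCRE.search(payload) is not None

# Constructed sample: handshake, then one client data segment that the server
# never ACKs (the inline device in front of it dropped the POST).
SAMPLE_PACKETS = [("c2s", "S"), ("s2c", "SA"), ("c2s", "A"), ("c2s", "PA")]
SAMPLE_PAYLOAD = (
    b"POST /" + b"A" * 42 + b" HTTP/1.1\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0\r\n"
    b"Content-Type: multipart/form-data; boundary=xyz\r\n\r\n"
    b'--xyz\r\nContent-Disposition: form-data; name="key"; filename="key.bin"\r\n\r\n'
    b'--xyz\r\nContent-Disposition: form-data; name="data"; filename="data.bin"\r\n\r\n'
)

if __name__ == "__main__":
    print(rule_28538_matches(SAMPLE_PACKETS, SAMPLE_PAYLOAD))
```

Running it against bytes pulled from the sensor's own capture (instead of SAMPLE_PAYLOAD) shows whether the content side of the rule is satisfied independently of the stream state question.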