[Snort-users] A question in regards to rules, ACK and flow.

Joel Esler (jesler) jesler at ...589...
Wed Dec 4 22:52:33 EST 2013

Depends on which mode you are running in: "inline" mode or "passive" mode.  Looks like you are running in passive on your Snort instance, so, no. 

Joel Esler
Intelligence Lead
Open Source Manager
Vulnerability Research Team

Sent from my iPhone.  

> On Dec 4, 2013, at 19:57, "Jeremy Hoel" <jthoel at ...11827...> wrote:
> Background - We have a snort sensor (IDS mode) sitting off a span port
> on a switch that then goes to a Sourcefire and then outbound to the
> internet.  Both the snort and the SF run the same set of VRT rules and
> have configs with the same port definitions, but the SF is inline and
> in blocking mode.
> Today the SF picked up on sid:28538 "MALWARE-CNC Win.Trojan.Asprox
> variant connection attempt". Only the SF picked up on it and dropped
> it (as per the rule) but the snort sensor didn't. The rule exists on
> the snort server and is enabled.
> Looking at traffic that was captured on the snort sensor, you can see
> the outbound data that the rule would pick up on
> ('Content-Disposition: form-data; name="key"; filename="key.bin"',
> 'Content-Type: multipart/form-data; boundary='  and the POST) but
> there is never any ACK for the sent packet (beyond the handshake) from
> the destination (since the SF is blocking it). If the packets are just
> sent out, but no ACK is received, does snort not trigger on it since
> it really can't complete a flow?
> community.rules:# alert tcp $HOME_NET any -> $EXTERNAL_NET
> [$HTTP_PORTS,443] (msg:"MALWARE-CNC Win.Trojan.Asprox variant
> connection attempt"; flow:to_server,established; content:"User-Agent:
> Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:23.0) Gecko/20100101
> Firefox/23.0"; content:"Content-Disposition: form-data|3B|
> name=|22|key|22 3B| filename=|22|key.bin|22|"; fast_pattern:only;
> content:"Content-Disposition: form-data|3B| name=|22|data|22 3B|
> filename=|22|data.bin|22|"; content:"Content-Type:
> multipart/form-data|3B| boundary="; pcre:"/POST\s\/[A-F0-9]{42}\s/";
> metadata:impact_flag red, policy security-ips drop, ruleset community,
> service http; reference:url,stopmalvertising.com/malware-reports/analysis-of-asprox-and-its-new-encryption-scheme.html;
> classtype:trojan-activity; sid:28538; rev:1;)
