[Snort-users] A question in regards to rules, ACK and flow.

Jeremy Hoel jthoel at ...11827...
Thu Dec 5 01:03:47 EST 2013


Yes, passive mode.  I just wanted to make sure that there was a reason
why the alert wasn't showing even though it saw the packets.

Thank you.

On Wed, Dec 4, 2013 at 8:52 PM, Joel Esler (jesler) <jesler at ...589...> wrote:
> Depends on which mode you are running in, "inline" mode or "passive" mode.  Looks like you are running in passive on your Snort instance, so, no.
>
> --
> Joel Esler
> Intelligence Lead
> Open Source Manager
> Vulnerability Research Team
>
> Sent from my iPhone.
>
>> On Dec 4, 2013, at 19:57, "Jeremy Hoel" <jthoel at ...11827...> wrote:
>>
>> Background - We have a snort sensor (IDS mode) sitting off a span port
>> on a switch that then goes to a Sourcefire and then outbound to the
>> internet.  Both the snort and the SF run the same set of VRT rules and
>> have configs with the same port definitions, but the SF is inline and
>> in blocking mode.
>>
>> Today the SF picked up on sid:28538 "MALWARE-CNC Win.Trojan.Asprox
>> variant connection attempt". Only the SF picked up on it and dropped
>> it (as per the rule) but the snort sensor didn't. The rule exists on
>> the snort server and is enabled.
>>
>> Looking at traffic that was captured on the snort sensor, you can see
>> the outbound data that the rule would pick up on
>> ('Content-Disposition: form-data; name="key"; filename="key.bin"',
>> 'Content-Type: multipart/form-data; boundary='  and the POST) but
>> there is never any ACK for the sent packet (beyond the handshake) from
>> the destination (since the SF is blocking it). If the packets are just
>> sent out, but no ACK is received, does snort not trigger on it since
>> it really can't complete a flow?
>>
>> community.rules:# alert tcp $HOME_NET any -> $EXTERNAL_NET
>> [$HTTP_PORTS,443] (msg:"MALWARE-CNC Win.Trojan.Asprox variant
>> connection attempt"; flow:to_server,established; content:"User-Agent:
>> Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:23.0) Gecko/20100101
>> Firefox/23.0"; content:"Content-Disposition: form-data|3B|
>> name=|22|key|22 3B| filename=|22|key.bin|22|"; fast_pattern:only;
>> content:"Content-Disposition: form-data|3B| name=|22|data|22 3B|
>> filename=|22|data.bin|22|"; content:"Content-Type:
>> multipart/form-data|3B| boundary="; pcre:"/POST\s\/[A-F0-9]{42}\s/";
>> metadata:impact_flag red, policy security-ips drop, ruleset community,
>> service http; reference:url,stopmalvertising.com/malware-reports/analysis-of-asprox-and-its-new-encryption-scheme.html;
>> classtype:trojan-activity; sid:28538; rev:1;)
>>
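To make the quoted rule's matching conditions concrete, here is an added Python example (not from this thread or from the Snort project) that decodes the rule's `content:` strings with their `|hex|` escapes, applies them and the `pcre` to a constructed HTTP POST, and models `flow:established` with a simplified three-way-handshake tracker. The tracker, the packet lists and the sample request are constructed for illustration; the model only checks whether the handshake was seen and whether the client payload carries the contents, and it does not reproduce Snort's stream reassembly or the point at which payload is actually flushed for inspection.

```python
import re

# Rule text as quoted in the message above (community.rules, sid:28538), reflowed onto one line.
RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] ('
    'msg:"MALWARE-CNC Win.Trojan.Asprox variant connection attempt"; '
    'flow:to_server,established; '
    'content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:23.0) '
    'Gecko/20100101 Firefox/23.0"; '
    'content:"Content-Disposition: form-data|3B| name=|22|key|22 3B| '
    'filename=|22|key.bin|22|"; fast_pattern:only; '
    'content:"Content-Disposition: form-data|3B| name=|22|data|22 3B| '
    'filename=|22|data.bin|22|"; '
    'content:"Content-Type: multipart/form-data|3B| boundary="; '
    'pcre:"/POST\\s\\/[A-F0-9]{42}\\s/"; '
    'classtype:trojan-activity; sid:28538; rev:1;)'
)


def split_options(body):
    """Split a rule body on ';' while ignoring semicolons inside double quotes."""
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def decode_content(value):
    """Turn a Snort content string with |hex| sections into the raw bytes it matches."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")          # literal text
        else:
            out += bytes.fromhex(part.replace(" ", ""))  # |22 3B| -> b'";'
    return bytes(out)


def parse_rule(rule):
    """Extract the flow flags, content matches and pcre patterns from a rule."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    parsed = {"flow": set(), "contents": [], "pcre": []}
    for opt in split_options(body):
        name, _, value = opt.partition(":")
        value = value.strip()
        if name == "flow":
            parsed["flow"] = {f.strip() for f in value.split(",")}
        elif name == "content":
            parsed["contents"].append(decode_content(value.strip('"')))
        elif name == "pcre":
            pat = value.strip('"')
            pat = pat[1 : pat.rindex("/")]  # drop the /.../ delimiters and any trailing flags
            parsed["pcre"].append(re.compile(pat.encode("latin-1")))
    return parsed


def track_flow(packets):
    """Simplified session model (an assumption, not Snort's stream engine): the flow counts
    as established once the three-way handshake has been seen, and client->server payload
    is collected whether or not the server ever ACKs it."""
    state = 0  # 0: nothing seen, 1: SYN, 2: SYN/ACK, 3: handshake complete
    to_server = bytearray()
    for direction, flags, payload in packets:
        if state == 0 and direction == "c2s" and flags == {"SYN"}:
            state = 1
        elif state == 1 and direction == "s2c" and flags == {"SYN", "ACK"}:
            state = 2
        elif state == 2 and direction == "c2s" and "ACK" in flags:
            state = 3
        if direction == "c2s":
            to_server += payload
    return state == 3, bytes(to_server)


def evaluate(rule, packets):
    """Return True when the rule's flow, content and pcre conditions all hold."""
    opts = parse_rule(rule)
    established, payload = track_flow(packets)
    if "established" in opts["flow"] and not established:
        return False
    return all(c in payload for c in opts["contents"]) and all(
        p.search(payload) for p in opts["pcre"]
    )


# Constructed request that carries every string the rule looks for (42 hex chars in the path).
HEX42 = "0123456789ABCDEF" * 2 + "0123456789"
POST = (
    f"POST /{HEX42} HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0\r\n"
    "Content-Type: multipart/form-data; boundary=----constructed\r\n\r\n"
    "------constructed\r\n"
    'Content-Disposition: form-data; name="key"; filename="key.bin"\r\n\r\nKEYBYTES\r\n'
    "------constructed\r\n"
    'Content-Disposition: form-data; name="data"; filename="data.bin"\r\n\r\nDATABYTES\r\n'
    "------constructed--\r\n"
).encode()

# Constructed packet lists: (direction, TCP flags, payload).
SEEN_WITH_HANDSHAKE = [
    ("c2s", {"SYN"}, b""),
    ("s2c", {"SYN", "ACK"}, b""),
    ("c2s", {"ACK"}, b""),
    ("c2s", {"PSH", "ACK"}, POST),  # no server ACK ever follows the data
]
SEEN_MID_STREAM = [("c2s", {"PSH", "ACK"}, POST)]  # sensor never saw the handshake

if __name__ == "__main__":
    print("handshake seen, data unacknowledged:", evaluate(RULE, SEEN_WITH_HANDSHAKE))
    print("handshake never seen:", evaluate(RULE, SEEN_MID_STREAM))
```

In this model the request matches when the handshake was observed even though the server never acknowledges the data, and fails only when the handshake itself was missed, because that is what `flow:established` keys on here. Whether a real passive sensor inspects unacknowledged payload depends on its stream reassembly settings, which the model deliberately leaves out.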
