[Snort-users] Payload not fitting rule content detection on snort + snorby

Txalin txalin at ...11827...
Mon Sep 7 03:45:52 EDT 2015


First of all, let me say hi to this mailing list, as this is my first message
here :) and quickly introduce myself: I'm a Spaniard security freak now
dealing with Snort + tons of other things and tools.

Right now I am running Snort v2.9.6.2 GRE + barnyard2 v2.1.13 build 327
+ Snorby 2.6.2 with ET Pro, community and several custom rules, and I have
detected several times a strange behavior in Snort.

When a rule has been triggered, sometimes I find that the data in the
payload field doesn't match the detection patterns in the rule. Let me
show you an example:

# cat snort.rules | grep "MALWARE-TOOLS Win.Trojan.Dridex dropper message"
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-TOOLS Win.Trojan.Dridex dropper message"; flow:to_server,established; file_data; content:"X-mailer: Synapse - Pascal TCP/IP library by Lukas Gebauer"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/d56e7dea0e119f9a37f2cb7915c3aca0056064a8cc2bd373f2a9a8d97d548c43/analysis/; classtype:trojan-activity; sid:34945; rev:1;)


The payload shown on Snorby is:

Return-Path:.<envio.eletronico.cte at ...11827...>
.Received:.from.[1.1.1.1].by.server.mailprovider.com.id.94/98-03819-BCE0AE55;.Fri,.04.Sep.2015.21:36:11.+0000
.X-Env-Sender:.envio.eletronico.cte at ...11827...
.X-Msg-Ref:.server.mailprovider.com!1441402569!47224666!1
.X-Originating-IP:.[2.2.2.2]
.X-SpamReason:.No,.hits=0.0.required=7.0.tests=SUBJECT_EXCESS_QP
.X-StarScan-Received:
.X-StarScan-Version:.6.13.16;.banners=-,-,-
.X-VirusChecked:.Checked
.Received:.(qmail.1237.invoked.from.network);.4.Sep.2015.21:36:09.-0000
.Received:.from.mail-qk0-f172.google.com.(HELO.mail-qk0-f172.google.com
).(2.2.2.2)
...by.server.mailprovider.com.with.RC4-SHA.encrypted.SMTP;.4.Sep.2015.21:36:09.-0000
.Received:.by.qkdv1.with.SMTP.id.v1so14169723qkd.0
.........for.<cte at ...17300...>;.Fri,.04.Sep.2015.14:36:09.-0700.(PDT)
.DKIM-Signature:.v=1;.a=rsa-sha256;.c=relaxed/relaxed;
.........d=gmail.com;.s=20120113;
.........h=message-id:from:to:subject:date:mime-version:reply-to:content-type
..........:content-description;
.........bh=vVNiQkcbDuIiHCOOoLSG5c8UydaAvY8BiM5JM7lmFt8=;
.........b=MP/tJcqgJ4tn5zaVJbis3NaM34oAsBVrcWfTz+F2jlBnLNpEl2sPFQkrLXGBOFjO8a
..........ns2w6shY+ySFWRQcR2D9lYdht0TK5CTWeXxsW0I3WURt+k7BGC8kQEvTipuQmsQ68C/g
..........xDuihRZt/j/qP0rKX7tnuiboWQxbEqEVYWpoPuGJUUiBVo/BNlgMwRaeScC/Ol+k6rPT
..........lWQvdEEdPfTcsRDDaTLxsPBqbM7Flmir06+4X9gbX/m0mDTArCmogEXgYUsV7kPdo1VC
..........li

As you can see, the pattern "X-mailer: Synapse - Pascal TCP/IP library by
Lukas Gebauer" is not being shown in the payload, which makes me think of
two possibilities:

a) Snorby is not showing all the payload data
b) Snort is not forwarding all the data to Snorby.

Has someone here found similar behavior? Any hints about the cause of it
and how to fix it? I was looking for a configuration file where I can
modify the payload size, but I haven't found anything yet.

Kind regards.
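A triage step for the discrepancy described in the post, as an added example (not code from the original message, from Snort, barnyard2 or Snorby): instead of reading the dotted rendering in the Snorby payload pane, pull the stored payload bytes out of the alert database and check them directly against every `content:` option in the rule. The script parses the posted rule (sid 34945, including `|hex|` blocks and `nocase` for rules that use them), decodes a payload assumed to be stored as a hex string the way barnyard2's database output writes it (that storage format is an assumption here), reports which patterns are absent and how many bytes were actually logged, and reproduces the printable-or-dot view so the two can be compared. The two sample messages are constructed; the truncated one simulates a logged packet that ends before the header the rule matched on.

```python
import re

# Rule text as posted (sid:34945); the single content: option is what we look for.
RULE = (
    'alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-TOOLS '
    'Win.Trojan.Dridex dropper message"; flow:to_server,established; file_data; '
    'content:"X-mailer: Synapse - Pascal TCP/IP library by Lukas Gebauer"; '
    'fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, '
    'policy security-ips drop, service smtp; reference:url,www.virustotal.com/'
    'en/file/d56e7dea0e119f9a37f2cb7915c3aca0056064a8cc2bd373f2a9a8d97d548c43/'
    'analysis/; classtype:trojan-activity; sid:34945; rev:1;)'
)

# One content: option plus the modifiers that follow it, up to the next content: or the
# closing parenthesis of the rule. Group 1 is the optional '!' (negated content).
CONTENT_RE = re.compile(
    r'content:\s*(!?)"((?:[^"\\]|\\.)*)"\s*;(.*?)(?=content:|\)\s*$)', re.S)


def decode_content(raw):
    """Turn the text inside content:"..." into bytes: |hex| blocks and backslash escapes."""
    buf = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] == '|':
            end = raw.index('|', i + 1)
            buf += bytes.fromhex(raw[i + 1:end])  # fromhex ignores the spaces between bytes
            i = end + 1
        elif raw[i] == '\\':
            buf.append(ord(raw[i + 1]))           # \; \" \\ and friends: keep the literal char
            i += 2
        else:
            buf.append(ord(raw[i]))
            i += 1
    return bytes(buf)


def rule_contents(rule):
    """Return [(pattern_bytes, nocase)] for every positive content: option in the rule."""
    found = []
    for negated, raw, modifiers in CONTENT_RE.findall(rule):
        if negated:
            continue                              # a negated content cannot "be missing"
        found.append((decode_content(raw), bool(re.search(r'\bnocase\b', modifiers))))
    return found


def missing_contents(rule, payload):
    """Patterns the rule requires that do not occur anywhere in the logged payload."""
    missing = []
    for pattern, nocase in rule_contents(rule):
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            missing.append(pattern)
    return missing


def check_hex_payload(rule, hex_payload):
    """Decode a hex-encoded stored payload; return (logged_bytes, missing_patterns)."""
    payload = bytes.fromhex(hex_payload)
    return len(payload), missing_contents(rule, payload)


def snorby_view(payload):
    """Render bytes the way the post's payload pane does: printable ASCII, else '.'."""
    return ''.join(chr(b) if 32 <= b < 127 else '.' for b in payload)


# Constructed sample: one SMTP DATA segment carrying the matching header, and the same
# segment cut off after 100 bytes, as a capture that ends before the X-mailer line would be.
FULL_MESSAGE = (
    b"Return-Path: <sender@example.invalid>\r\n"
    b"Received: from [192.0.2.1] by mx.example.invalid; Fri, 04 Sep 2015 21:36:11 +0000\r\n"
    b"X-mailer: Synapse - Pascal TCP/IP library by Lukas Gebauer\r\n"
    b"Subject: invoice\r\n\r\nbody\r\n"
)
FULL_HEX = FULL_MESSAGE.hex().upper()            # assumed shape of a stored data_payload value
TRUNCATED_HEX = FULL_MESSAGE[:100].hex().upper()

if __name__ == "__main__":
    for label, hexdata in (("full", FULL_HEX), ("truncated", TRUNCATED_HEX)):
        n, missing = check_hex_payload(RULE, hexdata)
        print(f"{label}: {n} bytes logged, missing patterns: {missing}")
        print(snorby_view(bytes.fromhex(hexdata)))
```

Run against a real alert, the number of bytes logged is the figure to compare with the size of the offending packet: if the stored payload is shorter than the segment on the wire, the loss is upstream of Snorby; if the stored bytes are complete and the pattern is still absent, the match happened in a buffer other than this packet's raw payload and the logged packet is simply the one being processed when the rule fired.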