[Snort-users] McAfee IDS rule processing

Adrian Good itsa.aacgood at ...11827...
Tue Feb 16 22:47:10 EST 2016


Hi all,

I am attempting to troubleshoot a particular snort rule that has been added
to a custom attack set on our McAfee IDS, and I am hoping that someone can
point me in the right direction.


The rule is below (sid:31229):
alert tcp any any -> any
[36,80,81,82,83,84,85,86,87,88,89,90,311,383,555,591,593,631,801,808,818,901,972,1158,1220,1414,1533,1741,1830,1942,2231,2301,2381,2578,2809,2980,3029,3037,3057,3128,3443,3702,4000,4343,4848,5000,5117,5250,5600,6080,6173,6988,7000,7001,7071,7144,7145,7510,7770,7777,7778,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8333,8344,8500,8509,8800,8888,8899,8983,9000,9060,9080,9090,9091,9111,9290,9443,9999,10000,11371,12601,13014,15489,29991,33300,34412,34443,34444,41080,44449,50000,50002,51423,53331,55252,55555,56712]
(msg:"EXPLOIT-KIT Bleeding Life exploit kit outbound Adobe Flash exploit request";
flow:to_server,established; content:"/modules/"; fast_pattern:only; http_uri;
pcre:"/\/modules\/(n?\d|nu)\.swf$/U";
metadata:policy balanced-ips drop, policy security-ips drop, service http;
classtype:trojan-activity; sid:31229; rev:1;)


The content from the PCAP is the following:
GET http://player.ooyala.com/static/modules/start_screen-fc89fba4b9d2b24da65dad518a40ede5c8441d7deeb4bf33d0c2ca747bedb700.swf HTTP/1.1
Host: player.ooyala.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36
X-Requested-With: ShockwaveFlash/18.0.0.209
Accept: */*
Referer: http://www.skynews.com.au/news/top-stories/2016/02/04/coalition-mps-seek-turnbull-tax-answers.html
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-AU,en;q=0.8
Cookie: BCSI-CS-c87fda4ff6f22bb5=2; BCSI-CS-8d18d10a705be693=2; BCSI-CS-3d562a66fecc35f6=2


The kicker is that the IDS is showing a Translation Warning for this rule
which states - "Ignored snort option(s): fast_pattern".


Looking into the pcre regex I can't seem to get it to match what the full
HTTP GET request is (unless my regex troubleshooting is flawed), so I am
assuming that the pcap is matching the "content" (/modules/) and with
fast_pattern effectively off, it's making a positive match based on the
"content" alone and skipping over "pcre".

Would this assumption be correct, or is anyone able to tell me how rule
processing would work with "content", "pcre" and "no fast_pattern" for this
particular rule?

I hope I have been able to put the question clearly; if not, please let me
know.

Many thanks

-Adrian
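Added example, not part of the post and not Snort's or McAfee's own code: a small Python check that applies the rule's content and pcre options to the quoted request the way stock Snort ANDs its detection options, so you can see that the content matches while the pcre does not. It assumes the text between method and version is what lands in the URI buffer (noted in the code), and the second request is constructed.

```python
import re

# Detection options of sid:31229, copied from the rule quoted in the post.
CONTENT = "/modules/"
PCRE = r"/\/modules\/(n?\d|nu)\.swf$/U"

def snort_pcre_to_python(snort_pcre):
    """Turn a Snort pcre:"/pattern/flags" value into a compiled Python regex.
    Snort's trailing U selects the normalized URI buffer; it is not a regex
    flag, so it is reported separately and dropped. Only i is translated."""
    body, _, flags = snort_pcre.rpartition("/")
    pattern = body[1:]  # strip the opening delimiter
    return re.compile(pattern, re.IGNORECASE if "i" in flags else 0), "U" in flags

def uri_from_request(raw_request):
    """Return the request-target from the HTTP request line.
    Assumption: the text between method and version is used as the URI buffer
    unchanged. That is enough for this rule: the pcre is anchored only at the
    end ($), so a proxy-style absolute URI cannot change the outcome."""
    request_line = raw_request.split("\r\n", 1)[0]
    _method, uri, _version = request_line.split(" ", 2)
    return uri

def evaluate_sid_31229(raw_request):
    """Apply the rule's content and pcre checks the way Snort ANDs them.
    fast_pattern:only means the content is used only by the fast-pattern
    prefilter; the pcre must still match before the rule can fire."""
    uri = uri_from_request(raw_request)
    regex, _uses_uri_buffer = snort_pcre_to_python(PCRE)
    content_hit = CONTENT in uri
    pcre_hit = regex.search(uri) is not None
    return {"uri": uri, "content": content_hit, "pcre": pcre_hit,
            "alert": content_hit and pcre_hit}

# Request line and Host header reassembled from the PCAP quoted in the post.
POSTED_REQUEST = (
    "GET http://player.ooyala.com/static/modules/start_screen-"
    "fc89fba4b9d2b24da65dad518a40ede5c8441d7deeb4bf33d0c2ca747bedb700.swf"
    " HTTP/1.1\r\nHost: player.ooyala.com\r\n\r\n"
)
# Constructed request whose URI has the shape the pcre describes (not from the post).
CONSTRUCTED_MATCH = "GET /modules/n7.swf HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

if __name__ == "__main__":
    for req in (POSTED_REQUEST, CONSTRUCTED_MATCH):
        print(evaluate_sid_31229(req))
```

On stock Snort the content alone never fires this rule, so an alert on this request points at how the translated rule handles the pcre or the URI buffer, which this script does not model.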