[Snort-users] Mcafee IDS rule processing
Joel Esler (jesler)
jesler at ...589...
Tue Feb 16 23:01:24 EST 2016
Unfortunately, we have no idea how the mcafee engine is parsing our rules, and obviously is not parsing them correctly. As the pcre clearly defines that this alert shouldn't have taken place.
On Feb 16, 2016, at 10:50 PM, Adrian Good <itsa.aacgood at ...11827...<mailto:itsa.aacgood at ...11827...>> wrote:
I am attempting to troubleshoot a particular snort rule that has been added to a custom attack set on our Mcafee IDS, and I am hoping that someone can point me in the right direction.
The rule is below (sid:31229):
alert tcp any any -> any [36,80,81,82,83,84,85,86,87,88,89,90,311,383,555,591,593,631,801,808,818,901,972,1158,1220,1414,1533,1741,1830,1942,2231,2301,2381,2578,2809,2980,3029,3037,3057,3128,3443,3702,4000,4343,4848,5000,5117,5250,5600,6080,6173,6988,7000,7001,7071,7144,7145,7510,7770,7777,7778,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8333,8344,8500,8509,8800,8888,8899,8983,9000,9060,9080,9090,9091,9111,9290,9443,9999,10000,11371,12601,13014,15489,29991,33300,34412,34443,34444,41080,44449,50000,50002,51423,53331,55252,55555,56712] (msg:"EXPLOIT-KIT Bleeding Life exploit kit outbound Adobe Flash exploit request"; flow:to_server,established; content:"/modules/"; fast_pattern:only; http_uri; pcre:"/\/modules\/(n?\d|nu)\.swf$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31229; rev:1;)
The content from the PCAP is the following:
GET http://player.ooyala.com/static/modules/start_screen-fc89fba4b9d2b24da65dad518a40ede5c8441d7deeb4bf33d0c2ca747bedb700.swf HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Cookie: BCSI-CS-c87fda4ff6f22bb5=2; BCSI-CS-8d18d10a705be693=2; BCSI-CS-3d562a66fecc35f6=2
The kicker is that the IDS is showing a Translation Warning for this rule which states - "Ignored snort option(s): fast_pattern".
Looking into the pcre regex I cant seem to get it to match what the full HTTP GET request is (unless my regex troubleshooting is flawed), so I am assuming that the pcap is matching the "content" (/modules/) and with fast_pattern effectively off, its making a positive match based on the "content" alone and skipping over "pcre".
Would this assumption be correct? or is anyone able to tell me how rule processing would work with "content", "pcre" and "no fast_pattern" for this particular rule?
I hope I have been able to put the question clearly, if not please let me know.
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
Snort-users mailing list
Snort-users at lists.sourceforge.net<mailto:Snort-users at lists.sourceforge.net>
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
Please visit http://blog.snort.org to stay current on all the latest Snort news!
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users