[Snort-users] help with flow:established

Felix Erlacher felix.erlacher at ...17726...
Mon Jan 9 09:55:12 EST 2017


Hi all,

I encountered a strange behavior in snort 2.9.9.0
I wanted to trigger rule with sid:2010054 from the current
emerging-threat ruleset (emerging-all.rules)[1].
I created a very simple traffic dump with an ARP request/response, TCP 3
way handshake and a HTTP GET request containing the content the rule is
looking for, and a 404 answer from my http server.
If I run snort with only this rule no alarm is triggered.
Now, if I remove the option "established" from the "flow:" keyword,
leaving only "flow:to_server" left in the rule than snort triggers an
alarm for this rule.
There is only one thing that imho could be blamed for this behavior: the
second segment in the tcp 3whs coming from the server has a wrong tcp
checksum.
Is it possible that the preprocessor (and thus snort) does not consider
a TCP connection "established" if there is checksum error in the 3whs?

[1] alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
Likely TDSS Download (codec.exe)"; flow:established,to_server;
content:"GET"; nocase; http_method; content:"/codec.exe"; nocase;
http_uri; reference:url,doc.emergingthreats.net/2010054;
classtype:trojan-activity; sid:2010054; rev:6;)

-- 
Felix Erlacher

Key-ID:4EAC0959

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170109/1cd871c2/attachment.sig>


More information about the Snort-users mailing list