<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<meta content="text/html; charset=ISO-8859-1"
<body bgcolor="#ffffff" text="#000000">
<font face="Liberation Sans">Hi there<br>
We're still seeing the problem under 220.127.116.11 where snort
misclassified a packet in the middle of a TCP stream as being the
first packet and matches against that.<br>
e.g. we just had the following FP<br>
</font>alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"ET TROJAN Win32.Inject.ajq Initial Checkin to CnC packet 2";
flow:established,to_server; content:"|07|F"; depth:2;
reference:url,<a class="moz-txt-link-abbreviated" href="http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Win32.Inject">www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Win32.Inject</a>;
It has "flow:established" and 'content:"|07|F"; depth:2'. So that
should mean it can only alert IFF the *first two bytes* of the tcp
stream are '|07|F'. However, we had it trigger in the middle of a
HTTPS session (via a proxy on port 3128 - which we've defined as
HTTP_PORTS). The packet it matched on was 1260 bytes in size and
indeed began with those two bytes.<br>
We've seen this in earlier releases as well as 18.104.22.168. Is this a
known problem? I didn't get any feedback last time I brought this up<br>
On 12/05/11 13:50, Jason Haar wrote:
<blockquote cite="mid:4DCB3CD7.4080407@...294..." type="cite">
<pre wrap="">On 10/05/11 19:42, rmkml wrote:
<pre wrap="">Hi Jason,
I suggest replace `depth:4;` to `http_method;`.
Replace it's work on my test.
I have another suggest, replace `isdataat:200,relative;` to
`isdataat:200,relative; content:!"|0A|"; within:200;`.
I have another another suggest, on pcre, replace `(?!\n)` to `(?!\r?\n)`.
I think your suggested changes make a lot of sense, but that wasn't
really my point. Why did a "depth:4" rule match *inside* a stream
instead of the *beginning* of a stream?
<pre wrap="">Please upgrade to snort v22.214.171.124.
Is there a stream5 bug in 126.96.36.199 that caused this? Changelog doesn't
show anything. My understanding of how snort merges packets into streams
is contradicted by this event: either my understanding is incorrect, or
there's a bug(?)
<pre class="moz-signature" cols="72">--
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1