Snort mailing list archives
Snort Users - Flowbits and rule ordering
From: "Leach, Rob M (NAM E)" <rob.leach () siemens com>
Date: Wed, 8 Feb 2012 16:29:19 -0600
Hello Snort-Users!

(Apologies if this appears twice on the list. I don't see it in the archive, and I do see mails from other users that were already posted today.)

I am having some issues making a flowbits "set" operation be recognized on the first packet of a UDP stream. Specifically, I set a flag called 'acme_noalert' and have all the firewall verification rules check isnotset:acme_noalert.

When the first packet of a flow comes in, three rules seem to trigger:
1) Base RPC-Decode informational rules -- prints output
2) The (flowbits:set,acme_noalert) rule -- no print
3) The fw-verify "invalid port" rule -- prints output (acme_noalert isn't set?)

When each subsequent packet of a flow comes in, the same three rules trigger:
1) Base RPC-Decode informational stuff -- sometimes prints
2) The (flowbits:set,acme_noalert) rule -- no print, no net effect
3) The fw-verify "invalid port" rule -- no print (acme_noalert has been set)

Is it possible to force snort to evaluate rule (2) before rule (3)? Is there some other way of flagging the flow for my other rules?

Below is a sanitized set of vars, rules, and example "before" and "after" logfiles. I have an example .pcap file that triggers the issue, but am unsure how to distribute it to the users list. (Please let me know what I should do to distribute it.) Also, let me know if I should instead re-send this mail with attachments instead of inline text.
Thanks,
-Rob

~~~~~~snort.conf additions~~~~~
#######################################
# Example rules
#######################################

###### HOSTS
var ACME_HOST_TYPE_GREEN [192.168.1.11]
var ACME_HOST_TYPE_ORANGE [192.168.1.22]
# All ACME AIX hosts
var ACME_HOST_ALL_AIX [192.168.1.11,192.168.1.22]

###### PORTS
# AIX ports which are bindable only by root
portvar ACME_PORTS_AIX_ROOT_RESV [1:1023]
# Note: Default ephemeral port range restricted by ACME
portvar ACME_PORTS_AIX_EPHEMERAL [58535:65535]
# Portmapper-111 NFS-2049 LowEphemeral--58535:58555
portvar ACME_PORTS_AIX_PORTMAPPED_SVCS [111,2049,58535:58555]

#### Verify-firewall ports
portvar ACME_PORTS_GREENAIX [22,23,111,2049,5943,5432,7950,8000,8080,8380,58535:65535]
portvar ACME_PORTS_ORANGEAIX [22,23,111,2049,5943,5432,7950,8000,8080,8380,58535:65535]

##****************************************************************
##* Insert the following include after the last "include" statement in snort.conf
##****************************************************************
include $RULE_PATH/acme-noalert.rules
include $RULE_PATH/acme-verify-firewall.rules

~~~~~~~$RULE_PATH/acme-noalert.rules ~~~~~~~
##### ---- Begin custom non-generated pre-base rules ---- #####
# Mark as "acme_noalert" -- allows other rules to alert on suspicious traffic
# UDP Portmapper - both directions, just in case
alert udp $ACME_HOST_ALL_AIX $ACME_PORTS_AIX_ROOT_RESV -> $ACME_HOST_ALL_AIX 111 (flowbits:set,acme_noalert; flowbits:noalert; sid:88001;)
alert udp $ACME_HOST_ALL_AIX 111 -> $ACME_HOST_ALL_AIX $ACME_PORTS_AIX_ROOT_RESV (flowbits:set,acme_noalert; flowbits:noalert; sid:88002;)
# TCP Portmapped Services - ONE direction
alert tcp $ACME_HOST_ALL_AIX $ACME_PORTS_AIX_ROOT_RESV -> $ACME_HOST_ALL_AIX $ACME_PORTS_AIX_PORTMAPPED_SVCS (flowbits:set,acme_noalert; flowbits:noalert; sid:88003;)

~~~~~~~$RULE_PATH/acme-verify-firewall.rules ~~~~~~~
alert udp $ACME_HOST_TYPE_GREEN !$ACME_PORTS_GREENAIX -> any any (flowbits:isnotset,acme_noalert; msg: "FW validate - invalid SRC UDP port for GREEN AIX";classtype:misc-attack; sid:89001; rev:1;)
alert tcp $ACME_HOST_TYPE_GREEN !$ACME_PORTS_GREENAIX -> any any (flowbits:isnotset,acme_noalert; msg: "FW validate - invalid SRC TCP port for GREEN AIX";classtype:misc-attack; sid:89002; rev:1;)
alert udp any any -> $ACME_HOST_TYPE_GREEN !$ACME_PORTS_GREENAIX (flowbits:isnotset,acme_noalert; msg: "FW validate - invalid DST UDP port for GREEN AIX";classtype:misc-attack; sid:89003; rev:1;)
alert tcp any any -> $ACME_HOST_TYPE_GREEN !$ACME_PORTS_GREENAIX (flowbits:isnotset,acme_noalert; msg: "FW validate - invalid DST TCP port for GREEN AIX";classtype:misc-attack; sid:89004; rev:1;)
alert udp $ACME_HOST_TYPE_ORANGE !$ACME_PORTS_ORANGEAIX -> any any (flowbits:isnotset,acme_noalert; msg: "FW validate - invalid SRC UDP port for ORANGE AIX";classtype:misc-attack; sid:89011; rev:1;)
alert tcp $ACME_HOST_TYPE_ORANGE !$ACME_PORTS_ORANGEAIX -> any any (flowbits:isnotset,acme_noalert; msg: "FW validate - invalid SRC TCP port for ORANGE AIX";classtype:misc-attack; sid:89012; rev:1;)
alert udp any any -> $ACME_HOST_TYPE_ORANGE !$ACME_PORTS_ORANGEAIX (flowbits:isnotset,acme_noalert; msg: "FW validate - invalid DST UDP port for ORANGE AIX";classtype:misc-attack; sid:89013; rev:1;)
alert tcp any any -> $ACME_HOST_TYPE_ORANGE !$ACME_PORTS_ORANGEAIX (flowbits:isnotset,acme_noalert; msg: "FW validate - invalid DST TCP port for ORANGE AIX";classtype:misc-attack; sid:89014; rev:1;)

~~~~~~~~ EXAMPLE LOG WITH acme-noalert.rules ENABLED ~~~~~~~~
02/07-08:11:34.803555 [**] [1:579:11] RPC portmap mountd request UDP [**] [Classification: Decode of an RPC Query] [Priority: 2] {UDP} 192.168.1.22:807 -> 192.168.1.11:111
02/07-08:11:34.803555 [**] [1:89011:1] FW validate - invalid SRC UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.22:807 -> 192.168.1.11:111
02/07-08:11:34.807006 [**] [1:1959:9] RPC portmap NFS request UDP [**] [Classification: Decode of an RPC Query] [Priority: 2] {UDP} 192.168.1.22:809 -> 192.168.1.11:111
02/07-08:11:34.807006 [**] [1:89011:1] FW validate - invalid SRC UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.22:809 -> 192.168.1.11:111

~~~~~~~~ EXAMPLE LOG WITHOUT acme-noalert.rules ~~~~~~~~~~~~~
02/07-08:11:34.803555 [**] [1:579:11] RPC portmap mountd request UDP [**] [Classification: Decode of an RPC Query] [Priority: 2] {UDP} 192.168.1.22:807 -> 192.168.1.11:111
02/07-08:11:34.803555 [**] [1:89011:1] FW validate - invalid SRC UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.22:807 -> 192.168.1.11:111
02/07-08:11:34.803849 [**] [1:89013:1] FW validate - invalid DST UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.11:111 -> 192.168.1.22:807
02/07-08:11:34.804600 [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:808 -> 192.168.1.11:58535
02/07-08:11:34.804758 [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:58535 -> 192.168.1.22:808
02/07-08:11:34.804803 [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:808 -> 192.168.1.11:58535
02/07-08:11:34.804955 [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:58535 -> 192.168.1.22:808
02/07-08:11:34.805001 [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:808 -> 192.168.1.11:58535
02/07-08:11:34.805151 [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:58535 -> 192.168.1.22:808
02/07-08:11:34.805803 [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:58535 -> 192.168.1.22:808
02/07-08:11:34.805848 [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:808 -> 192.168.1.11:58535
02/07-08:11:34.807006 [**] [1:1959:9] RPC portmap NFS request UDP [**] [Classification: Decode of an RPC Query] [Priority: 2] {UDP} 192.168.1.22:809 -> 192.168.1.11:111
02/07-08:11:34.807006 [**] [1:89011:1] FW validate - invalid SRC UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.22:809 -> 192.168.1.11:111
02/07-08:11:34.807308 [**] [1:89013:1] FW validate - invalid DST UDP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.11:111 -> 192.168.1.22:809
02/07-08:11:34.807993 [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:810 -> 192.168.1.11:2049
02/07-08:11:34.808099 [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:2049 -> 192.168.1.22:810
02/07-08:11:34.808212 [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:810 -> 192.168.1.11:2049
02/07-08:11:34.808329 [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:2049 -> 192.168.1.22:810
02/07-08:11:34.808422 [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:810 -> 192.168.1.11:2049
02/07-08:11:34.808547 [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:2049 -> 192.168.1.22:810
02/07-08:11:34.808554 [**] [1:89014:1] FW validate - invalid DST TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.11:2049 -> 192.168.1.22:810
02/07-08:11:34.808749 [**] [1:89012:1] FW validate - invalid SRC TCP port for ORANGE AIX [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.1.22:810 -> 192.168.1.11:2049
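The behaviour Rob describes (the "invalid port" rule firing on the first packet of each UDP portmapper exchange and never again) is exactly what a flowbits checker sees when it is evaluated before the setter on the same packet. The following Python model is an added example, not part of the post and not Snort's code: it keeps per-flow flowbit state across packets, applies rules in whatever order the caller supplies, and replays the UDP portmapper packets from the posted logs (constructed here from the log addresses) against sids 88001/88002 and 89011/89013. The rule order is an explicit input of the model; it does not claim to reproduce how Snort's detection engine actually orders rules, only to show why the order between setter and checker decides whether packet one alerts.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed to mirror the vars in the post (not Snort's own code).
ORANGE_AIX = "192.168.1.22"
GREEN_AIX = "192.168.1.11"
ALL_AIX = {GREEN_AIX, ORANGE_AIX}
AIX_ROOT_RESV = set(range(1, 1024))                       # ACME_PORTS_AIX_ROOT_RESV
ORANGE_AIX_PORTS = ({22, 23, 111, 2049, 5943, 5432, 7950, 8000, 8080, 8380}
                    | set(range(58535, 65536)))           # ACME_PORTS_ORANGEAIX


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def flow_key(self) -> Tuple:
        # Direction-independent key so both halves of a conversation share flowbits.
        ends = sorted([(self.src, self.sport), (self.dst, self.dport)])
        return (self.proto, ends[0], ends[1])


@dataclass(frozen=True)
class Rule:
    sid: int
    header: Callable[[Packet], bool]      # proto/host/port match
    set_bit: Optional[str] = None         # flowbits:set,<name>
    isnotset_bit: Optional[str] = None    # flowbits:isnotset,<name>
    noalert: bool = False                 # flowbits:noalert


def evaluate(packets: List[Packet], rules: List[Rule]) -> List[Tuple[int, int]]:
    """Apply rules to each packet in the given order; return (packet_index, sid) alerts.

    Flowbit state is kept per flow and persists across packets, so a bit set while
    processing packet N is visible to every rule on packet N+1. Within one packet,
    only rules evaluated after the setter can see the bit."""
    flow_bits: Dict[Tuple, Set[str]] = defaultdict(set)
    alerts: List[Tuple[int, int]] = []
    for idx, pkt in enumerate(packets):
        bits = flow_bits[pkt.flow_key()]
        for rule in rules:
            if not rule.header(pkt):
                continue
            if rule.isnotset_bit is not None and rule.isnotset_bit in bits:
                continue                      # flowbits:isnotset failed, rule does not fire
            if rule.set_bit is not None:
                bits.add(rule.set_bit)        # flowbits:set
            if not rule.noalert:
                alerts.append((idx, rule.sid))
    return alerts


# sid 88001/88002: UDP portmapper in both directions, set acme_noalert, never alert.
SETTERS = [
    Rule(88001, lambda p: p.proto == "udp" and p.src in ALL_AIX and p.sport in AIX_ROOT_RESV
         and p.dst in ALL_AIX and p.dport == 111,
         set_bit="acme_noalert", noalert=True),
    Rule(88002, lambda p: p.proto == "udp" and p.src in ALL_AIX and p.sport == 111
         and p.dst in ALL_AIX and p.dport in AIX_ROOT_RESV,
         set_bit="acme_noalert", noalert=True),
]

# sid 89011/89013: ORANGE AIX using a port outside ACME_PORTS_ORANGEAIX, unless the bit is set.
CHECKERS = [
    Rule(89011, lambda p: p.proto == "udp" and p.src == ORANGE_AIX and p.sport not in ORANGE_AIX_PORTS,
         isnotset_bit="acme_noalert"),
    Rule(89013, lambda p: p.proto == "udp" and p.dst == ORANGE_AIX and p.dport not in ORANGE_AIX_PORTS,
         isnotset_bit="acme_noalert"),
]

# Constructed packets matching the UDP portmapper exchanges in the posted logs.
PACKETS = [
    Packet("udp", ORANGE_AIX, 807, GREEN_AIX, 111),
    Packet("udp", GREEN_AIX, 111, ORANGE_AIX, 807),
    Packet("udp", ORANGE_AIX, 809, GREEN_AIX, 111),
    Packet("udp", GREEN_AIX, 111, ORANGE_AIX, 809),
]

SCENARIOS = {
    "checkers_first": CHECKERS + SETTERS,   # verify rules evaluated before the setter
    "setters_first": SETTERS + CHECKERS,    # setter evaluated before the verify rules
    "no_noalert_rules": CHECKERS,           # acme-noalert.rules not included at all
}


def run_scenario(name: str) -> List[Tuple[int, int]]:
    """Replay PACKETS under one of the rule orders above."""
    return evaluate(PACKETS, SCENARIOS[name])


if __name__ == "__main__":
    for name in SCENARIOS:
        print(f"{name:18s} -> {run_scenario(name)}")
```

The "checkers_first" run reproduces the UDP portion of the "WITH acme-noalert.rules" log (sid 89011 on packets from ports 807 and 809, sid 89013 never, because the reply arrives after the bit is set), and "no_noalert_rules" reproduces the four UDP alerts of the "WITHOUT" log; only "setters_first" is fully quiet. The model is deliberately order-agnostic so the same code can be pointed at a different rule order or packet sequence when checking a flowbits design before deploying it.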
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Snort Users - Flowbits and rule ordering Leach, Rob M (NAM E) (Feb 09)