Snort mailing list archives
A question on flows with pcaps
From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 08 Aug 2012 10:57:26 -0600
Hey all,

So...I saw this rule posted this morning:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Specific JavaScript Replace hwehes - 8th August 2012"; flow:established,to_client; file_data; content:".replace(/hwehes/g"; fast_pattern:only; classtype:trojan-activity; sid:139994; rev:1;)

I have a packet capture that I wanted to test the above on:

1 2012-08-08 09:15:00.775111 10.21.0.9 -> 96.126.109.182 TCP 74 35498 > 80 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=145666377 TSecr=0 WS=16
2 2012-08-08 09:15:00.846374 96.126.109.182 -> 10.21.0.9 TCP 74 80 > 35498 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1380 SACK_PERM=1 TSval=78463678 TSecr=145666377 WS=64
3 2012-08-08 09:15:00.846403 10.21.0.9 -> 96.126.109.182 TCP 66 35498 > 80 [ACK] Seq=1 Ack=1 Win=14608 Len=0 TSval=145666395 TSecr=78463678
4 2012-08-08 09:15:00.846525 10.21.0.9 -> 96.126.109.182 HTTP 276 GET /tid6mian.php?q=141afc4be54689c9 HTTP/1.1
5 2012-08-08 09:15:00.917513 96.126.109.182 -> 10.21.0.9 TCP 66 80 > 35498 [ACK] Seq=1 Ack=211 Win=15552 Len=0 TSval=78463750 TSecr=145666395
6 2012-08-08 09:15:01.880144 96.126.109.182 -> 10.21.0.9 TCP 1561 [TCP segment of a reassembled PDU]
7 2012-08-08 09:15:01.880171 10.21.0.9 -> 96.126.109.182 TCP 66 35498 > 80 [ACK] Seq=211 Ack=1496 Win=17600 Len=0 TSval=145666654 TSecr=78464712
8 2012-08-08 09:15:01.880251 96.126.109.182 -> 10.21.0.9 TCP 1521 [TCP segment of a reassembled PDU]
<a lot more ACK's>
113 2012-08-08 09:15:02.278602 96.126.109.182 -> 10.21.0.9 HTTP 775 HTTP/1.1 200 OK (text/html)
114 2012-08-08 09:15:02.278611 10.21.0.9 -> 96.126.109.182 TCP 66 35498 > 80 [ACK] Seq=211 Ack=90560 Win=68640 Len=0 TSval=145666753 TSecr=78465110
115 2012-08-08 09:15:02.279393 10.21.0.9 -> 96.126.109.182 TCP 66 35498 > 80 [FIN, ACK] Seq=211 Ack=90560 Win=68640 Len=0 TSval=145666754 TSecr=78465110
116 2012-08-08 09:15:02.350151 96.126.109.182 -> 10.21.0.9 TCP 66 80 > 35498 [FIN, ACK] Seq=90560 Ack=212 Win=15552 Len=0 TSval=78465182 TSecr=145666754
117 2012-08-08 09:15:02.350174 10.21.0.9 -> 96.126.109.182 TCP 66 35498 > 80 [ACK] Seq=212 Ack=90561 Win=68640 Len=0 TSval=145666771 TSecr=78465182

I basically packet captured a wget of the above link. Now...when I test this against this rule, it doesn't fire...UNLESS I remove the flow:established,to_client. Is there a reason I have to do that? My home and not home net settings below:

ipvar HOME_NET [10.0.0.0/8]
ipvar EXTERNAL_NET !$HOME_NET

Thanks for any assistance.

James
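Added example, not part of the thread: a small Python check of the two preconditions the rule's flow keyword imposes, run over a constructed subset of the tshark summary lines quoted above. It tracks the three-way handshake to decide when the session counts as established and which side is the client, then tests each HTTP packet against the header ($EXTERNAL_NET on an HTTP port -> $HOME_NET, with the HOME_NET value from the post) and against to_client. Snort's stream and HTTP preprocessing are not modelled; the script only tells you whether the capture satisfies the direction and handshake requirements in principle.

```python
import re
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("10.0.0.0/8")   # ipvar HOME_NET from the post; EXTERNAL_NET is its complement

# Constructed sample in the tshark summary format quoted in the post: handshake,
# request and server response (the ACK-only packets in between are omitted).
SAMPLE = """\
1 2012-08-08 09:15:00.775111 10.21.0.9 -> 96.126.109.182 TCP 74 35498 > 80 [SYN] Seq=0 Win=14600 Len=0
2 2012-08-08 09:15:00.846374 96.126.109.182 -> 10.21.0.9 TCP 74 80 > 35498 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0
3 2012-08-08 09:15:00.846403 10.21.0.9 -> 96.126.109.182 TCP 66 35498 > 80 [ACK] Seq=1 Ack=1 Win=14608 Len=0
4 2012-08-08 09:15:00.846525 10.21.0.9 -> 96.126.109.182 HTTP 276 GET /tid6mian.php?q=141afc4be54689c9 HTTP/1.1
113 2012-08-08 09:15:02.278602 96.126.109.182 -> 10.21.0.9 HTTP 775 HTTP/1.1 200 OK (text/html)
"""

LINE_RE = re.compile(r"^(\d+) \S+ \S+ (\S+) -> (\S+) (TCP|HTTP) \d+ (.*)$")
FLAGS_RE = re.compile(r"\[([A-Z, ]+)\]")
PORTS_RE = re.compile(r"^(\d+) > (\d+)")


def flow_matches(summary: str, http_ports=(80,)) -> list:
    """Return numbers of HTTP packets that satisfy the rule header
    'tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any' plus
    flow:established,to_client, tracking the handshake like a stream preprocessor."""
    flow = {"client": None, "server": None, "sport": None, "state": "none"}
    hits = []
    for line in summary.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        num, src, dst, proto, rest = m.groups()
        f = FLAGS_RE.search(rest)
        flags = {x.strip() for x in f.group(1).split(",")} if f else set()
        p = PORTS_RE.match(rest)
        # Handshake state machine: none -> syn -> synack -> established
        if flow["state"] == "none" and flags == {"SYN"} and p:
            flow.update(client=src, server=dst, sport=int(p.group(2)), state="syn")
        elif flow["state"] == "syn" and flags == {"SYN", "ACK"} and src == flow["server"]:
            flow["state"] = "synack"
        elif flow["state"] == "synack" and "ACK" in flags and src == flow["client"]:
            flow["state"] = "established"
        # Header: source outside HOME_NET on an HTTP port, destination inside HOME_NET
        header_ok = (ip_address(src) not in HOME_NET and ip_address(dst) in HOME_NET
                     and src == flow["server"] and flow["sport"] in http_ports)
        to_client = flow["state"] == "established" and dst == flow["client"]
        if proto == "HTTP" and header_ok and to_client:
            hits.append(int(num))
    return hits
```

For the quoted capture the 200 OK (packet 113) passes both checks, while a capture that starts after the handshake yields no match at all, which is the usual reason an established-only rule stays silent on a trimmed pcap.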
Current thread:
- A question on flows with pcaps James Lay (Aug 08)
- Re: A question on flows with pcaps Will Metcalf (Aug 08)
- Re: A question on flows with pcaps James Lay (Aug 08)
- Re: A question on flows with pcaps Will Metcalf (Aug 08)