Snort mailing list archives

A question on flows with pcaps


From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 08 Aug 2012 10:57:26 -0600

Hey all,

So...I saw this rule posted this morning:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Specific JavaScript Replace hwehes - 8th August 2012"; flow:established,to_client; file_data; content:".replace(/hwehes/g"; fast_pattern:only; classtype:trojan-activity; sid:139994; rev:1;)

I have a packet capture that I wanted to test the above on:

   1 2012-08-08 09:15:00.775111    10.21.0.9 -> 96.126.109.182 TCP 74 
35498 > 80 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 
TSval=145666377 TSecr=0 WS=16
   2 2012-08-08 09:15:00.846374 96.126.109.182 -> 10.21.0.9    TCP 74 80 
35498 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1380 SACK_PERM=1 
TSval=78463678 TSecr=145666377 WS=64
   3 2012-08-08 09:15:00.846403    10.21.0.9 -> 96.126.109.182 TCP 66 
35498 > 80 [ACK] Seq=1 Ack=1 Win=14608 Len=0 TSval=145666395 
TSecr=78463678
   4 2012-08-08 09:15:00.846525    10.21.0.9 -> 96.126.109.182 HTTP 276 
GET /tid6mian.php?q=141afc4be54689c9 HTTP/1.1
   5 2012-08-08 09:15:00.917513 96.126.109.182 -> 10.21.0.9    TCP 66 80 
35498 [ACK] Seq=1 Ack=211 Win=15552 Len=0 TSval=78463750 
TSecr=145666395
   6 2012-08-08 09:15:01.880144 96.126.109.182 -> 10.21.0.9    TCP 1561 
[TCP segment of a reassembled PDU]
   7 2012-08-08 09:15:01.880171    10.21.0.9 -> 96.126.109.182 TCP 66 
35498 > 80 [ACK] Seq=211 Ack=1496 Win=17600 Len=0 TSval=145666654 
TSecr=78464712
   8 2012-08-08 09:15:01.880251 96.126.109.182 -> 10.21.0.9    TCP 1521 
[TCP segment of a reassembled PDU]
   <a lot more ACK's>
113 2012-08-08 09:15:02.278602 96.126.109.182 -> 10.21.0.9    HTTP 775 
HTTP/1.1 200 OK  (text/html)
114 2012-08-08 09:15:02.278611    10.21.0.9 -> 96.126.109.182 TCP 66 
35498 > 80 [ACK] Seq=211 Ack=90560 Win=68640 Len=0 TSval=145666753 
TSecr=78465110
115 2012-08-08 09:15:02.279393    10.21.0.9 -> 96.126.109.182 TCP 66 
35498 > 80 [FIN, ACK] Seq=211 Ack=90560 Win=68640 Len=0 TSval=145666754 
TSecr=78465110
116 2012-08-08 09:15:02.350151 96.126.109.182 -> 10.21.0.9    TCP 66 80 
35498 [FIN, ACK] Seq=90560 Ack=212 Win=15552 Len=0 TSval=78465182 
TSecr=145666754
117 2012-08-08 09:15:02.350174    10.21.0.9 -> 96.126.109.182 TCP 66 
35498 > 80 [ACK] Seq=212 Ack=90561 Win=68640 Len=0 TSval=145666771 
TSecr=78465182

I basically packet captured a wget of the above link.  Now...when I 
test this against this rule, it doesn't fire...UNLESS I remove the 
flow:established,to_client.  Is there a reason I have to do that?  My 
home and not home net settings are below:

ipvar HOME_NET [10.0.0.0/8]
ipvar EXTERNAL_NET !$HOME_NET

Thanks for any assistance.

James
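An added example, not part of the original post and not Snort project code: a small pure-Python checker for the two things a flow:established,to_client rule depends on when it is run over a pcap. Snort's stream tracker only marks a session established after it has seen a valid three-way handshake, and with the default checksum_mode Snort discards packets whose TCP checksum does not verify before any preprocessor sees them, which is exactly what a capture taken on the wget host looks like when the NIC does TX checksum offload. The script builds a constructed capture shaped like the one above (client and server addresses and ports are taken from the post; request, response body and timestamps are made up), verifies each TCP checksum, tracks the handshake, and reports whether the content would be seen in server-to-client data with and without the established requirement. It assumes Ethernet II / IPv4 frames and classic (non-pcapng) pcap.

```python
import struct
from socket import inet_aton, inet_ntoa

# Endpoints as they appear in the capture posted above; everything else is constructed.
CLIENT, CLIENT_PORT = "10.21.0.9", 35498
SERVER, SERVER_PORT = "96.126.109.182", 80
PATTERN = b".replace(/hwehes/g"          # the rule's content match

FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10


def ones_complement(data):
    """RFC 1071 checksum: fold the 16-bit one's-complement sum and invert it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_checksum(src, dst, segment):
    """Checksum over IPv4 pseudo-header + TCP segment; a stored checksum verifies when this is 0."""
    pseudo = inet_aton(src) + inet_aton(dst) + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement(pseudo + segment)


def build_frame(src, dst, sport, dport, flags, seq, ack, payload=b"", corrupt=False):
    """Ethernet II / IPv4 / TCP frame. corrupt=True mimics a capture taken on the sending host
    with TX checksum offload: the NIC would have fixed the checksum after the capture point."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    csum = tcp_checksum(src, dst, tcp)
    if corrupt:
        csum = (csum + 1) & 0xFFFF      # off by one: never verifies
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     inet_aton(src), inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ones_complement(ip)) + ip[12:]
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def write_pcap(frames):
    """Classic little-endian pcap, linktype 1 (Ethernet), one record per frame (constructed timestamps)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1344438900 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield the captured bytes of each record; handles both byte orders of the magic."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + caplen]
        off += caplen


def parse_tcp(frame):
    """Decode Ethernet II / IPv4 / TCP; returns None for anything else."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    src, dst = inet_ntoa(ip[12:16]), inet_ntoa(ip[16:20])
    seg = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", seg[:4])
    data_off = (seg[12] >> 4) * 4
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "flags": seg[13],
            "payload": seg[data_off:], "checksum_ok": tcp_checksum(src, dst, seg) == 0}


def analyze_flow(frames, client, server_port, pattern):
    """Track what flow:established needs: a handshake built only from packets whose TCP checksum
    verifies (Snort's default checksum_mode drops the rest before the stream tracker), plus the
    direction in which the content match is seen."""
    st = {"syn": False, "syn_ack": False, "handshake_complete": False,
          "bad_checksum": 0, "pattern_to_client": False, "pattern_to_server": False}
    for frame in frames:
        pkt = parse_tcp(frame)
        if pkt is None:
            continue
        if not pkt["checksum_ok"]:
            st["bad_checksum"] += 1
            continue
        to_server = pkt["src"] == client and pkt["dport"] == server_port
        f = pkt["flags"]
        if f & SYN and not f & ACK and to_server:
            st["syn"] = True
        elif f & SYN and f & ACK and not to_server and st["syn"]:
            st["syn_ack"] = True
        elif f & ACK and not f & SYN and to_server and st["syn_ack"]:
            st["handshake_complete"] = True
        if pattern in pkt["payload"]:
            st["pattern_to_server" if to_server else "pattern_to_client"] = True
    return st


def rule_would_fire(st, require_established=True):
    """Approximation of the posted rule: content in server->client data, optionally flow:established."""
    if require_established and not st["handshake_complete"]:
        return False
    return st["pattern_to_client"]


def sample_capture(offload_on_client=False):
    """Constructed capture shaped like the post's: SYN, SYN/ACK, ACK, GET, 200 OK with the pattern."""
    c = offload_on_client
    request = b"GET /tid6mian.php?q=141afc4be54689c9 HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
    body = b"<html><script>s=s.replace(/hwehes/g,'');</script></html>"   # constructed
    response = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + body
    frames = [
        build_frame(CLIENT, SERVER, CLIENT_PORT, SERVER_PORT, SYN, 0, 0, corrupt=c),
        build_frame(SERVER, CLIENT, SERVER_PORT, CLIENT_PORT, SYN | ACK, 0, 1),
        build_frame(CLIENT, SERVER, CLIENT_PORT, SERVER_PORT, ACK, 1, 1, corrupt=c),
        build_frame(CLIENT, SERVER, CLIENT_PORT, SERVER_PORT, PSH | ACK, 1, 1, request, corrupt=c),
        build_frame(SERVER, CLIENT, SERVER_PORT, CLIENT_PORT, PSH | ACK, 1, 1 + len(request), response),
    ]
    return write_pcap(frames)


if __name__ == "__main__":
    for label, pcap in (("clean capture", sample_capture()),
                        ("client-side checksum offload", sample_capture(True))):
        st = analyze_flow(read_pcap(pcap), CLIENT, SERVER_PORT, PATTERN)
        print(label, st)
        print("  with flow:established ->", rule_would_fire(st),
              "| without ->", rule_would_fire(st, require_established=False))
```

Run it and the second case reproduces the symptom in the post: the server's response still carries the content, so the rule matches once flow:established is removed, but the client's SYN and ACK never verify, so no established session exists for the rule to match against. To test a real capture instead, replace `sample_capture()` with the bytes of the pcap file; a non-zero bad_checksum count points at checksum offload on the capturing host, which Snort can be told to ignore for testing (checksum_mode) or which can be avoided by capturing on a different host than the one running wget.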
