Snort mailing list archives

A question in regards to rules, ACK and flow.


From: Jeremy Hoel <jthoel () gmail com>
Date: Thu, 5 Dec 2013 00:55:28 +0000

Background - We have a snort sensor (IDS mode) sitting off a span port
on a switch that then goes to a Sourcefire and then outbound to the
internet.  Both the snort and the SF run the same set of VRT rules and
have configs with the same port definitions, but the SF is inline and
in blocking mode.

Today the SF picked up on sid:28538 "MALWARE-CNC Win.Trojan.Asprox
variant connection attempt". Only the SF picked up on it and dropped
it (as per the rule) but the snort sensor didn't. The rule exists on
the snort server and is enabled.

Looking at traffic that was captured on the snort sensor, you can see
the outbound data that the rule would pick up on
('Content-Disposition: form-data; name="key"; filename="key.bin"',
'Content-Type: multipart/form-data; boundary='  and the POST) but
there is never any ACK for the sent packet (beyond the handshake) from
the destination (since the SF is blocking it). If the packets are just
sent out, but no ACK is received, does snort not trigger on it since
it really can't complete a flow?

community.rules:# alert tcp $HOME_NET any -> $EXTERNAL_NET
[$HTTP_PORTS,443] (msg:"MALWARE-CNC Win.Trojan.Asprox variant
connection attempt"; flow:to_server,established; content:"User-Agent:
Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:23.0) Gecko/20100101
Firefox/23.0"; content:"Content-Disposition: form-data|3B|
name=|22|key|22 3B| filename=|22|key.bin|22|"; fast_pattern:only;
content:"Content-Disposition: form-data|3B| name=|22|data|22 3B|
filename=|22|data.bin|22|"; content:"Content-Type:
multipart/form-data|3B| boundary="; pcre:"/POST\s\/[A-F0-9]{42}\s/";
metadata:impact_flag red, policy security-ips drop, ruleset community,
service http; reference:url,stopmalvertising.com/malware-reports/analysis-of-asprox-and-its-new-encryption-scheme.html;
classtype:trojan-activity; sid:28538; rev:1;)
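An added example, not from the original post or from the Snort project: a small Python check that decodes the |XX| hex escapes in the content options of sid:28538 as quoted above and applies every content and the pcre to a constructed client payload. It deliberately ignores flow: state, fast_pattern and Snort's HTTP normalization, so it shows only what a fully reassembled POST must contain for the rule's match options to succeed.

```python
import re

# Content patterns copied from sid:28538 as quoted in the post; |XX| is
# Snort's notation for a raw byte given in hex inside a content string.
RULE_CONTENTS = [
    "User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:23.0) Gecko/20100101 Firefox/23.0",
    "Content-Disposition: form-data|3B| name=|22|key|22 3B| filename=|22|key.bin|22|",
    "Content-Disposition: form-data|3B| name=|22|data|22 3B| filename=|22|data.bin|22|",
    "Content-Type: multipart/form-data|3B| boundary=",
]
# The rule's pcre option, as a byte regex.
RULE_PCRE = re.compile(rb"POST\s/[A-F0-9]{42}\s")


def snort_content_to_bytes(pattern: str) -> bytes:
    """Decode a Snort content string: text outside |...| is literal,
    hex pairs inside |...| become raw bytes (e.g. |22 3B| -> b'";')."""
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")
        else:
            out += bytes.fromhex(chunk)
    return bytes(out)


def rule_matches(payload: bytes) -> bool:
    """True when every content option and the pcre of sid:28538 are found
    in the client-to-server payload (flow: and fast_pattern not modelled)."""
    contents_ok = all(snort_content_to_bytes(c) in payload for c in RULE_CONTENTS)
    return contents_ok and RULE_PCRE.search(payload) is not None


# Constructed sample request for testing the match logic; the 42-character
# hex path and the field names follow the rule, the host is a placeholder.
SAMPLE_POST = (
    b"POST /" + b"A" * 42 + b" HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0\r\n"
    b"Content-Type: multipart/form-data; boundary=----xyz\r\n\r\n"
    b"------xyz\r\n"
    b'Content-Disposition: form-data; name="key"; filename="key.bin"\r\n\r\n'
    b"k\r\n------xyz\r\n"
    b'Content-Disposition: form-data; name="data"; filename="data.bin"\r\n\r\n'
    b"d\r\n------xyz--\r\n"
)

if __name__ == "__main__":
    print("full POST matches:", rule_matches(SAMPLE_POST))
    # Only the first segment (request line and a few headers) seen: no match.
    print("first 120 bytes match:", rule_matches(SAMPLE_POST[:120]))
```

The second call illustrates why the body parts must be present in whatever buffer Snort evaluates: the request line alone satisfies the pcre but none of the Content-Disposition contents.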

