Snort mailing list archives
A question in regards to rules, ACK and flow.
From: Jeremy Hoel <jthoel () gmail com>
Date: Thu, 5 Dec 2013 00:55:28 +0000
Background - We have a snort sensor (IDS mode) sitting off a span port on a switch that then goes to a Sourcefire and then outbound to the internet. Both the snort and the SF run the same set of VRT rules and have configs with the same port definitions, but the SF is inline and in blocking mode. Today the SF picked up on sid:28538 "MALWARE-CNC Win.Trojan.Asprox variant connection attempt". Only the SF picked up on it and dropped it (as per the rule) but the snort sensor didn't. The rule exists on the snort server and is enabled. Looking at traffic that was captured on the snort sensor, you can see the outbound data that the rule would pick up on ('Content-Disposition: form-data; name="key"; filename="key.bin"', 'Content-Type: multipart/form-data; boundary=' and the POST) but there is never any ACK for the sent packet (beyond the handshake) from the destination (since the SF is blocking it). If the packets are just sent out, but no ACK is received, does snort not trigger on it since it really can't complete a flow?
community.rules:# alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] (msg:"MALWARE-CNC Win.Trojan.Asprox variant connection attempt"; flow:to_server,established; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:23.0) Gecko/20100101 Firefox/23.0"; content:"Content-Disposition: form-data|3B| name=|22|key|22 3B| filename=|22|key.bin|22|"; fast_pattern:only; content:"Content-Disposition: form-data|3B| name=|22|data|22 3B| filename=|22|data.bin|22|"; content:"Content-Type: multipart/form-data|3B| boundary="; pcre:"/POST\s\/[A-F0-9]{42}\s/"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,stopmalvertising.com/malware-reports/analysis-of-asprox-and-its-new-encryption-scheme.html; classtype:trojan-activity; sid:28538; rev:1;)
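To see what the payload side of sid:28538 actually requires of the captured POST, here is an added example (not from the post or from Snort) that decodes the rule's content: options, including the |3B| / |22 3B| hex escapes, and applies them together with the pcre to a constructed request. It models only the content and pcre conditions; the flow:to_server,established test depends on the stream preprocessor's session state, which is the part the question is about and is not reproduced here. The sample request and its 42-hex-character URI are constructed for the test.

```python
import re

# Payload options copied from sid:28538 as quoted in the post.
# flow:to_server,established is a stream-state condition and is not modelled.
RULE_CONTENTS = [
    "User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:23.0) Gecko/20100101 Firefox/23.0",
    "Content-Disposition: form-data|3B| name=|22|key|22 3B| filename=|22|key.bin|22|",
    "Content-Disposition: form-data|3B| name=|22|data|22 3B| filename=|22|data.bin|22|",
    "Content-Type: multipart/form-data|3B| boundary=",
]
RULE_PCRE = rb"POST\s\/[A-F0-9]{42}\s"


def decode_content(option: str) -> bytes:
    """Decode a Snort content: string: text outside |...| is literal, text
    inside is space-separated hex bytes, so |22 3B| becomes b'";'."""
    out = bytearray()
    for i, part in enumerate(option.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")
        else:
            out += bytes.fromhex(part.replace(" ", ""))
    return bytes(out)


def payload_matches(payload: bytes) -> bool:
    """Every content: option must be found (no distance/within modifiers, so
    each is an independent search of the whole payload) and the pcre must hit."""
    if not all(decode_content(c) in payload for c in RULE_CONTENTS):
        return False
    return re.search(RULE_PCRE, payload) is not None


# Constructed sample client request (not captured traffic); URI is 42 uppercase hex chars.
SAMPLE_URI = "A1" * 21
SAMPLE_POST = (
    f"POST /{SAMPLE_URI} HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0\r\n"
    "Content-Type: multipart/form-data; boundary=----b\r\n\r\n"
    '------b\r\nContent-Disposition: form-data; name="key"; filename="key.bin"\r\n\r\nK\r\n'
    '------b\r\nContent-Disposition: form-data; name="data"; filename="data.bin"\r\n\r\nD\r\n'
    "------b--\r\n"
).encode()

if __name__ == "__main__":
    print("full request matches:", payload_matches(SAMPLE_POST))
    # Dropping the data.bin part fails, because all four content: options are ANDed.
    print("without data.bin:", payload_matches(SAMPLE_POST.replace(b"data.bin", b"x.bin")))
    # A 41-character URI fails the pcre's exact {42} count.
    print("short URI:", payload_matches(SAMPLE_POST.replace(SAMPLE_URI.encode(), b"A1" * 20 + b"A")))
```

Because the payload conditions are satisfied by the client's data alone, a miss on the sensor points at the stream-state side of the rule (or at reassembly and flushing), not at the content matches.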