Snort mailing list archives
Re: Payload not fitting rule content detection on snort + snorby
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 7 Sep 2015 16:09:54 +0000
The "file_data;" keyword in the rule tells me that the rule is looking for that content in the attachment to the email itself.

--
Joel Esler
Manager, Threat Intelligence and Open Source
Talos Group

Sent from my iPhone

On Sep 7, 2015, at 3:49 AM, Txalin <txalin () gmail com> wrote:

First of all let me say hi to this mailing list as this is my first message here :) and quickly introduce myself: I'm a Spanish security freak now dealing with Snort + tons of other things and tools.

Right now I am running Snort v2.9.6.2 GRE + barnyard2 v2.1.13 build 327 + Snorby 2.6.2 with ET Pro, community and several custom rules, and I have detected several times a strange behavior in Snort. When one rule has been triggered, sometimes I find that the data in the payload field doesn't match the detection patterns in the rule. Let me show you an example:

# cat snort.rules | grep "MALWARE-TOOLS Win.Trojan.Dridex dropper message"
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-TOOLS Win.Trojan.Dridex dropper message"; flow:to_server,established; file_data; content:"X-mailer: Synapse - Pascal TCP/IP library by Lukas Gebauer"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/d56e7dea0e119f9a37f2cb7915c3aca0056064a8cc2bd373f2a9a8d97d548c43/analysis/; classtype:trojan-activity; sid:34945; rev:1;)

The payload shown on Snorby is:

Return-Path:.<envio.eletronico.cte () gmail com>
.Received:.from.[1.1.1.1].by.server.mailprovider.com.id.94/98-03819-BCE0AE55;.Fri,.04.Sep.2015.21:36:11.+0000
.X-Env-Sender:.envio.eletronico.cte () gmail com
.X-Msg-Ref:.server.mailprovider.com!1441402569!47224666!1
.X-Originating-IP:.[2.2.2.2]
.X-SpamReason:.No,.hits=0.0.required=7.0.tests=SUBJECT_EXCESS_QP
.X-StarScan-Received:
.X-StarScan-Version:.6.13.16;.banners=-,-,-
.X-VirusChecked:.Checked
.Received:.(qmail.1237.invoked.from.network);.4.Sep.2015.21:36:09.-0000
.Received:.from.mail-qk0-f172.google.com.(HELO.mail-qk0-f172.google.com).(2.2.2.2)
...by.server.mailprovider.com.with.RC4-SHA.encrypted.SMTP;.4.Sep.2015.21:36:09.-0000
.Received:.by.qkdv1.with.SMTP.id.v1so14169723qkd.0
.........for.<cte () onecompany com>;.Fri,.04.Sep.2015.14:36:09.-0700.(PDT)
.DKIM-Signature:.v=1;.a=rsa-sha256;.c=relaxed/relaxed;
.........d=gmail.com;.s=20120113;
.........h=message-id:from:to:subject:date:mime-version:reply-to:content-type
..........:content-description;
.........bh=vVNiQkcbDuIiHCOOoLSG5c8UydaAvY8BiM5JM7lmFt8=;
.........b=MP/tJcqgJ4tn5zaVJbis3NaM34oAsBVrcWfTz+F2jlBnLNpEl2sPFQkrLXGBOFjO8a
..........ns2w6shY+ySFWRQcR2D9lYdht0TK5CTWeXxsW0I3WURt+k7BGC8kQEvTipuQmsQ68C/g
..........xDuihRZt/j/qP0rKX7tnuiboWQxbEqEVYWpoPuGJUUiBVo/BNlgMwRaeScC/Ol+k6rPT
..........lWQvdEEdPfTcsRDDaTLxsPBqbM7Flmir06+4X9gbX/m0mDTArCmogEXgYUsV7kPdo1VC
..........li

As you can see in the payload, the pattern "X-mailer: Synapse - Pascal TCP/IP library by Lukas Gebauer" is not being shown in the payload, which makes me think of two possibilities:

a) Snorby is not showing all the payload data
b) Snort is not forwarding all the data to Snorby.

Did someone here find similar behavior? Any hints about the cause of it and how to fix it? I was looking for a configuration file where I can modify the payload size but I didn't find anything yet.

Kind regards.
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
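An added illustration, not from the thread or from the Snort project, of the point made in the reply: a rule whose content sits under file_data is matched against the decoded MIME attachment, not against the raw packet bytes a payload view like Snorby's displays. The SMTP message, addresses and attachment below are constructed; the rule content is the one from sid:34945 quoted above, and the file_data approximation (transfer-decoded bytes of each non-multipart MIME part) is an assumption for illustration.

```python
import base64
from email import message_from_bytes

# The content the quoted rule (sid:34945) looks for under file_data.
RULE_CONTENT = b"X-mailer: Synapse - Pascal TCP/IP library by Lukas Gebauer"

# Constructed sample attachment: a mail message carrying the X-mailer header.
# It travels base64-encoded, so the literal string never appears on the wire.
ATTACHMENT = (
    b"From: sender@example.invalid\r\n"
    b"X-mailer: Synapse - Pascal TCP/IP library by Lukas Gebauer\r\n"
    b"\r\n"
    b"constructed attachment body\r\n"
)

# Constructed sample of the raw DATA portion of an SMTP session, i.e. the
# bytes a packet-payload view would show.
RAW_SMTP_DATA = (
    b"From: sender@example.invalid\r\n"
    b"To: recipient@example.invalid\r\n"
    b"Subject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="BOUNDARY"\r\n'
    b"\r\n"
    b"--BOUNDARY\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"See attached.\r\n"
    b"--BOUNDARY\r\n"
    b'Content-Type: application/octet-stream; name="invoice.eml"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + base64.encodebytes(ATTACHMENT).replace(b"\n", b"\r\n")
    + b"--BOUNDARY--\r\n"
)

def raw_payload_match(raw: bytes, pattern: bytes) -> bool:
    """Search the raw packet bytes, as a payload view displays them."""
    return pattern in raw

def file_data_buffers(raw: bytes) -> list:
    """Approximate the SMTP file_data buffer: the transfer-decoded bytes of
    every non-multipart MIME part (the attachments), base64 undone."""
    msg = message_from_bytes(raw)
    return [p.get_payload(decode=True) for p in msg.walk() if not p.is_multipart()]

def file_data_match(raw: bytes, pattern: bytes) -> bool:
    """Match the way a 'file_data; content:...' rule option does."""
    return any(pattern in buf for buf in file_data_buffers(raw))

if __name__ == "__main__":
    print("raw payload:", raw_payload_match(RAW_SMTP_DATA, RULE_CONTENT))  # False
    print("file_data:  ", file_data_match(RAW_SMTP_DATA, RULE_CONTENT))    # True
```

The raw bytes never contain the pattern, only its base64 form, so a payload view cannot show it even though the rule fires on the decoded attachment.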