Snort mailing list archives
Re: help with flow:established
From: Felix Erlacher <felix.erlacher () uibk ac at>
Date: Mon, 9 Jan 2017 16:30:11 +0100
Thanks Albert for pointing that out. I did not know the "-k none" switch, this solved my issue.

Just another thought: couldn't this be exploited by an attacker by using bad checksums in an attack? Or is it then the victim's/receiver's fault, because it is his (or his server's) duty to check the checksums...

On 09/01/17 16:15, Al Lewis (allewi) wrote:
> That sounds like correct behavior. If one of the packets needed to establish the session has a bad checksum it is ignored (if you don't have the -k none added when running snort).
>
> Albert Lewis
> ENGINEER.SOFTWARE ENGINEERING
> SOURCEfire, Inc. now part of Cisco
> Email: allewi () cisco com
>
> On 1/9/17, 9:55 AM, "Felix Erlacher" <felix.erlacher () uibk ac at> wrote:
>> Hi all,
>>
>> I encountered a strange behavior in snort 2.9.9.0. I wanted to trigger rule with sid:2010054 from the current emerging-threat ruleset (emerging-all.rules)[1].
>>
>> I created a very simple traffic dump with an ARP request/response, TCP 3 way handshake and an HTTP GET request containing the content the rule is looking for, and a 404 answer from my http server. If I run snort with only this rule no alarm is triggered.
>>
>> Now, if I remove the option "established" from the "flow:" keyword, leaving only "flow:to_server" left in the rule, then snort triggers an alarm for this rule.
>>
>> There is only one thing that imho could be blamed for this behavior: the second segment in the tcp 3whs coming from the server has a wrong tcp checksum. Is it possible that the preprocessor (and thus snort) does not consider a TCP connection "established" if there is a checksum error in the 3whs?
>>
>> [1] alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely TDSS Download (codec.exe)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/codec.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/2010054; classtype:trojan-activity; sid:2010054; rev:6;)
>>
>> --
>> Felix Erlacher
>> Key-ID:4EAC0959

--
Felix Erlacher
Key-ID:4EAC0959
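An added checker, not code from the thread or from Snort itself, that verifies each segment of an IPv4 three-way handshake with the standard TCP checksum (RFC 1071 one's-complement sum over the pseudo-header and segment), which is the check Snort applies unless it is run with "-k none"; it shows which packet of a capture is dropped before the session can count as established. The addresses, ports, sequence numbers and the deliberately corrupted SYN/ACK are constructed for the example.

```python
import struct

SYN, ACK = 0x02, 0x10
CLIENT_IP = bytes([10, 0, 0, 1])  # constructed addresses for the sample handshake
SERVER_IP = bytes([10, 0, 0, 2])

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by IP/TCP/UDP checksums (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header: src, dst, zero byte, protocol 6 (TCP), TCP length."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, 6, tcp_len)

def tcp_checksum(src_ip, dst_ip, segment):
    """Value for the checksum field; 'segment' must carry 0 in that field."""
    return (~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)) & 0xFFFF

def tcp_checksum_ok(src_ip, dst_ip, segment):
    """A received segment verifies when the sum, checksum field included, is all ones."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF

def tcp_header(src_ip, dst_ip, sport, dport, seq, ack, flags, corrupt=False):
    """20-byte TCP header without options; corrupt=True flips a bit in the checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    chk = tcp_checksum(src_ip, dst_ip, hdr)
    if corrupt:
        chk ^= 0x0100  # any mask other than 0xFFFF guarantees a bad checksum
    return hdr[:16] + struct.pack("!H", chk) + hdr[18:]

def audit_handshake(packets):
    """packets: [(label, src_ip, dst_ip, tcp_segment)] -> [(label, checksum_ok)]."""
    return [(label, tcp_checksum_ok(s, d, seg)) for label, s, d, seg in packets]

def session_would_establish(packets):
    """Without -k none Snort ignores bad-checksum packets, so the 3WHS never completes."""
    return all(ok for _, ok in audit_handshake(packets))

# Constructed handshake mirroring the thread: the server's SYN/ACK has a bad checksum.
SAMPLE_HANDSHAKE = [
    ("SYN", CLIENT_IP, SERVER_IP, tcp_header(CLIENT_IP, SERVER_IP, 40000, 80, 1000, 0, SYN)),
    ("SYN/ACK", SERVER_IP, CLIENT_IP, tcp_header(SERVER_IP, CLIENT_IP, 80, 40000, 5000, 1001, SYN | ACK, corrupt=True)),
    ("ACK", CLIENT_IP, SERVER_IP, tcp_header(CLIENT_IP, SERVER_IP, 40000, 80, 1001, 5001, ACK)),
]
```

Running audit_handshake(SAMPLE_HANDSHAKE) flags only the SYN/ACK, which is exactly the situation the thread describes: the rule's flow:established never matches until that packet is repaired in the capture or checksum verification is disabled with -k none.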