Snort mailing list archives
Abnormal JPEG file detection rule
From: "demantos(Cho Hoon)" <demantos () gmail com>
Date: Tue, 21 Mar 2017 09:55:23 +0900
Hello,

I want to detect normal/abnormal JPEG files, so I wrote rules to detect abnormal JPEG files like below.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"JPEG response detected - Header"; content:"|FF D8 FF E0|"; offset:0; gid:1; sid:10000002; rev:001;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"JPEG response detected - Footer"; content:"|FF D8 FF E0|"; byte_jump:0, 0, from_end, post_offset -2; content:"|FF D9|"; distance:0; within:2; gid:1; sid:10000003; rev:001;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Abnormal JPEG response detected"; content:"|FF D8 FF E0|"; byte_jump:0, 0, from_end, post_offset -2; content:!"|FF D9|"; distance:0; within:2; gid:1; sid:10000004; rev:001;)

These rules do not work well. As you know, these rules match the JPEG header/footer pattern (content) against each fragmented packet. So I tried using the stream_reassemble and flowbits options. I read https://www.snort.org/faq/readme-stream5, but the stream5 preprocessor limits the reassembled packet size (paf_max: 63780 bytes). Anyway, I wrote rules like below.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"JPEG response detected - Header"; flow:established; content:"|FF D8 FF E0|"; offset:0; flowbits:set,jpeg_detect; flowbits:noalert; stream_reassemble:enable,both; gid:1; sid:10000005; rev:001;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"JPEG response detected - Footer"; flow:established; byte_jump:0,0,from_end,post_offset -2; content:"|FF D9|"; distance:0; within:2; flowbits:isset,jpeg_detect; stream_reassemble:enable,both; gid:1; sid:10000006; rev:001;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Abnormal JPEG response detected"; flow:established; byte_jump:0,0,from_end,post_offset -2; content:!"|FF D9|"; distance:0; within:2; flowbits:isset,jpeg_detect; stream_reassemble:enable,both; gid:1; sid:10000007; rev:001;)

*** normal JPEG file detection log ***

03/20-17:52:37.813831 [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
03/20-17:52:37.815236 [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
03/20-17:52:37.815265 [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
03/20-17:52:37.815291 [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
...[snip]...
03/20-17:52:37.819399 [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
03/20-17:52:37.819434 [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
03/20-17:52:37.819468 [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199
03/20-17:52:37.819496 [**] [1:10000006:1] JPEG response detected - Footer [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57199

*** abnormal JPEG file detection log ***

03/20-17:53:46.793983 [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
03/20-17:53:46.795683 [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
03/20-17:53:46.795720 [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
03/20-17:53:46.795757 [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
...[snip]...
03/20-17:53:46.796195 [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
03/20-17:53:46.796233 [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
03/20-17:53:46.796271 [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202
03/20-17:53:46.796308 [**] [1:10000007:1] Abnormal JPEG response detected [**] [Priority: 0] {TCP} 192.168.11.13:80 -> 10.10.10.238:57202

These rules detect each fragmented packet, but I want to alert on the last detection. Can anyone advise me?

Regards

Social being determines social consciousness, rather than social consciousness determines social being - Karl Marx
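The logs above show why the per-packet footer test fires on every segment: `|FF D9|` is only at the end of the final segment, so every earlier segment satisfies `content:!"|FF D9|"`. The script below is an added example (not code from the post, and not Snort) that models the check the poster is after against a reassembled body: decide once, when the stream ends, rather than once per segment, and validate the marker structure in between instead of only the first and last bytes. It assumes the response body is already available in full (for example extracted from a capture); the sample JPEG bodies are constructed by hand and are not real files. The header test is generalised from the post's `|FF D8 FF E0|` to SOI followed by any APPn marker (FF E0 JFIF, FF E1 Exif, ...).

```python
"""Whole-object JPEG check modelled on the posted Snort rules.

Added example, not from the original post or from Snort. The rules in the
post evaluate |FF D8 FF E0| and |FF D9| per TCP segment; this buffers the
reassembled body and gives one verdict at end of stream, which is the single
"last detection" alert the poster wants. Sample bodies are constructed."""

import struct

SOI = b"\xff\xd8"   # start of image
EOI = b"\xff\xd9"   # end of image
SOS = 0xDA          # start of scan: entropy-coded data follows until EOI


def jpeg_header_ok(data: bytes) -> bool:
    """Header test generalised from the post: SOI followed by any APPn
    marker (FF E0 .. FF EF), not only FF E0 (JFIF)."""
    return (len(data) >= 4 and data[:2] == SOI
            and data[2] == 0xFF and 0xE0 <= data[3] <= 0xEF)


def walk_segments(data: bytes):
    """Yield (marker, declared_length) for each length-prefixed marker
    segment after SOI, stopping at SOS. Raises ValueError when a declared
    length runs past the available data, i.e. a truncated header section."""
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker byte at offset {pos}")
        marker = data[pos + 1]
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if pos + 2 + seg_len > len(data):
            raise ValueError(f"segment FF {marker:02X} declares {seg_len} "
                             f"bytes past end of data")
        yield marker, seg_len
        pos += 2 + seg_len
        if marker == SOS:
            return   # scan data follows; no more length-prefixed segments


def classify_jpeg(data: bytes) -> str:
    """Return 'not-jpeg', 'truncated' or 'normal' for a whole body."""
    if not jpeg_header_ok(data):
        return "not-jpeg"
    try:
        list(walk_segments(data))
    except ValueError:
        return "truncated"
    # Same test as the posted footer rule, but over the whole body.
    return "normal" if data.endswith(EOI) else "truncated"


def classify_stream(segments):
    """Accumulate TCP-sized segments and return two things: what a
    per-segment footer test sees on each segment (True when FF D9 ends the
    segment) and the single end-of-stream verdict."""
    buf = b""
    per_segment = []
    for seg in segments:
        buf += seg
        per_segment.append(buf.endswith(EOI))
    return per_segment, classify_jpeg(buf)


def build_sample(with_eoi: bool = True) -> bytes:
    """Constructed minimal body: SOI, APP0 (JFIF), SOS, fake scan data, EOI."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"   # 14-byte payload
    sos = b"\x01\x01\x00\x00\x3f\x00"                        # 6-byte payload
    body = SOI
    body += b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
    body += b"\xff" + bytes([SOS]) + struct.pack(">H", len(sos) + 2) + sos
    body += b"\x12\x34\x56\x78"   # constructed stand-in for scan data
    if with_eoi:
        body += EOI
    return body


if __name__ == "__main__":
    body = build_sample()
    chunks = [body[i:i + 10] for i in range(0, len(body), 10)]
    per_seg, verdict = classify_stream(chunks)
    print("per-segment footer seen:", per_seg)   # only the last is True
    print("end-of-stream verdict:  ", verdict)
    print("truncated body:         ", classify_jpeg(build_sample(False)))
```

The per-segment list reproduces the pattern in the logs (every segment but the last lacks the footer), while the end-of-stream verdict is the one decision worth alerting on. The segment walk catches a second kind of abnormal file the footer test alone misses: a body whose declared segment lengths run past the data it actually carries.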
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort! Visit Snort.org to subscribe to the official Snort ruleset; make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
Current thread:
- Abnormal JPEG file detection rule demantos(Cho Hoon) (Mar 20)
- Re: Abnormal JPEG file detection rule Jim McKibben (Mar 21)
- Re: Abnormal JPEG file detection rule rmkml (Mar 21)
- Re: Abnormal JPEG file detection rule Jim McKibben (Mar 21)