Snort mailing list archives

Guidance on Creating Sequential SNORT Rules for Replay Attack Detection


From: Geriot Polenz via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 20 Sep 2023 15:27:19 +0200

Dear SNORT Community,

I'm currently working on enhancing our SNORT rules to better detect replay
attacks and man-in-the-middle attacks. To achieve this, I'm interested in
creating SNORT rules that can be triggered sequentially, where the second
rule is only activated after a certain first rule has been triggered.
Additionally, I'd like the second rule to sniff for content that is either
completely or partially equal to the content of the first triggered rule
but is now sent from a different host.
Here's a conceptual example of the goal I have in mind:
# First Rule to Trigger

trigger udp $EXTERNAL_NET any -> $HOME_NET 1234 (Activate rule 2 Trigger; byte_extract into var; sid:1; rev:1)

# Second Rule to Detect Replay Attack

alert udp $!IP_FROM_FIRST_RULE any -> $HOME_NET 1234 (byte_extract and compare to $var from FIRST RULE -> Throw alert when equal; sid:2; rev:1)

I've already explored the use of "flowbits", but unfortunately I
couldn't find a way to pass the source IP address or other
extracted information from the first rule to the second rule.
Currently, my workaround idea would involve writing two dynamic rules (SO
rules) that translate source IP addresses and other extracted bytes into
binary and store them in flowbits (36 for IP). These flowbits are then
compared for identity; if they match, the flowbits are reset,
otherwise an alert is generated.
"flowbits" have the requirement of using the "Session" preprocessor. What
exactly is understood as a session when using "flowbits" in the UDP
context? As I understand it, flowbits are unique ("private") variables for
every session, but an explanation of a session in the UDP context is
missing in the SNORT manual. In my understanding, a session is always
mapped to the combination of source and destination IPs.
Assume 2 rules with the Session preprocessor activated for UDP:

   1. alert udp any any -> any any (...; flowbits: toggle, var1; flowbits: noalert; ... sid: 1)
   2. alert udp 1.1.1.1 any -> any any (...; flowbits: isset, var1; ... sid: 2)

With the following packets, will rule 2 be triggered:

   1. 2.2.2.2 -> 3.3.3.3
   2. 4.4.4.4 -> 3.3.3.3
   3. 1.1.1.1 -> 3.3.3.3

Again, in my understanding all 3 packets are from different sessions, and the
3rd packet should not trigger the alert, even when the 2nd packet is not
sent (assuming var1 starts at 0). This would mean that my goal of
detecting a replay attack is not possible with "flowbits", as it is not
possible to transfer information between different source/destination IP
combinations.
I hope I have understood this wrongly and someone can explain how to use the
"flowbits" + "session" functionality to make information transfer between
rules possible (tracking sessions by destination IP, for example).


My questions summarized:

- In a rule with more than 1 IP address as source or destination, is it
possible to extract the current IP address of the host that triggered
the rule? I tried to access it via "content:"|11|", offset -20, depth 1;"
on a UDP rule, but was not able to match any IP address bytes.

- Are there alternative approaches within SNORT to effectively detect
replay attacks or to transfer extracted information (byte_extract) from one
rule to another rule (stateful inspection)?

- How can I use "flowbits", and what is meant by sessions in the
required preprocessor? (How) can the preprocessor and flowbits help with
stateful inspection?

I'm very open to any suggestions, insights, or alternative approaches that
the SNORT community might have to offer. Your expertise and guidance would
be greatly appreciated.
Thank you in advance for your time and assistance.

Best regards,

Geriot
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
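The post's core question is whether a bit set on one UDP "session" can be seen by a rule matching a packet from a different host. The simulation below is an added example written for this thread; it is not code from the post or from the Snort project. It assumes that the stream preprocessor identifies a UDP flow by the bidirectional 5-tuple (addresses, ports, protocol) and that flowbits live on that flow object, models the post's two rules against a per-flow store (flowbits semantics) and against a global cache keyed on destination service plus payload digest (the state the post is asking for), and checks each packet against state left by earlier packets before storing its own. The three packets, the HOME_NET value and the payload bytes are constructed sample input.

```python
"""
Per-flow flowbits versus a global replay cache: a simulation of the
scenario in the post (added example; not Snort code).

Assumption: a UDP "session" is the bidirectional 5-tuple and flowbits are
private to that flow. The packets below are constructed sample traffic.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes
    proto: str = "udp"


def flow_key(p: Packet) -> tuple:
    """Bidirectional 5-tuple: A->B and B->A map to the same flow (assumed Snort behaviour)."""
    ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto, ends[0], ends[1])


class PerFlowStore:
    """Models flowbits: every flow carries its own private state."""

    def __init__(self):
        self._flows: dict = {}

    def record(self, p: Packet, key, value):
        self._flows.setdefault(flow_key(p), {})[key] = value

    def lookup(self, p: Packet, key):
        return self._flows.get(flow_key(p), {}).get(key)


class GlobalStore:
    """Models the cross-flow state the post asks for: shared by all packets."""

    def __init__(self):
        self._table: dict = {}

    def record(self, p: Packet, key, value):
        self._table[key] = value

    def lookup(self, p: Packet, key):
        return self._table.get(key)


HOME_NET = {"3.3.3.3"}   # constructed value for the simulation
SERVICE_PORT = 1234      # the port used in the post's example rules


def payload_key(p: Packet) -> tuple:
    """Replay identity: same destination service, same bytes on the wire."""
    return (p.dst, p.dport, hashlib.sha256(p.payload).hexdigest())


def run_rules(packets, store):
    """
    sid:1 - udp $EXTERNAL_NET any -> $HOME_NET 1234: remember who first sent this payload.
    sid:2 - same traffic: alert if the identical payload was already recorded
            from a different source host.
    sid:2 is evaluated against state from earlier packets before sid:1 stores
    the current packet, so no same-packet set/isset ordering is involved.
    """
    alerts = []
    for p in packets:
        if p.proto != "udp" or p.dst not in HOME_NET or p.dport != SERVICE_PORT:
            continue
        first_sender = store.lookup(p, payload_key(p))
        if first_sender is not None and first_sender != p.src:
            alerts.append({"sid": 2, "replayed_by": p.src, "original_src": first_sender})
        if first_sender is None:
            store.record(p, payload_key(p), p.src)
    return alerts


# Constructed traffic: the post's three packets; the third replays the
# first packet's payload from a different host.
MSG = b"\x11\x00\x42AUTH-TOKEN-0001"
SAMPLE = [
    Packet("2.2.2.2", "3.3.3.3", 40000, SERVICE_PORT, MSG),
    Packet("4.4.4.4", "3.3.3.3", 40001, SERVICE_PORT, b"\x11\x00\x99OTHER"),
    Packet("1.1.1.1", "3.3.3.3", 40002, SERVICE_PORT, MSG),
]


def compare():
    """Run the same rule logic with both state models and return the alerts."""
    return {
        "flowbits_style": run_rules(SAMPLE, PerFlowStore()),
        "global_cache": run_rules(SAMPLE, GlobalStore()),
    }


if __name__ == "__main__":
    for name, alerts in compare().items():
        print(f"{name}: {alerts}")
```

With the per-flow store the third packet lands in a fresh flow, its lookup returns nothing, and no alert is raised; with the global cache the same payload is found under a different source and sid:2 fires. The global cache here has no expiry or size bound, which a real replay cache would need so that it cannot grow without limit on a busy service.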
