[Oisf-devel] [Suricata] Question about flowint - incrementing counter

Wed Mar 16 16:05:19 UTC 2011

Hi Sebastien. The rules look fine. The problem is that looking at the
pcap, there are different flows per login, as follows:
220 (vsFTPd 2.0.7)
USER root
331 Please specify the password.
PASS a
530 Login incorrect.
SYST
530 Please login with USER and PASS.
QUIT
221 Goodbye.

After the QUIT command, the connection is closed, so the flow instance
is destroyed after that, and the flowint vars will be released too.
Then a new connection is set for another login retry, and Suricata
create a new flow instance, but flowint vars live in the context of a
flow. To accomplish this, we need Global Vars (another feature in the
roadmap of the project), that's the ability to create variables that
exists in the context of 2 ip addresses, regardless of ports and IP
sessions id's/streams, flow instances...

That will make suricata able to use a simple logical correlation,
something like "an exploit has been detected on the fly" on one flow,
and after that, the flow is destroyed. Ok, but we have set a
var/int/bit between those hosts indicating that intention, so we don't
mind if the flow was destroyed because we will keep that
information/vars on the context of that pair of hosts. So after that,
if we get "a cmd.exe banner has been matched", between those hosts,
then we will be able to cross it with the previous attack, alerting
that the host might be compromised on a more reliable way, tracking
the intent and response even on different connections.

2011/3/16 Sebastien Damaye <sebastien.damaye at gmail.com>:
> Hi team,
> I'm currently testing Suricata in the shape of a comparative analysis with
> Snort. I've been in contact with Anoop Saldanha who advised me to post my
> question to the dev team mailing list.
> Here is my issue:
> I'm not sure how to use flowint to trigger an alert after 3 bad logins on an
> FTP account.
> Here are my rules:
>
> alert tcp any any -> any any (msg:"Counting Failed Logins";
> content:"incorrect"; flowint: username, notset; flowint:username, =, 1;
> noalert; sid:1;)
> alert tcp any any -> any any (msg:"More than three Failed Logins!";
> content:"incorrect"; flowint: username, isset; flowint:username, +, 1;
> flowint:username, >, 3; sid:2;)
>
> I have tested to track the string "incorrect" to ensure it was correct:
>
> alert tcp any any -> any any (msg:"test_incorrect"; content:"incorrect";
> sid:1;)
>
> And it works fine. Here is the output in /var/log/suricata/fast.log:
>
> 03/16/2011-14:25:23.146103  [**] [1:1:0] test_incorrect [**]
> [Classification: (null)] [Priority: 3] {TCP} 192.168.100.35:21 ->
> 192.168.100.37:37082
>
> You will find attached to this mail a pcap capture realized with tcpdump
> (tcpdump -lnx -s 1500 -i eth0 -w badlogins.cap 'port 21') to track the
> failed authentication attempts.
> I'm also joining my suricata.yaml configuration in case you would need it...
> I have the feeling that the counter is not auto-incrementing...
> Many thanks in advance for your help.
> --
> Cordialement/Regards,
> Sébastien Damaye
> http://www.aldeid.com
>
>
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
>

-- 

Best regards,

--
Pablo Rincón Crespo
Security researcher and developer
Open Information Security Foundation - http://www.openinfosecfoundation.org
Emerging Threats Pro, INC - http://www.emergingthreatspro.com
------------------------------------