[Oisf-devel] Suricata smtp flowbits FN

rmkml rmkml at yahoo.fr
Tue Nov 26 16:14:15 UTC 2013


Hi,

During my testing,

I found an FN when smtp and flowbits are used.

Created a PoC especially for this:

1) attached pcap file (not changed, no fuzzing).

2) created three sigs:

alert tcp any any -> any 25 (msg:"SMTP EHLO"; flow:to_server,established; content:"EHLO "; flowbits:set,smtp.helo.found; classtype:attempted-user; sid:1; rev:1;)

alert tcp any any -> any 25 (msg:"SMTP DATA"; flow:to_server,established; flowbits:isset,smtp.helo.found; content:"DATA"; flowbits:unset,smtp.helo.found; flowbits:set,smtp.data.found; classtype:attempted-admin; sid:2; rev:1;)

alert tcp any any -> any 25 (msg:"SMTP Subject"; flow:to_server,established; flowbits:isset,smtp.data.found; content:"Subject|3A| test email"; classtype:attempted-admin; sid:3; rev:1;)

3) [FN] start suricata and look at fast.log:
11/26/2013-16:30:20.277177  [**] [1:1:1] SMTP EHLO [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 88.191.140.111:51906 -> 188.125.69.79:25
11/26/2013-16:30:20.277177  [**] [1:2:1] SMTP DATA [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 88.191.140.111:51906 -> 188.125.69.79:25

4) swapped the last two flowbits but same FN:
alert tcp any any -> any 25 (msg:"SMTP DATA"; flow:to_server,established; flowbits:isset,smtp.helo.found; content:"DATA"; flowbits:set,smtp.data.found; flowbits:unset,smtp.helo.found; classtype:attempted-admin; sid:2; rev:1;)

5) changed unset to set but same FN:
alert tcp any any -> any 25 (msg:"SMTP DATA"; flow:to_server,established; flowbits:isset,smtp.helo.found; content:"DATA"; flowbits:set,smtp.helo.found; flowbits:set,smtp.data.found; classtype:attempted-admin; sid:2; rev:1;)

6) renamed the flowbits name but same FN:
alert tcp any any -> any 25 (msg:"SMTP DATA"; flow:to_server,established; flowbits:isset,smtp.helo.found; content:"DATA"; flowbits:unset,smtp.xxxxx.found; flowbits:set,smtp.data.found; classtype:attempted-admin; sid:2; rev:1;)

7) OK, only removing flowbits:unset,smtp.helo.found; on sid 2 and suricata fires differently:
11/26/2013-16:30:20.277177  [**] [1:1:1] SMTP EHLO [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 88.191.140.111:51906 -> 188.125.69.79:25
11/26/2013-16:30:20.277177  [**] [1:2:1] SMTP DATA [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 88.191.140.111:51906 -> 188.125.69.79:25
11/26/2013-16:30:20.277177  [**] [1:3:1] SMTP Subject [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 88.191.140.111:51906 -> 188.125.69.79:25

Why does Suricata not fire on points 3+4+5+6 please?
If anyone confirms, I'll open a redmine ticket.

Tested on Suricata recent git and v1.4.6.
Snort fires.

Regards
@Rmkml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smtpsuricataflowbitsFN.pcap
Type: application/cap
Size: 2476 bytes
Desc: 
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20131126/83ac3d80/attachment.pcap>
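A stand-alone reference model of the flowbits semantics the three rules above rely on, added here as an example; it is not code from the original post and not Suricata's or Snort's rule engine. It parses the posted rule text and replays it over a constructed SMTP session (the payloads are made up for this example), so the alert sequence a rule set should produce can be worked out offline and compared with fast.log before opening a ticket. Assumptions of the model: rules are evaluated in file order against each client-to-server payload, `content` is a case-sensitive substring match, `isset`/`isnotset` are conditions, and `set`/`unset`/`toggle` are applied only after the rule fully matches. All function names and the session data are this example's own.

```python
"""Simplified flowbits model (added example, not Suricata/Snort code)."""
import re
from dataclasses import dataclass

FLOWBITS_RE = re.compile(r'flowbits:(\w+)(?:,([\w.]+))?;')
CONTENT_RE = re.compile(r'content:"([^"]*)";')
SID_RE = re.compile(r'sid:(\d+);')

# The three rules from the post (sid 2 in its original "unset" form).
RULES_UNSET = [
    'alert tcp any any -> any 25 (msg:"SMTP EHLO"; flow:to_server,established; '
    'content:"EHLO "; flowbits:set,smtp.helo.found; classtype:attempted-user; sid:1; rev:1;)',
    'alert tcp any any -> any 25 (msg:"SMTP DATA"; flow:to_server,established; '
    'flowbits:isset,smtp.helo.found; content:"DATA"; flowbits:unset,smtp.helo.found; '
    'flowbits:set,smtp.data.found; classtype:attempted-admin; sid:2; rev:1;)',
    'alert tcp any any -> any 25 (msg:"SMTP Subject"; flow:to_server,established; '
    'flowbits:isset,smtp.data.found; content:"Subject|3A| test email"; '
    'classtype:attempted-admin; sid:3; rev:1;)',
]
# Step 7 of the post: sid 2 without the unset.
RULES_NO_UNSET = [
    RULES_UNSET[0],
    RULES_UNSET[1].replace('flowbits:unset,smtp.helo.found; ', ''),
    RULES_UNSET[2],
]

# Constructed client-to-server SMTP payloads, one per "packet" (not the pcap).
SMTP_SESSION = [
    "EHLO client.example.test\r\n",                    # 0: sid 1 expected
    "MAIL FROM:<alice@example.test>\r\n",              # 1
    "RCPT TO:<bob@example.test>\r\n",                  # 2
    "DATA\r\n",                                        # 3: sid 2 expected
    "Subject: test email\r\n\r\nhello\r\n.\r\n",       # 4: sid 3 expected
    "MAIL FROM:<alice@example.test>\r\n",              # 5: second message, same flow
    "DATA\r\n",                                        # 6: sid 2 only if helo bit still set
    "Subject: test email\r\n\r\nagain\r\n.\r\n",       # 7: sid 3 (data bit never unset)
]


def decode_content(raw):
    """Expand |HEX| escapes in a rule content string, e.g. 'Subject|3A| x'."""
    return re.sub(r'\|([0-9A-Fa-f ]+)\|',
                  lambda m: bytes.fromhex(m.group(1)).decode('latin-1'), raw)


@dataclass
class Rule:
    sid: int
    contents: list   # decoded content strings, all must match
    ops: list        # (op, bitname) in keyword order


def parse_rule(text):
    """Pull sid, content and flowbits keywords out of one rule line."""
    sid = int(SID_RE.search(text).group(1))
    contents = [decode_content(c) for c in CONTENT_RE.findall(text)]
    ops = [(op, name) for op, name in FLOWBITS_RE.findall(text)]
    return Rule(sid, contents, ops)


def evaluate(rule_texts, payloads):
    """Replay rules over one flow; return [(payload_index, sid), ...] alerts."""
    rules = [parse_rule(t) for t in rule_texts]
    bits = set()
    alerts = []
    for idx, payload in enumerate(payloads):
        for rule in rules:
            if not all(c in payload for c in rule.contents):
                continue
            # Conditions are checked against the flow's current bit state.
            conditions_ok = all(
                (name in bits) if op == 'isset' else
                (name not in bits) if op == 'isnotset' else True
                for op, name in rule.ops)
            if not conditions_ok:
                continue
            alerts.append((idx, rule.sid))
            # State changes apply only after a full match.
            for op, name in rule.ops:
                if op == 'set':
                    bits.add(name)
                elif op == 'unset':
                    bits.discard(name)
                elif op == 'toggle':
                    bits ^= {name}
    return alerts


if __name__ == "__main__":
    for label, rules in (("unset", RULES_UNSET), ("no unset", RULES_NO_UNSET)):
        print(label, evaluate(rules, SMTP_SESSION))
```

In this model the `unset` on smtp.helo.found only stops sid 2 from firing again on a later DATA in the same flow; it does not touch smtp.data.found, so sid 3 is expected on every matching Subject line in both rule variants. If a rule set's model output and the real fast.log disagree for the same payload sequence, that difference is the concrete thing to attach to a ticket.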
