[Oisf-devel] Suricata smtp flowbits FN

Peter Manev petermanev at gmail.com
Wed Nov 27 08:53:11 UTC 2013


On Tue, Nov 26, 2013 at 5:14 PM, rmkml <rmkml at yahoo.fr> wrote:
> Hi,
>
> During my testing,
>
> I found an FN when smtp and flowbits are used.
>
> Created a PoC especially for this:
>
> 1) attached pcap file (unchanged, no fuzzing).
>
> 2) created three sigs:
>
> alert tcp any any -> any 25 (msg:"SMTP EHLO"; flow:to_server,established;
> content:"EHLO "; flowbits:set,smtp.helo.found; classtype:attempted-user;
> sid:1; rev:1;)
>
> alert tcp any any -> any 25 (msg:"SMTP DATA"; flow:to_server,established;
> flowbits:isset,smtp.helo.found; content:"DATA";
> flowbits:unset,smtp.helo.found; flowbits:set,smtp.data.found;
> classtype:attempted-admin; sid:2; rev:1;)
>
> alert tcp any any -> any 25 (msg:"SMTP Subject"; flow:to_server,established;
> flowbits:isset,smtp.data.found; content:"Subject|3A| test email";
> classtype:attempted-admin; sid:3; rev:1;)
>
> 3) [FN] start suricata and look fast.log:
> 11/26/2013-16:30:20.277177  [**] [1:1:1] SMTP EHLO [**] [Classification:
> Attempted User Privilege Gain] [Priority: 1] {TCP} 88.191.140.111:51906 ->
> 188.125.69.79:25
> 11/26/2013-16:30:20.277177  [**] [1:2:1] SMTP DATA [**] [Classification:
> Attempted Administrator Privilege Gain] [Priority: 1] {TCP}
> 88.191.140.111:51906 -> 188.125.69.79:25
>
> 4) swapped the two last flowbits but same FN:
> alert tcp any any -> any 25 (msg:"SMTP DATA"; flow:to_server,established;
> flowbits:isset,smtp.helo.found; content:"DATA";
> flowbits:set,smtp.data.found; flowbits:unset,smtp.helo.found;
> classtype:attempted-admin; sid:2; rev:1;)
>
> 5) changed unset to set but same FN:
> alert tcp any any -> any 25 (msg:"SMTP DATA"; flow:to_server,established;
> flowbits:isset,smtp.helo.found; content:"DATA";
> flowbits:set,smtp.helo.found; flowbits:set,smtp.data.found;
> classtype:attempted-admin; sid:2; rev:1;)
>
> 6) rename flowbits name but same FN:
> alert tcp any any -> any 25 (msg:"SMTP DATA"; flow:to_server,established;
> flowbits:isset,smtp.helo.found; content:"DATA";
> flowbits:unset,smtp.xxxxx.found; flowbits:set,smtp.data.found;
> classtype:attempted-admin; sid:2; rev:1;)
>
> 7) OK, only removing flowbits:unset,smtp.helo.found; from sid 2 makes Suricata fire
> differently:
> 11/26/2013-16:30:20.277177  [**] [1:1:1] SMTP EHLO [**] [Classification:
> Attempted User Privilege Gain] [Priority: 1] {TCP} 88.191.140.111:51906 ->
> 188.125.69.79:25
> 11/26/2013-16:30:20.277177  [**] [1:2:1] SMTP DATA [**] [Classification:
> Attempted Administrator Privilege Gain] [Priority: 1] {TCP}
> 88.191.140.111:51906 -> 188.125.69.79:25
> 11/26/2013-16:30:20.277177  [**] [1:3:1] SMTP Subject [**] [Classification:
> Attempted Administrator Privilege Gain] [Priority: 1] {TCP}
> 88.191.140.111:51906 -> 188.125.69.79:25
>
> Why does Suricata not fire on points 3+4+5+6, please?
> If anyone confirms, I'll open a Redmine ticket.
>
> Tested on Suricata recent git and v1.4.6.
> Snort fires.
>
> Regards
> @Rmkml
> _______________________________________________
> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> Site: http://suricata-ids.org | Participate:
> http://suricata-ids.org/participate/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/

Can you please open a bug report for this?
thanks

-- 
Regards,
Peter Manev
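As an added illustration (not part of the thread or of Suricata itself), a small Python model of the flowbits chain the three posted rules describe: the "isset" precondition is tested before a rule's own set/unset take effect, flowbits are kept per flow, and each client line is evaluated separately. The SMTP lines are constructed stand-ins for the to_server side of the poster's pcap, which is not available here; the model encodes the expected output (sids 1, 2 and 3), not how Suricata's detection engine is implemented.

```python
# Constructed SMTP client lines standing in for the to_server side of the
# poster's pcap (the real capture is not available here).
SMTP_CLIENT_LINES = [
    "EHLO mail.example.test",
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "DATA",
    "Subject: test email",   # "Subject|3A| test email" in rule syntax: |3A| is ':'
    ".",
]

# The three rules from the thread, reduced to the keywords that drive the chain:
# the content match, the flowbits precondition and the flowbits side effects.
RULES = [
    {"sid": 1, "content": "EHLO ", "isset": None,
     "actions": [("set", "smtp.helo.found")]},
    {"sid": 2, "content": "DATA", "isset": "smtp.helo.found",
     "actions": [("unset", "smtp.helo.found"), ("set", "smtp.data.found")]},
    {"sid": 3, "content": "Subject: test email", "isset": "smtp.data.found",
     "actions": []},
]


def evaluate_flow(lines, rules):
    """Return the sids that fire, in order, for one flow of client lines.

    Flowbits are scoped to the flow: every rule is checked against every
    line, the 'isset' precondition is evaluated before the rule's own
    set/unset run, and side effects apply only when the rule matches.
    """
    flowbits = set()
    fired = []
    for line in lines:
        for rule in rules:
            if rule["content"] not in line:
                continue
            if rule["isset"] and rule["isset"] not in flowbits:
                continue
            fired.append(rule["sid"])
            for action, name in rule["actions"]:
                if action == "set":
                    flowbits.add(name)
                elif action == "unset":
                    flowbits.discard(name)
    return fired


if __name__ == "__main__":
    print(evaluate_flow(SMTP_CLIENT_LINES, RULES))  # expected chain: [1, 2, 3]
```

Swapping the order of the two flowbits actions on sid 2 (the poster's step 4) leaves the model's result unchanged, and a flow that never sends EHLO fires nothing, which is the per-flow gating the rules rely on.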