[Oisf-devel] Suricata smtp flowbits FN

rmkml rmkml at yahoo.fr
Wed Nov 27 09:16:57 UTC 2013


Thanks Peter,

opened ticket #1045.

Best Regards
@Rmkml


On Wed, 27 Nov 2013, Peter Manev wrote:

> On Tue, Nov 26, 2013 at 5:14 PM, rmkml <rmkml at yahoo.fr> wrote:
>> Hi,
>>
>> During my testing,
>>
>> I found an FN when SMTP and flowbits are used.
>>
>> Created a PoC especially for this:
>>
>> 1) attached pcap file (unchanged, no fuzzing).
>>
>> 2) created three sigs:
>>
>> alert tcp any any -> any 25 (msg:"SMTP EHLO"; flow:to_server,established;
>> content:"EHLO "; flowbits:set,smtp.helo.found; classtype:attempted-user;
>> sid:1; rev:1;)
>>
>> alert tcp any any -> any 25 (msg:"SMTP DATA"; flow:to_server,established;
>> flowbits:isset,smtp.helo.found; content:"DATA";
>> flowbits:unset,smtp.helo.found; flowbits:set,smtp.data.found;
>> classtype:attempted-admin; sid:2; rev:1;)
>>
>> alert tcp any any -> any 25 (msg:"SMTP Subject"; flow:to_server,established;
>> flowbits:isset,smtp.data.found; content:"Subject|3A| test email";
>> classtype:attempted-admin; sid:3; rev:1;)
>>
>> 3) [FN] start Suricata and look at fast.log:
>> 11/26/2013-16:30:20.277177  [**] [1:1:1] SMTP EHLO [**] [Classification:
>> Attempted User Privilege Gain] [Priority: 1] {TCP} 88.191.140.111:51906 ->
>> 188.125.69.79:25
>> 11/26/2013-16:30:20.277177  [**] [1:2:1] SMTP DATA [**] [Classification:
>> Attempted Administrator Privilege Gain] [Priority: 1] {TCP}
>> 88.191.140.111:51906 -> 188.125.69.79:25
>>
>> 4) swapped the last two flowbits, but same FN:
>> alert tcp any any -> any 25 (msg:"SMTP DATA"; flow:to_server,established;
>> flowbits:isset,smtp.helo.found; content:"DATA";
>> flowbits:set,smtp.data.found; flowbits:unset,smtp.helo.found;
>> classtype:attempted-admin; sid:2; rev:1;)
>>
>> 5) changed unset to set, but same FN:
>> alert tcp any any -> any 25 (msg:"SMTP DATA"; flow:to_server,established;
>> flowbits:isset,smtp.helo.found; content:"DATA";
>> flowbits:set,smtp.helo.found; flowbits:set,smtp.data.found;
>> classtype:attempted-admin; sid:2; rev:1;)
>>
>> 6) renamed the flowbit, but same FN:
>> alert tcp any any -> any 25 (msg:"SMTP DATA"; flow:to_server,established;
>> flowbits:isset,smtp.helo.found; content:"DATA";
>> flowbits:unset,smtp.xxxxx.found; flowbits:set,smtp.data.found;
>> classtype:attempted-admin; sid:2; rev:1;)
>>
>> 7) OK, only removing flowbits:unset,smtp.helo.found; from sid 2 makes Suricata
>> fire differently:
>> 11/26/2013-16:30:20.277177  [**] [1:1:1] SMTP EHLO [**] [Classification:
>> Attempted User Privilege Gain] [Priority: 1] {TCP} 88.191.140.111:51906 ->
>> 188.125.69.79:25
>> 11/26/2013-16:30:20.277177  [**] [1:2:1] SMTP DATA [**] [Classification:
>> Attempted Administrator Privilege Gain] [Priority: 1] {TCP}
>> 88.191.140.111:51906 -> 188.125.69.79:25
>> 11/26/2013-16:30:20.277177  [**] [1:3:1] SMTP Subject [**] [Classification:
>> Attempted Administrator Privilege Gain] [Priority: 1] {TCP}
>> 88.191.140.111:51906 -> 188.125.69.79:25
>>
>> Why does Suricata not fire on points 3, 4, 5 and 6?
>> If anyone confirms, I'll open a Redmine ticket.
>>
>> Tested on recent Suricata git and v1.4.6.
>> Snort fires.
>>
>> Regards
>> @Rmkml
>
> Can you please open a bug report for this?
> thanks
>
> -- 
> Regards,
> Peter Manev
>
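The three rules above chain on per-flow state: sid 1 sets a flowbit on EHLO, sid 2 requires it and hands over to a second flowbit on DATA, sid 3 requires that one on the Subject line. The model below is an added example, not Suricata or Snort code and not the pcap from the thread: it reduces each rule to a substring content match on to_server payloads, evaluates rules in list order for each payload, and applies set/unset only after a rule has matched, which is the documented meaning of flowbits in both engines. The SMTP client segments are constructed. Under these semantics every variant from steps 3 to 7 yields the alert sequence the poster expected (and reports Snort producing), whether the commands arrive in separate segments or in one; the model also shows why an engine must evaluate flowbit setters before checkers when everything lands in a single packet, as the identical fast.log timestamps suggest.

```python
"""Model of flowbits semantics for the chained SMTP rules in this thread.

Added example, not Suricata or Snort code.  Assumptions: substring content
matching on to_server payloads, rules evaluated in list order per payload,
flowbits actions applied after a rule matches.  Segments are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

Check = Tuple[str, str]   # ("isset" | "isnotset", flowbit name)
Action = Tuple[str, str]  # ("set" | "unset", flowbit name)


@dataclass
class Rule:
    sid: int
    msg: str
    content: bytes
    checks: List[Check] = field(default_factory=list)
    actions: List[Action] = field(default_factory=list)


def evaluate(rules: List[Rule], payloads: List[bytes]):
    """Return (alerts, final flowbits); alerts are (payload index, sid) pairs."""
    flowbits: Set[str] = set()
    alerts = []
    for idx, payload in enumerate(payloads, 1):
        for rule in rules:
            if rule.content not in payload:
                continue
            # Every isset/isnotset must agree with the per-flow state.
            if not all((name in flowbits) == (op == "isset")
                       for op, name in rule.checks):
                continue
            alerts.append((idx, rule.sid))
            # Post-match actions; their relative order inside one rule is
            # irrelevant as long as they touch different flowbits.
            for op, name in rule.actions:
                if op == "set":
                    flowbits.add(name)
                elif op == "unset":
                    flowbits.discard(name)
    return alerts, flowbits


def smtp_rules(data_actions: List[Action]) -> List[Rule]:
    """The three rules from the thread; sid 2's flowbits actions vary per step."""
    return [
        Rule(1, "SMTP EHLO", b"EHLO ", actions=[("set", "smtp.helo.found")]),
        Rule(2, "SMTP DATA", b"DATA",
             checks=[("isset", "smtp.helo.found")], actions=data_actions),
        Rule(3, "SMTP Subject", b"Subject: test email",
             checks=[("isset", "smtp.data.found")]),
    ]


# sid 2 variants exactly as tried in steps 3 to 7 of the report.
VARIANTS = {
    "step3_unset_then_set": [("unset", "smtp.helo.found"), ("set", "smtp.data.found")],
    "step4_set_then_unset": [("set", "smtp.data.found"), ("unset", "smtp.helo.found")],
    "step5_set_set":        [("set", "smtp.helo.found"), ("set", "smtp.data.found")],
    "step6_unset_other":    [("unset", "smtp.xxxxx.found"), ("set", "smtp.data.found")],
    "step7_no_unset":       [("set", "smtp.data.found")],
}

# Constructed client side of one SMTP session (server replies omitted; the
# rules only inspect to_server traffic).
CLIENT_SEGMENTS = [
    b"EHLO mail.example.test\r\n",
    b"MAIL FROM:<alice@example.test>\r\n",
    b"RCPT TO:<bob@example.test>\r\n",
    b"DATA\r\n",
    b"Subject: test email\r\n\r\nhello\r\n.\r\n",
]


def fired_sids(variant: str, one_segment: bool = False,
               checkers_first: bool = False) -> List[int]:
    """Sids that fire for a sid 2 variant, optionally with the whole session
    in one payload and/or rules evaluated with checkers before setters."""
    rules = smtp_rules(VARIANTS[variant])
    if checkers_first:
        rules = list(reversed(rules))
    payloads = [b"".join(CLIENT_SEGMENTS)] if one_segment else CLIENT_SEGMENTS
    alerts, _ = evaluate(rules, payloads)
    return [sid for _, sid in alerts]


def final_flowbits(variant: str) -> Set[str]:
    _, bits = evaluate(smtp_rules(VARIANTS[variant]), CLIENT_SEGMENTS)
    return bits


if __name__ == "__main__":
    for name in VARIANTS:
        print(f"{name:22s} split={fired_sids(name)} "
              f"one segment={fired_sids(name, one_segment=True)}")
    print("checkers before setters, one segment:",
          fired_sids("step3_unset_then_set", True, True))
```

With setters evaluated first, every variant fires sids 1, 2 and 3 in both the split and the single-segment case; with checkers evaluated first and the whole session in one payload, only sid 1 fires, because sids 2 and 3 test flowbits that nothing has set yet. That dependence on evaluation order is what a real engine's flowbits-aware signature ordering has to get right, and it is the first thing to check when a chained rule set produces alerts for the setter but not for the checker.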
