<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">It took way more effort than I expected
to find a working pcap anonymizer. I finally found tcprewrite in
the tcpreplay suite. The 10.x IP here is the attacker exploiting
an open proxy on the victim 172.x machine.<br>
<pre class="moz-signature" cols="72">Matt</pre>
On 1/7/2013 5:15 AM, Peter Manev wrote:<br>
</div>
<blockquote
cite="mid:CAMhe82Kr15ADxzrkdPdTU0wtqNyrtRRLgsE3pUxZ_Sm76WrsWQ@mail.gmail.com"
type="cite">Hi Matt,<br>
Would you be able to share a test pcap?<br>
Change the IPs if needed.<br>
<br>
Thank you<br>
<br>
<div class="gmail_quote">On Mon, Jan 7, 2013 at 1:29 AM, Matt
Carothers <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:matt@somedamn.com" target="_blank">matt@somedamn.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Adding the
flow directions does work. Using the http rules does not.
Here's what I have now:<br>
<br>
alert tcp $HOME_NET any -> any any (msg:"SOCKS5
Authentication Accept"; content:"|05 00|"; dsize:2;
flowbits:set, socks5; flowbits:noalert;
flow:from_server,established;)<br>
alert http any any -> $HOME_NET any (msg:"SOCKS5 Tunneled
GET"; flowbits:isset, socks5; content:"GET"; nocase;
http_method; classtype:trojan-activity; sid:7100001; rev:1;)<br>
alert http any any -> $HOME_NET any (msg:"SOCKS5 Tunneled
POST"; flowbits:isset, socks5; content:"POST"; nocase;
http_method; classtype:trojan-activity; sid:7100002; rev:1;)<br>
alert tcp any any -> $HOME_NET any (msg:"SOCKS5 Tunneled
GET"; flowbits:isset, socks5; flow:from_client,established;
content:"GET "; depth:4; classtype:trojan-activity;
sid:7100003; rev:1;)<br>
<br>
Only the 7100003 rule triggers.<span class="HOEnZb"><font
color="#888888"><br>
<br>
Matt</font></span>
<div class="HOEnZb">
<div class="h5"><br>
<br>
On 1/6/2013 4:45 PM, rmkml wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
and I'm curious if Suricata detect http rule like "alert
http ... content:"GET"; nocase; http_method;..." work ?<br>
Regards<br>
Rmkml<br>
<br>
<br>
On Sun, 6 Jan 2013, rmkml wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
Good, please check adding flow:from_server,established
on first rule<br>
and flow:to_server,established on second rule please.<br>
Regards<br>
Rmkml<br>
<br>
<br>
On Sun, 6 Jan 2013, Matt wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
Thanks! That's exactly what I needed. I can't share
a pcap from my customers' traffic, but here are the
rules I just wrote:<br>
<br>
alert tcp $HOME_NET any -> any any (msg:"SOCKS5
Authentication Accept"; content:"|05 00|"; dsize:2;
flowbits:set, socks5; flowbits:noalert;)<br>
alert tcp any any -> $HOME_NET any (msg:"SOCKS5
Tunneled GET"; flowbits:isset, socks5; content:"GET
"; depth:4; classtype:trojan-activity; sid:7100001;
rev:1;)<br>
<br>
0x0500 is the reply back from the SOCKS5 server
indicating authentication succeeded. A subsequent
HTTP GET in the other direction triggers the alert.<br>
<br>
Matt<br>
<br>
On 1/6/2013 3:17 PM, rmkml wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi Matt,<br>
Yes it's possible with flowbits...<br>
Can you share a pcap please?<br>
Regards<br>
Rmkml<br>
<br>
<br>
On Sun, 6 Jan 2013, Matt wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0
0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
Is it possible to write a rule that matches a
sequence of packets in a flow? My specific use
case is that I'd like to match HTTP requests
sent across SOCKS5 proxy tunnels. I can easily
write a rule to match a SOCKS5 handshake or an
HTTP request, but I don't know if it's possible
to match the request only when it follows the
handshake in a given tcp session.<br>
<br>
- Matt<br>
</blockquote>
</blockquote>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a
moz-do-not-send="true"
href="mailto:oisf-users@openinfosecfoundation.org"
target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a moz-do-not-send="true"
href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a>
| Support: <a moz-do-not-send="true"
href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a moz-do-not-send="true"
href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users"
target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a moz-do-not-send="true"
href="http://www.openinfosecfoundation.org/"
target="_blank">http://www.openinfosecfoundation.org/</a><br>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div>Regards,</div>
<div>Peter Manev</div>
</blockquote>
<br>
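<p>The flowbits logic the thread converges on (set a bit when the server answers the SOCKS5 method negotiation with <code>05 00</code>, then alert on a client HTTP request line later in the same TCP flow) can be stated as a small per-flow state machine. The script below is an added example, not code from the thread or from the Suricata project: it replays a constructed SOCKS5 CONNECT exchange plus two control flows (a plain GET with no handshake, and a server that rejects all auth methods with <code>05 FF</code>) and shows that only the tunneled request alerts. <code>HOME_NET</code>, the addresses, ports and payloads are all constructed; the sid 7100003 simply echoes the rule in the thread, generalized here to a few more HTTP methods than the original GET/POST pair.</p>

```python
from typing import NamedTuple


class Pkt(NamedTuple):
    """One TCP segment's payload with its 4-tuple (constructed test data)."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


# $HOME_NET expressed as an address prefix; an assumption for this example.
HOME_NET = "172.16."

# SOCKS5 method-selection reply: version 5, method 0x00 = "no authentication
# required". This is the 2-byte packet matched by content:"|05 00|"; dsize:2.
SOCKS5_METHOD_ACCEPT = b"\x05\x00"

# Request-line prefixes we treat as "HTTP request from the client".
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")


def in_home_net(ip: str) -> bool:
    return ip.startswith(HOME_NET)


def flow_key(p: Pkt):
    """Direction-independent key so both halves of a connection share state."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def detect(packets):
    """Return [(sid, msg, flow_key), ...] in the order alerts fire."""
    # flow -> {"client": (ip, port) of the initiator, "bits": set of flowbit names}
    flows = {}
    alerts = []
    for p in packets:
        k = flow_key(p)
        # The first packet we see defines the client side (flow:from_client /
        # from_server). Like Suricata, this is wrong for a mid-stream capture
        # where the first segment seen is the server's.
        st = flows.setdefault(k, {"client": (p.src, p.sport), "bits": set()})
        from_server = (p.src, p.sport) != st["client"]

        # Rule 1: $HOME_NET -> any, flow:from_server, exactly "05 00",
        #         flowbits:set,socks5; flowbits:noalert
        if from_server and in_home_net(p.src) and p.payload == SOCKS5_METHOD_ACCEPT:
            st["bits"].add("socks5")
            continue

        # Rule 2: any -> $HOME_NET, flow:from_client, flowbits:isset,socks5,
        #         payload begins with an HTTP request line
        if not from_server and in_home_net(p.dst) and "socks5" in st["bits"]:
            for m in HTTP_METHODS:
                if p.payload.startswith(m):
                    alerts.append((7100003, "SOCKS5 Tunneled " + m.strip().decode(), k))
                    break
    return alerts


def sample_traffic():
    """Constructed traffic: attacker 10.0.0.5 using an open SOCKS5 proxy on 172.16.0.10."""
    atk, vic = "10.0.0.5", "172.16.0.10"

    def c2s(b):
        return Pkt(atk, 40001, vic, 1080, b)

    def s2c(b):
        return Pkt(vic, 1080, atk, 40001, b)

    return [
        c2s(b"\x05\x01\x00"),                                  # greeting: v5, 1 method, no-auth
        s2c(b"\x05\x00"),                                      # method select -> sets flowbit
        c2s(b"\x05\x01\x00\x01\xc0\x00\x02\x0a\x00\x50"),      # CONNECT 192.0.2.10:80
        s2c(b"\x05\x00\x00\x01\x00\x00\x00\x00\x00\x00"),      # reply: succeeded (10 bytes, not dsize:2)
        c2s(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),  # tunneled request -> alert
        s2c(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
        # Control 1: direct GET to the victim with no SOCKS5 handshake -> no alert
        Pkt(atk, 40002, vic, 80, b"GET / HTTP/1.1\r\nHost: 172.16.0.10\r\n\r\n"),
        # Control 2: server rejects every method (05 FF); a later GET must not alert
        Pkt(atk, 40003, vic, 1080, b"\x05\x01\x02"),
        Pkt(vic, 1080, atk, 40003, b"\x05\xff"),
        Pkt(atk, 40003, vic, 1080, b"GET / HTTP/1.1\r\n\r\n"),
    ]


if __name__ == "__main__":
    for sid, msg, flow in detect(sample_traffic()):
        print(sid, msg, flow)
```

<p>Because rule 1 keys on the exact 2-byte method-selection reply, the longer CONNECT reply (<code>05 00 00 01 ...</code>) does not re-trigger it, and a <code>05 FF</code> rejection never sets the bit at all; the tunneled GET is the only packet that passes both the direction check and the flowbit check.</p>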
</body>
</html>