<div dir="ltr"><div><div><div><div><div>Okay, I've got a PCAP out of the Snort unified merged log for a rule that triggered an alert, but that Suricata didn't.  However, I'm not sure how much use it's really going to be tbh due to its brevity.  We don't/can't do full PCAP due to the significant amount of traffic passing the sensors.<br><br></div>The rule that Snort triggered was:<br>Signature: ET TROJAN Possible Andromeda download with fake Zip header (2)<br>Event ID: 17.98418, Tuesday, Jan 26, 2016 at 1:10:44 PM GMT<br></div>Source: <a href="http://23.61.255.33:80">23.61.255.33:80</a><br></div>Destination: <a href="http://138.250.134.15:62892">138.250.134.15:62892</a><br></div>Sig. ID: 2018576<br></div>Sig. Revision: 1<br><br><div><div>The rule is from the ET ruleset:<br><br>Snort version:<br>alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Andromeda download with fake Zip header (2)"; flow:to_client,established; file_data; content:"PK|03 04|"; within:4; byte_test:1,>,20,1,relative; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2018576; rev:1;)<br><br>Suricata version:<br>alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Andromeda download with fake Zip header (2)"; flow:to_client,established; content:"|0d 0a 0d 0a|PK|03 04|"; byte_test:1,>,20,1,relative; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2018576; rev:3;)<br><br></div><div>Anyway, fwiw pcap is available here:  <a href="https://drive.google.com/file/d/0B2nEgajl8-1-WmdhTTNlVFRtTlE/view?usp=sharing">https://drive.google.com/file/d/0B2nEgajl8-1-WmdhTTNlVFRtTlE/view?usp=sharing</a><br><br></div><div>Cheers,<br><br><div style="text-align:left">Luke<br></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 26 January 2016 at 11:33, Luke Whitworth <span dir="ltr"><<a href="mailto:l.a.whitworth@gmail.com" target="_blank">l.a.whitworth@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>Thanks for the reply.  I'm looking at seeing if I can get a PCAP of the alert that was missed out of Snort's unified log (using u2boat if memory serves).  
Until then here's the current stats.log:<br><br>Date: 1/26/2016 -- 11:30:17 (uptime: 0d, 02h 23m 02s)<span class=""><br>-------------------------------------------------------------------<br>Counter                   | TM Name                   | Value<br>-------------------------------------------------------------------<br></span>capture.kernel_packets    | Total                     | 682560755<br>capture.kernel_drops      | Total                     | 58551<br>decoder.pkts              | Total                     | 682631014<br>decoder.bytes             | Total                     | 560340398074<br>decoder.invalid           | Total                     | 16<br>decoder.ipv4              | Total                     | 682297726<br>decoder.ipv6              | Total                     | 2707083<br>decoder.ethernet          | Total                     | 682631014<br>decoder.raw               | Total                     | 0<br>decoder.null              | Total                     | 0<br>decoder.sll               | Total                     | 0<br>decoder.tcp               | Total                     | 615528819<br>decoder.udp               | Total                     | 66707900<br>decoder.sctp              | Total                     | 0<br>decoder.icmpv4            | Total                     | 340969<br>decoder.icmpv6            | Total                     | 40166<br>decoder.ppp               | Total                     | 1847<br>decoder.pppoe             | Total                     | 0<br>decoder.gre               | Total                     | 1847<br>decoder.vlan              | Total                     | 0<br>decoder.vlan_qinq         | Total                     | 0<br>decoder.teredo            | Total                     | 1402773<br>decoder.ipv4_in_ipv6      | Total                     | 0<br>decoder.ipv6_in_ipv6      | Total                     | 0<br>decoder.mpls              | Total                     | 0<br>decoder.avg_pkt_size      | Total                  
   | 820<br>decoder.max_pkt_size      | Total                     | 1514<br>decoder.erspan            | Total                     | 0<br>flow.memcap               | Total                     | 0<br>defrag.ipv4.fragments     | Total                     | 11194<br>defrag.ipv4.reassembled   | Total                     | 5420<br>defrag.ipv4.timeouts      | Total                     | 0<br>defrag.ipv6.fragments     | Total                     | 663<br>defrag.ipv6.reassembled   | Total                     | 314<br>defrag.ipv6.timeouts      | Total                     | 0<br>defrag.max_frag_hits      | Total                     | 0<br>tcp.sessions              | Total                     | 3176947<br>tcp.ssn_memcap_drop       | Total                     | 0<br>tcp.pseudo                | Total                     | 880612<br>tcp.pseudo_failed         | Total                     | 0<br>tcp.invalid_checksum      | Total                     | 3089<br>tcp.no_flow               | Total                     | 0<br>tcp.syn                   | Total                     | 3678418<br>tcp.synack                | Total                     | 3391449<br>tcp.rst                   | Total                     | 2451453<br>tcp.segment_memcap_drop   | Total                     | 0<br>tcp.stream_depth_reached  | Total                     | 22919<br>tcp.reassembly_gap        | Total                     | 316061<br>detect.alert              | Total                     | 33<br>flow_mgr.closed_pruned    | Total                     | 2579970<br>flow_mgr.new_pruned       | Total                     | 912247<br>flow_mgr.est_pruned       | Total                     | 2167370<br>flow.spare                | Total                     | 50481<br>flow.emerg_mode_entered   | Total                     | 0<br>flow.emerg_mode_over      | Total                     | 0<br>flow.tcp_reuse            | Total                     | 98282<br>tcp.memuse                | Total                     | 
33052864<br>tcp.reassembly_memuse     | Total                     | 2067435230<br>dns.memuse                | Total                     | 16785488<br>dns.memcap_state          | Total                     | 0<br>dns.memcap_global         | Total                     | 2703798<br>http.memuse               | Total                     | 251321971<br>http.memcap               | Total                     | 0<br>flow.memuse               | Total                     | 93978880<br><br></div>Cheers,<br><br></div>Luke<br></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On 26 January 2016 at 11:28, Victor Julien <span dir="ltr"><<a href="mailto:lists@inliniac.net" target="_blank">lists@inliniac.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On 26-01-16 11:32, Luke Whitworth wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>
Still sadly seeing some gaps in detection on Suricata that I'm not<br>
seeing in Snort on this host.  Both Snort and Suricata are pulling from<br>
pfring, running side by side on the same server.  If I check detections<br>
side by side:<br>
<br>
Snort<br>
GB 138.250.4.235    CN 140.207.217.32    ET TROJAN Possible<br>
Win32/Hupigon ip.txt with a Non-Mozilla UA        9:15 AM<br>
GB 138.250.128.17    GB 138.250.13.32    ET TROJAN Downloader User-Agent<br>
HTTPGET                    9:35 AM<br>
GB 138.250.5.215    DE 46.33.68.72        ET CURRENT_EVENTS Fake Virus<br>
Phone Scam Landing Nov 16            9:41 AM<br>
GB 138.250.72.201    -- 104.66.229.96    ET CURRENT_EVENTS Terse<br>
alphanumeric executable downloader hig...    9:49 AM<br>
<br>
Suricata<br>
01/26/2016-09:15:14.166186  [**] [1:2016950:2] ET TROJAN Possible<br>
Win32/Hupigon ip.txt with a Non-Mozilla UA [**] [Classification: A<br>
Network Trojan was detected] [Priority: 1] {TCP} <a href="http://138.250.4.235:63342" rel="noreferrer" target="_blank">138.250.4.235:63342</a><br></span>
-> <a href="http://115.159.15.29:80" rel="noreferrer" target="_blank">115.159.15.29:80</a><span><br>
01/26/2016-09:41:37.799048  [**] [1:2022103:2] ET CURRENT_EVENTS Fake<br>
Virus Phone Scam Landing Nov 16 [**] [Classification: A Network Trojan<br>
was detected] [Priority: 1] {TCP} <a href="http://138.250.5.215:58869" rel="noreferrer" target="_blank">138.250.5.215:58869</a><br></span>
-> <a href="http://46.33.68.72:80" rel="noreferrer" target="_blank">46.33.68.72:80</a><span><br>
01/26/2016-09:49:24.287326  [**] [1:2019714:3] ET CURRENT_EVENTS Terse<br>
alphanumeric executable downloader high likelihood of being hostile [**]<br>
[Classification: Potentially Bad Traffic] [Priority: 2] {TCP}<br>
</span><a href="http://138.250.72.201:65131" rel="noreferrer" target="_blank">138.250.72.201:65131</a> -> <a href="http://104.66.229.96:80" rel="noreferrer" target="_blank">104.66.229.96:80</a><span><br>
<br>
So for some reason Snort managed to detect the event at 9:35 AM that<br>
Suricata didn't.  I'm having a bit of trouble getting to the bottom of<br>
why this might be the case.  Does anyone have any suggestions for me<br>
where to start?<br>
</span></blockquote>
<br>
<br>
Pcap would be useful of course :)<br>
<br>
Also, can you share a full section of your stats.log?<span><font color="#888888"><br>
<br>
-- <br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" rel="noreferrer" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" rel="noreferrer" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------</font></span><div><div><br>
<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Suricata User Conference November 9-11 in Washington, DC: <a href="http://oisfevents.net" rel="noreferrer" target="_blank">http://oisfevents.net</a></div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
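An added example, not part of this thread and not Snort or Suricata code: a small Python model of how the two variants of sid 2018576 quoted above would evaluate an HTTP response. It assumes that Snort's <code>file_data</code> buffer is the dechunked and decompressed response body, and that the Suricata rev:3 <code>content</code> (which names no HTTP buffer) is matched against the raw response bytes; the sample responses, the helper names (<code>file_data</code>, <code>snort_rev1_match</code>, <code>suricata_rev3_match</code>) and the simplified rule semantics are all constructed for this illustration. It shows that the two rules agree on a plain response but diverge once the body is chunked or gzip-encoded, which is one thing worth checking in the PCAP rather than an established cause of the miss.

```python
"""Model of the Snort rev:1 and Suricata rev:3 forms of ET sid 2018576.

Illustrative code written for this page, not engine logic. Assumptions:
  * Snort file_data == response body after dechunking and gzip decompression
  * the Suricata rule's content (no http_* modifier) sees the raw response
"""
import gzip
import re

PK_SIG = b"PK\x03\x04"
RAW_NEEDLE = b"\r\n\r\n" + PK_SIG  # |0d 0a 0d 0a|PK|03 04| from the Suricata rule


def split_response(raw: bytes):
    """Split a response into (header block, body) at the first blank line."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    return head, body


def header_value(head: bytes, name: bytes):
    m = re.search(rb"(?im)^" + re.escape(name) + rb":[ \t]*([^\r\n]*)", head)
    return m.group(1).strip().lower() if m else None


def dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body (trailers ignored)."""
    out = bytearray()
    pos = 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size = int(body[pos:line_end].split(b";")[0], 16)
        pos = line_end + 2
        if size == 0:
            break
        out += body[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF
    return bytes(out)


def file_data(raw: bytes) -> bytes:
    """Approximation of Snort's file_data buffer (assumed, see docstring)."""
    head, body = split_response(raw)
    if header_value(head, b"Transfer-Encoding") == b"chunked":
        body = dechunk(body)
    if header_value(head, b"Content-Encoding") == b"gzip":
        body = gzip.decompress(body)
    return body


def byte_test_gt(buf: bytes, idx: int, value: int) -> bool:
    """byte_test:1,>,value read at absolute index idx; False when out of range."""
    return idx < len(buf) and buf[idx] > value


def snort_rev1_match(raw: bytes) -> bool:
    """file_data; content:"PK|03 04|"; within:4; byte_test:1,>,20,1,relative"""
    buf = file_data(raw)
    if buf[:4] != PK_SIG:  # within:4 modelled as "signature at buffer start"
        return False
    return byte_test_gt(buf, 4 + 1, 20)  # 1 byte past the 4-byte match


def suricata_rev3_match(raw: bytes) -> bool:
    """content:"|0d 0a 0d 0a|PK|03 04|"; byte_test:1,>,20,1,relative (raw bytes)"""
    idx = raw.find(RAW_NEEDLE)
    if idx < 0:
        return False
    return byte_test_gt(raw, idx + len(RAW_NEEDLE) + 1, 20)


# Constructed 12-byte local-file-header stubs; not taken from the thread's PCAP.
FAKE_ZIP = PK_SIG + bytes([0x14, 0x45]) + b"\x00" * 6  # byte 5 = 0x45 > 20
REAL_ZIP = PK_SIG + bytes([0x14, 0x00]) + b"\x00" * 6  # version needed 0x0014


def http(headers: bytes, body: bytes) -> bytes:
    return b"HTTP/1.1 200 OK\r\n" + headers + b"\r\n" + body


SAMPLES = {
    "plain fake": http(b"Content-Length: 12\r\n", FAKE_ZIP),
    "plain real": http(b"Content-Length: 12\r\n", REAL_ZIP),
    "chunked fake": http(b"Transfer-Encoding: chunked\r\n",
                         b"c\r\n" + FAKE_ZIP + b"\r\n0\r\n\r\n"),
    "gzip fake": http(b"Content-Encoding: gzip\r\n", gzip.compress(FAKE_ZIP, mtime=0)),
}


def evaluate(samples=SAMPLES):
    """Return {name: (snort_rev1_hit, suricata_rev3_hit)} for each sample."""
    return {n: (snort_rev1_match(r), suricata_rev3_match(r)) for n, r in samples.items()}


if __name__ == "__main__":
    for name, (sn, su) in evaluate().items():
        print(f"{name:13s} snort={sn!s:5s} suricata={su}")
```

The byte_test in both rules reads the byte one past the PK|03 04| signature, i.e. offset 5 of the local file header, which in a genuine zip is the high byte of the two-byte "version needed to extract" field and is normally zero; anything above 20 there is what the rule treats as a fake header. Whether the response in the shared PCAP was chunked or compressed, and which engine reassembled it, is what would decide the case in practice.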
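Also added here, and not from the thread: a short Python parser for the stats.log layout posted above, with the ratios a practitioner would look at first when a match in an HTTP response is missed (capture drops, reassembly gaps, stream depth, memcaps). The counter values are copied from the post into a constructed excerpt; the thresholds, the choice of counters and the per-session ratios are assumptions for illustration, not Suricata guidance.

```python
"""Triage a Suricata stats.log dump for counters that can explain missed alerts.

Illustrative code for this page; thresholds below are assumed, not official.
"""
import re

# Constructed excerpt in the stats.log layout from the thread; values copied from the post.
STATS_LOG = """\
Date: 1/26/2016 -- 11:30:17 (uptime: 0d, 02h 23m 02s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | Total                     | 682560755
capture.kernel_drops      | Total                     | 58551
tcp.sessions              | Total                     | 3176947
tcp.ssn_memcap_drop       | Total                     | 0
tcp.segment_memcap_drop   | Total                     | 0
tcp.stream_depth_reached  | Total                     | 22919
tcp.reassembly_gap        | Total                     | 316061
flow.emerg_mode_entered   | Total                     | 0
http.memcap               | Total                     | 0
detect.alert              | Total                     | 33
"""

COUNTER_LINE = re.compile(r"^\s*([\w.]+)\s*\|\s*([^|]+?)\s*\|\s*(\d+)\s*$")


def parse_stats(text: str) -> dict:
    """Return {counter: value} for the last 'Date:' block in a stats.log dump."""
    counters = {}
    for line in text.splitlines():
        if line.startswith("Date:"):
            counters = {}  # each dump restarts the table
            continue
        m = COUNTER_LINE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(3))
    return counters


def pct(num: int, den: int) -> float:
    return 100.0 * num / den if den else 0.0


# Assumed triage thresholds (percent); tune per sensor.
DROP_PCT_WARN = 0.1
GAP_PCT_WARN = 5.0
DEPTH_PCT_WARN = 0.5

MEMCAP_COUNTERS = ("tcp.ssn_memcap_drop", "tcp.segment_memcap_drop",
                   "http.memcap", "flow.emerg_mode_entered")


def assess(counters: dict) -> dict:
    """Ratios and warnings for things that break a match inside a TCP stream."""
    pkts = counters.get("capture.kernel_packets", 0)
    sessions = counters.get("tcp.sessions", 0)
    r = {
        "kernel_drop_pct": pct(counters.get("capture.kernel_drops", 0), pkts),
        # gaps and depth hits are event counts; per-session is a rough normalisation
        "reassembly_gap_pct": pct(counters.get("tcp.reassembly_gap", 0), sessions),
        "stream_depth_pct": pct(counters.get("tcp.stream_depth_reached", 0), sessions),
        "memcap_hit": any(counters.get(k, 0) > 0 for k in MEMCAP_COUNTERS),
    }
    r["warnings"] = [
        name for name, val, limit in (
            ("kernel_drops", r["kernel_drop_pct"], DROP_PCT_WARN),
            ("reassembly_gaps", r["reassembly_gap_pct"], GAP_PCT_WARN),
            ("stream_depth_reached", r["stream_depth_pct"], DEPTH_PCT_WARN),
        ) if val > limit
    ]
    if r["memcap_hit"]:
        r["warnings"].append("memcap")
    return r


if __name__ == "__main__":
    for key, val in assess(parse_stats(STATS_LOG)).items():
        print(f"{key}: {val}")
```

On the posted numbers the kernel drop rate is well under a hundredth of a percent, no memcap counter is non-zero, but reassembly gaps run at roughly ten per hundred sessions; a gap that lands on the segment carrying the end of the headers and the start of the body would remove exactly the bytes the |0d 0a 0d 0a|PK|03 04| content needs.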