<div dir="ltr"><div>Hello,</div><div><br></div>
<div>We recently experienced a DoS attack leaving our network that erroneously triggered the 2020381 signature for a number of spoofed IPs, 238 in total. In review it seems the signature should not have fired, which suggests a possible bug in the flow tracking engine caused by config limits or design.</div><div><br></div>
<div>The DoS attack was a TCP SYN flood attack with packet size varying between 1010 and 1042 and either the SYN flag, SYN+ECE, or SYN+CWR flags set. There was no three-way handshake with the target at any time. Source ports were randomized.</div><div><br></div>
<div>Signature, notice the "established" keyword:</div>
<pre>alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DDoS.XOR Checkin"; flow:to_server,established; content:"BB2FA36AAA9541F0"; depth:500; reference:url,<a href="http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html">blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html</a>; classtype:trojan-activity; sid:2020381; rev:3;)</pre>
<div><br></div>
<div>Here are the netflows for a specific TCP flow (randomized IPs). The flows are #13 and #43 of 287 sent to the target.</div><div><br></div>
<div>TCP 212.212.141.142:14717 -> 10.229.52.48:8300</div>
<pre>            sIP|            dIP|sPort|dPort|pro|   packets|     bytes|   flags|                  sTime|
212.212.141.142|   10.229.52.48|14717| 8300|  6|         1|      1034| S    E |2016/09/08T09:09:19.994|
212.212.141.142|   10.229.52.48|14717| 8300|  6|         1|      1034| S    E |2016/09/08T09:09:45.993|</pre>
<div><br></div>
<div>Here is the Suricata event which fired on flow #43:</div>
<pre>"rulesid": "2020381",
"rulerev": "3",
"classification": "A Network Trojan was Detected",
"suri_priority": "1",
"proto": "TCP",
"orig_h": "212.212.141.142",
"orig_p": "14717",
"resp_h": "10.229.52.48",
"resp_p": "8300",
"event_timestamp": "2016-09-08T09:09:45.991Z",
"rule": "1:2020381:3 -- ET TROJAN DDoS.XOR Checkin ",</pre>
<div><br></div>
<div>Unfortunately file logging was not enabled so there's no suricata.log file to check for emergency mode conditions. These sensors have plenty of memory available so I think it's caused by config limits and/or something with the flow engine.</div><div><br></div>
<div>Maybe someone with better knowledge can provide ideas as to why a non-established flow triggered a signature with the established keyword.</div><div><br></div>
<div>Regards,</div><div><br></div>
<div>Hovsep</div><div><br></div>
<div>suricata.yaml</div>
<pre>flow:
  memcap: 24gb
  hash-size: 262144
  prealloc: 200000
  emergency-recovery: 30

flow-timeouts:

  default:
    new: 30
    established: 120
    closed: 0
    emergency-new: 10
    emergency-established: 60
    emergency-closed: 0
  tcp:
    new: 60
    established: 120
    closed: 120
    emergency-new: 10
    emergency-established: 60
    emergency-closed: 20
  udp:
    new: 30
    established: 120
    emergency-new: 10
    emergency-established: 60
  icmp:
    new: 30
    established: 120
    emergency-new: 10
    emergency-established: 60

stream:
  memcap: 32gb
  checksum-validation: yes      # reject wrong csums
  inline: no                  # auto will use inline mode in IPS mode, yes or no set it statically
  reassembly:
    memcap: 16gb
    depth: 6mb                  # reassemble 6mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560</pre>
</div>
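<div>One cross-check a reader of this thread may want, as an added example that is not part of the original post: a script that parses the pipe-delimited rwcut-style flow records in the layout shown above, matches each Suricata alert to its flow records by 4-tuple, and lists alerts from "established" rules whose records never carried an ACK, i.e. traffic with no visible three-way handshake. The sample data is constructed: the two SYN-only records from the post plus one invented handshake flow and alert for contrast; the list of "established" SIDs is an assumption supplied by the caller.</div>

```python
"""Cross-check alerts from 'flow:established' rules against flow records.

Added example, not code from the original post. It parses the pipe-delimited
rwcut-style flow layout shown in the post and reports alerts from
'established' rules whose flow records never carried an ACK.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed rwcut-style output. SiLK flag letters are F S R P A U E C
# (FIN SYN RST PSH ACK URG ECE CWR), so " S    E " is SYN+ECE.
# The first two records are the ones from the post; the third is invented.
FLOW_RECORDS = """\
            sIP|            dIP|sPort|dPort|pro|   packets|     bytes|   flags|                  sTime|
212.212.141.142|   10.229.52.48|14717| 8300|  6|         1|      1034| S    E |2016/09/08T09:09:19.994|
212.212.141.142|   10.229.52.48|14717| 8300|  6|         1|      1034| S    E |2016/09/08T09:09:45.993|
       10.0.0.5|   10.229.52.48|40001| 8300|  6|         6|      2120| S PA   |2016/09/08T09:10:02.100|
"""

# Constructed alerts in the field layout shown in the post (the second is invented).
ALERTS: List[Dict[str, str]] = [
    {"rulesid": "2020381", "rulerev": "3", "proto": "TCP",
     "orig_h": "212.212.141.142", "orig_p": "14717",
     "resp_h": "10.229.52.48", "resp_p": "8300",
     "event_timestamp": "2016-09-08T09:09:45.991Z"},
    {"rulesid": "2020381", "rulerev": "3", "proto": "TCP",
     "orig_h": "10.0.0.5", "orig_p": "40001",
     "resp_h": "10.229.52.48", "resp_p": "8300",
     "event_timestamp": "2016-09-08T09:10:02.500Z"},
]


@dataclass
class Flow:
    sip: str
    dip: str
    sport: int
    dport: int
    proto: int
    packets: int
    flags: str  # flag letters present, e.g. "SE" or "SPA"


def parse_rwcut(text: str) -> List[Flow]:
    """Parse pipe-delimited records, taking column positions from the header row."""
    lines = text.strip().splitlines()
    idx = {name.strip(): i for i, name in enumerate(lines[0].split("|"))}
    flows = []
    for line in lines[1:]:
        cols = line.split("|")
        flows.append(Flow(
            sip=cols[idx["sIP"]].strip(),
            dip=cols[idx["dIP"]].strip(),
            sport=int(cols[idx["sPort"]]),
            dport=int(cols[idx["dPort"]]),
            proto=int(cols[idx["pro"]]),
            packets=int(cols[idx["packets"]]),
            # keep only the flag letters, dropping the positional padding
            flags="".join(ch for ch in cols[idx["flags"]] if ch.isalpha()),
        ))
    return flows


def flows_for_alert(alert: Dict[str, str], flows: Iterable[Flow]) -> List[Flow]:
    """Match an alert's TCP 4-tuple against flow records in either direction."""
    key = (alert["orig_h"], int(alert["orig_p"]), alert["resp_h"], int(alert["resp_p"]))
    matched = []
    for f in flows:
        fwd = (f.sip, f.sport, f.dip, f.dport)
        rev = (f.dip, f.dport, f.sip, f.sport)
        if f.proto == 6 and key in (fwd, rev):
            matched.append(f)
    return matched


def handshake_seen(flows: Iterable[Flow]) -> bool:
    """True if any record for the tuple carries ACK; a SYN-only flood never does."""
    return any("A" in f.flags for f in flows)


def suspicious_established_alerts(alerts, flows, established_sids):
    """Alerts from 'established' rules whose matching flow records show no ACK at all."""
    hits = []
    for a in alerts:
        if a["rulesid"] not in established_sids:
            continue
        matched = flows_for_alert(a, flows)
        if matched and not handshake_seen(matched):
            hits.append({
                "sid": a["rulesid"],
                "tuple": f'{a["orig_h"]}:{a["orig_p"]} -> {a["resp_h"]}:{a["resp_p"]}',
                "records": len(matched),
                "flags_seen": sorted({f.flags for f in matched}),
            })
    return hits


if __name__ == "__main__":
    # SIDs whose rules carry flow:established; 2020381 is the one from the post.
    for hit in suspicious_established_alerts(ALERTS, parse_rwcut(FLOW_RECORDS), {"2020381"}):
        print(hit)
```

<div>The script only shows which alerts contradict the collected flow records; it does not reproduce Suricata's stream engine, which is what actually decides whether a session counts as established, and stream settings such as <code>stream.midstream</code> govern whether sessions picked up without a handshake are tracked at all. If the collector only exports one direction, as the records above suggest, the absence of ACK in the client-side records is the strongest evidence available that no handshake completed.</div>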