<div dir="ltr">Based on the lack of posting to the mailing list I assume this is a decent bug. I thought so too. <br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Sep 9, 2016 at 9:20 PM, Hovsep Levi <span dir="ltr"><<a href="mailto:hovsep.sanjay.levi@gmail.com" target="_blank">hovsep.sanjay.levi@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hello,</div><div><br></div><div><br></div><div>We recently experienced a DoS attack leaving our network that erroneously triggered the 2020381 signature for a number of spoofed IPs, 238 in total. In review it seems the signature should not have fired and suggests a possible bug in the flow tracking engine by config limits or design.</div><div><br></div><div><br></div><div>The DoS attack was a TCP SYN flood attack with packet size varying between 1010 and 1042 and either the SYN flag, SYN+ECE. or SYN+CWR flags set. There was no three-way handshake with the target at any time. Source ports were randomized.</div><div><br></div><div><br></div><div>Signature, notice the "established" keyword: </div><div><br></div><div>alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DDoS.XOR Checkin"; flow:to_server,established; content:"BB2FA36AAA9541F0"; depth:500; reference:url,<a href="http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html" target="_blank">blog.<wbr>malwaremustdie.org/2014/09/<wbr>mmd-0028-2014-fuzzy-reversing-<wbr>new-china.html</a>; classtype:trojan-activity; sid:2020381; rev:3;)</div><div><span><span><br></span></span></div><div><span><span><br></span></span></div><div><span><span><br></span></span></div><div><span><span>Here are the netflows for a specific TCP flow (randomized IPs). </span></span><span><span>The flows are #13 and #43 of 287 sent to the target. <span><span><span><br></span></span></span></span></span></div><div><span><span><br></span></span></div><div><span><span>TCP <a href="http://212.212.141.142:14717" target="_blank">212.212.141.142:14717</a> -> <a href="http://10.229.52.48:8300" target="_blank">10.229.52.48:8300</a><br></span></span></div><div><span><span><br></span></span></div><div><span><span> sIP| dIP|sPort|dPort|pro| packets| bytes| flags| sTime|<br>212.212.141.142| 10.229.52.48|14717| 8300| 6| 1| 1034| S E |2016/09/08T09:09:19.994|<br>212.212.141.142| 10.229.52.48|14717| 8300| 6| 1| 1034| S E |2016/09/08T09:09:45.993|<span><span><br></span></span></span></span></div><div><span><span><br></span></span></div><div><span><span><br></span></span></div><div><span><span><br></span></span></div><div><span><span>Here is the Suricata event which fired on flow #43:<br></span></span></div><div><span><span><br></span></span></div><div><span><span> "rulesid": "2020381",<br> "rulerev": "3",<br> "classification": "A Network Trojan was Detected",<br> "suri_priority": "1",<br> "proto": "TCP",<br> "orig_h": "</span></span><span><span>212.212.141.142<span><span>",<br> "orig_p": "14717",<br> "resp_h": "</span></span></span></span><span><span>10.229.52.48<span><span><span><span>",<br>"resp_p": "8300",<br> "event_timestamp": "2016-09-08T09:09:45.991Z",<span><span><br></span></span></span></span></span></span></span></span></div><div><span><span>"rule": "1:2020381:3 -- ET TROJAN DDoS.XOR Checkin ",</span></span></div><div><span><span><br></span></span></div><div><span><span><br></span></span></div><div><span><span>Unfortunately file logging was not enabled so there's no suricata.log file to check for emergency mode conditions. These sensors have plenty of memory available so I think it's caused by config limits and/or something with the flow engine.</span></span></div><div><span><span><span><span><br></span></span></span></span></div><div><span><span>Maybe someone with better knowledge can provide ideas as to why a non-established flow triggered a signature with the established keyword.</span></span></div><div><span><span><br></span></span></div><div><span><span><br></span></span></div><div><span><span><br></span></span></div><div><span><span>Regards,<br></span></span></div><div><span><span><br></span></span></div><div><span><span>Hovsep<br></span></span></div><div><span><span><br></span></span></div><div><span><span><br></span></span></div><div><span><span><br></span></span></div><div><span><span><br></span></span></div><div><span><span>suricata.yaml<br></span></span></div><div><span><span><br></span></span></div><div><span><span><br></span></span></div><div><span><span>flow:<br> memcap: 24gb<br> hash-size: 262144<br> prealloc: 200000<br> emergency-recovery: 30</span></span></div><div><span><span><br></span></span></div><div><span><span><br></span></span></div><div><span><span>flow-timeouts:<br><br> default:<br> new: 30<br> established: 120<br> closed: 0<br> emergency-new: 10<br> emergency-established: 60<br> emergency-closed: 0<br> tcp:<br> new: 60<br> established: 120<br> closed: 120<br> emergency-new: 10<br> emergency-established: 60<br> emergency-closed: 20<br> udp:<br> new: 30<br> established: 120<br> emergency-new: 10<br> emergency-established: 60<br> icmp:<br> new: 30<br> established: 120<br> emergency-new: 10<br> emergency-established: 60<span><span><br></span></span><span><span><span><span><br></span></span></span></span></span></span></div><div><span><span><span><span><span><span><br></span></span></span></span></span></span></div><div><span><span><span><span><span><span>stream:<br> memcap: 32gb<br> checksum-validation: yes # reject wrong csums<br> inline: no # auto will use inline mode in IPS mode, yes or no set it statically<br> reassembly:<br> memcap: 16gb<br> depth: 6mb # reassemble 6mb into a stream<br> toserver-chunk-size: 2560<br> toclient-chunk-size: 2560<br><span><span><br></span></span></span></span></span></span></span></span></div><div><span><span><span><span><span><span><span><span><br></span></span></span></span></span></span></span></span></div><div><span><span><span><span><span><span><span><span><br></span></span></span></span></span></span></span></span></div><div><span><span><span><span><span><span><span><span><br></span></span></span></span></span></span></span></span></div></div>
</blockquote></div><br></div>