<div dir="ltr">Based on the lack of posting to the mailing list I assume this is a decent bug. I thought so too.<br></div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Sep 9, 2016 at 9:20 PM, Hovsep Levi <span dir="ltr">&lt;<a href="mailto:hovsep.sanjay.levi@gmail.com" target="_blank">hovsep.sanjay.levi@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<p>Hello,</p>
<p>We recently experienced a DoS attack leaving our network that erroneously triggered the 2020381 signature for a number of spoofed IPs, 238 in total. In review it seems the signature should not have fired and suggests a possible bug in the flow tracking engine by config limits or design.</p>
<p>The DoS attack was a TCP SYN flood attack with packet size varying between 1010 and 1042 and either the SYN flag, SYN+ECE, or SYN+CWR flags set. There was no three-way handshake with the target at any time. Source ports were randomized.</p>
<p>Signature, notice the "established" keyword:</p>
<pre>alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DDoS.XOR Checkin"; flow:to_server,established; content:"BB2FA36AAA9541F0"; depth:500; reference:url,<a href="http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html" target="_blank">blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html</a>; classtype:trojan-activity; sid:2020381; rev:3;)</pre>
<p>Here are the netflows for a specific TCP flow (randomized IPs). The flows are #13 and #43 of 287 sent to the target.</p>
<p>TCP 212.212.141.142:14717 -> 10.229.52.48:8300</p>
<pre>            sIP|            dIP|sPort|dPort|pro|   packets|     bytes|   flags|                  sTime|
212.212.141.142|   10.229.52.48|14717| 8300|  6|         1|      1034| S    E |2016/09/08T09:09:19.994|
212.212.141.142|   10.229.52.48|14717| 8300|  6|         1|      1034| S    E |2016/09/08T09:09:45.993|</pre>
<p>Here is the Suricata event which fired on flow #43:</p>
<pre>"rulesid": "2020381",
"rulerev": "3",
"classification": "A Network Trojan was Detected",
"suri_priority": "1",
"proto": "TCP",
"orig_h": "212.212.141.142",
"orig_p": "14717",
"resp_h": "10.229.52.48",
"resp_p": "8300",
"event_timestamp": "2016-09-08T09:09:45.991Z",
"rule": "1:2020381:3 -- ET TROJAN DDoS.XOR Checkin ",</pre>
<p>Unfortunately file logging was not enabled so there's no suricata.log file to check for emergency mode conditions. These sensors have plenty of memory available so I think it's caused by config limits and/or something with the flow engine.</p>
<p>Maybe someone with better knowledge can provide ideas as to why a non-established flow triggered a signature with the established keyword.</p>
<p>Regards,</p>
<p>Hovsep</p>
<p>suricata.yaml</p>
<pre>flow:
  memcap: 24gb
  hash-size: 262144
  prealloc: 200000
  emergency-recovery: 30

flow-timeouts:

  default:
    new: 30
    established: 120
    closed: 0
    emergency-new: 10
    emergency-established: 60
    emergency-closed: 0
  tcp:
    new: 60
    established: 120
    closed: 120
    emergency-new: 10
    emergency-established: 60
    emergency-closed: 20
  udp:
    new: 30
    established: 120
    emergency-new: 10
    emergency-established: 60
  icmp:
    new: 30
    established: 120
    emergency-new: 10
    emergency-established: 60

stream:
  memcap: 32gb
  checksum-validation: yes      # reject wrong csums
  inline: no                  # auto will use inline mode in IPS mode, yes or no set it statically
  reassembly:
    memcap: 16gb
    depth: 6mb                  # reassemble 6mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560</pre>
</div>
</blockquote></div><br></div>
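<p>The thread above asks how a rule carrying <code>flow:to_server,established</code> could fire on a flow whose records show nothing but SYN packets. A useful triage step, independent of what the sensor's flow engine did internally, is to cross-check each alert from an "established" rule against the flow records for the same 5-tuple and flag the ones where no handshake is visible. The script below is an added example written for this thread; it is neither Suricata's code nor the poster's tooling. It assumes flow records in the pipe-delimited layout quoted in the post (one-letter flag markers such as S, A, E), rule text in Suricata syntax, and alerts as dicts carrying the <code>orig_h</code>/<code>orig_p</code>/<code>resp_h</code>/<code>resp_p</code>/<code>rulesid</code> keys seen in the quoted event. The sample records, the second (handshaking) flow and the second alert are constructed for illustration.</p>

```python
"""Cross-check alerts from `flow:...,established` rules against flow records.

Added example for this thread, not Suricata code or the poster's tooling.
Assumptions: pipe-delimited flow records with a header row and one-letter
flag markers; alerts are dicts with orig_h/orig_p/resp_h/resp_p/rulesid.
"""
import re
from collections import defaultdict

# Constructed sample records modelled on the post's layout (not the original
# data): two SYN+ECE records from one spoofed source, plus a constructed
# genuine handshake between 10.10.10.10 and the same server for contrast.
FLOW_RECORDS = """\
            sIP|            dIP|sPort|dPort|pro|   packets|     bytes|   flags|                  sTime|
212.212.141.142|   10.229.52.48|14717| 8300|  6|         1|      1034| S    E |2016/09/08T09:09:19.994|
212.212.141.142|   10.229.52.48|14717| 8300|  6|         1|      1034| S    E |2016/09/08T09:09:45.993|
    10.10.10.10|   10.229.52.48|40000| 8300|  6|         3|       180| S A    |2016/09/08T09:10:00.000|
   10.229.52.48|    10.10.10.10| 8300|40000|  6|         2|       120| S A    |2016/09/08T09:10:00.010|
"""

# The rule quoted in the post (reference option omitted for brevity).
RULE_2020381 = ('alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DDoS.XOR Checkin"; '
                'flow:to_server,established; content:"BB2FA36AAA9541F0"; depth:500; '
                'classtype:trojan-activity; sid:2020381; rev:3;)')

# Constructed alerts: the first mirrors the quoted event, the second is a
# hypothetical hit on the handshaking flow.
SAMPLE_ALERTS = [
    {"rulesid": "2020381", "orig_h": "212.212.141.142", "orig_p": "14717",
     "resp_h": "10.229.52.48", "resp_p": "8300",
     "event_timestamp": "2016-09-08T09:09:45.991Z"},
    {"rulesid": "2020381", "orig_h": "10.10.10.10", "orig_p": "40000",
     "resp_h": "10.229.52.48", "resp_p": "8300",
     "event_timestamp": "2016-09-08T09:10:00.500Z"},
]


def parse_flow_records(text):
    """Parse pipe-delimited records; the header row names the columns.
    The flags column becomes a set of single-letter markers, e.g. {'S', 'E'}."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = [c.strip() for c in lines[0].split("|")]
    flags_idx = header.index("flags")
    rows = []
    for line in lines[1:]:
        cols = line.split("|")
        row = {h: c.strip() for h, c in zip(header, cols) if h}
        row["flags"] = set(cols[flags_idx].replace(" ", ""))
        rows.append(row)
    return rows


def canonical_key(ip_a, port_a, ip_b, port_b):
    """Direction-independent key so both halves of a flow group together."""
    a, b = (ip_a, port_a), (ip_b, port_b)
    return (a, b) if a <= b else (b, a)


def classify_flow(records):
    """Approximate TCP state from aggregated flag sets.
    'syn_only': one direction, every record has SYN and no ACK (no handshake).
    'established': both directions seen and each side carries SYN and ACK
    (SYN, SYN/ACK and ACK all observed). Anything else is 'other'."""
    flags_by_dir = defaultdict(set)
    for r in records:
        flags_by_dir[(r["sIP"], r["dIP"])] |= r["flags"]
    if len(flags_by_dir) == 1 and all("S" in r["flags"] and "A" not in r["flags"]
                                      for r in records):
        return "syn_only"
    if len(flags_by_dir) == 2 and all({"S", "A"} <= f for f in flags_by_dir.values()):
        return "established"
    return "other"


def rule_requires_established(rule_text):
    """True when the rule's flow option lists the 'established' keyword."""
    m = re.search(r"flow:([^;]*);", rule_text)
    return bool(m) and "established" in [t.strip() for t in m.group(1).split(",")]


def triage(flow_text, alerts, rules_by_sid):
    """Return (sid, flow_key, state) for alerts from 'established' rules whose
    flow records do not show a completed handshake."""
    by_key = defaultdict(list)
    for r in parse_flow_records(flow_text):
        by_key[canonical_key(r["sIP"], r["sPort"], r["dIP"], r["dPort"])].append(r)
    findings = []
    for a in alerts:
        rule = rules_by_sid.get(a["rulesid"])
        if rule is None or not rule_requires_established(rule):
            continue
        key = canonical_key(a["orig_h"], a["orig_p"], a["resp_h"], a["resp_p"])
        state = classify_flow(by_key[key]) if key in by_key else "no_records"
        if state != "established":
            findings.append((a["rulesid"], key, state))
    return findings


if __name__ == "__main__":
    for sid, key, state in triage(FLOW_RECORDS, SAMPLE_ALERTS, {"2020381": RULE_2020381}):
        print(f"sid {sid} fired on {key[0]} <-> {key[1]} but flow state is {state}")
```

<p>Run as-is it reports the spoofed 212.212.141.142:14717 flow as <code>syn_only</code> and stays quiet about the handshaking one. A mismatch is a lead to investigate, not proof of an engine bug: an IDS flow engine may reach its own "established" state under looser conditions than a visible three-way handshake (for instance when configured to pick up flows mid-stream), so the next step is to compare the sensor's flow and stream settings with what the flow records show.</p>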