[Oisf-devel] PF_RING missing alerts that PF_RING-enabled libpcap matches

Chris Wakelin c.d.wakelin at reading.ac.uk
Wed Jul 27 19:06:48 UTC 2011


Apologies for the long post, but here goes!

I've updated to the latest stable PF_RING 4.7.1, and Suricata git-master
(plus my patch for extra fields in http.log), though I saw this problem
with PF_RING 4.6.5 as well.

I have some pcaps of obfuscated Javascript badness from various drive-by
download sites which should match ET "Obfuscated Javascript" rules with
some of them also matching "Driveby Download Secondary Request" (usually
".php?tp=<hex-string>"). I've been sending them down a wire with
tcpreplay and found (RDG are my versions of the rules)

1) with "suricata -i eth2"

fast.log:

> 07/27/2011-19:05:53.912683  [**] [1:2012401:9] ET CURRENT_EVENTS Driveby Download Secondary Request [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 134.225.xxx.xxx:60807 -> 193.105.154.135:80
> 07/27/2011-19:05:53.912683  [**] [1:378000105:2] RDG Driveby Download Secondary Request #3 [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 134.225.xxx.xxx:60807 -> 193.105.154.135:80
> 07/27/2011-19:05:53.912832  [**] [1:2012401:9] ET CURRENT_EVENTS Driveby Download Secondary Request [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 134.225.xxx.xxx:60807 -> 193.105.154.135:80
> 07/27/2011-19:05:53.912832  [**] [1:378000105:2] RDG Driveby Download Secondary Request #3 [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 134.225.xxx.xxx:60807 -> 193.105.154.135:80

(bogus repeat, which doesn't occur with local pcap and runmode=single or
autofp, I think)

> 07/27/2011-19:05:53.934902  [**] [1:2013313:1] ET TROJAN Obfuscated Javascript Often Used in Drivebys 3 [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 193.105.154.135:80 -> 134.225.xxx.xxx:60807
> 07/27/2011-19:05:53.934902  [**] [1:378000108:1] RDG Obfuscated javascript #3 - used in Driveby [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 193.105.154.135:80 -> 134.225.xxx.xxx:60807

> 07/27/2011-19:08:27.609831  [**] [1:2013237:4] ET CURRENT_EVENTS Obfuscated Javascript Often Used in Drivebys [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 75.127.110.97:80 -> 134.225.xxx.xxx:51511
> 07/27/2011-19:08:27.609831  [**] [1:378000106:2] RDG Obfuscated javascript - used in Driveby [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 75.127.110.97:80 -> 134.225.xxx.xxx:51511

(no tp= or similar parameter, so no "secondary request" match)

> 07/27/2011-19:13:57.669033  [**] [1:378000105:2] RDG Driveby Download Secondary Request #3 [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 134.225.xxx.xxx:43138 -> 109.230.222.234:80
> 07/27/2011-19:13:57.686410  [**] [1:2013237:4] ET CURRENT_EVENTS Obfuscated Javascript Often Used in Drivebys [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 109.230.222.234:80 -> 134.225.xxx.xxx:43138
> 07/27/2011-19:13:57.686410  [**] [1:378000106:2] RDG Obfuscated javascript - used in Driveby [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 109.230.222.234:80 -> 134.225.xxx.xxx:43138

(extra "lpg" query-string parameter matches my version, not ET's; but
I've actually only seen this once)

> 07/27/2011-19:15:53.545058  [**] [1:2013314:4] ET TROJAN Obfuscated Javascript Often Used in Drivebys 2 [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 89.46.251.147:80 -> 134.225.xxx.xxx:44064
> 07/27/2011-19:15:53.545058  [**] [1:378000107:1] RDG Obfuscated javascript #2 - used in Driveby [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 89.46.251.147:80 -> 134.225.xxx.xxx:44064

http.log:

> 07/27/2011-19:05:54.032543 inimqical32.com [**] /index.php?tp=4e6c58ba0ffb9d5c [**] Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0 [**] http://gordak3.com/ [**] GET [**] HTTP/1.1 [**] 200 [**] 63726 bytes [**] 134.225.xxx.xxx:60807 -> 193.105.154.135:80
> 07/27/2011-19:08:27.982885 75.127.110.97 [**] /Home/index.php [**] Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB7.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) [**] http://www.makeupgeek.com/products/mac-powder-blush-dame/ [**] GET [**] HTTP/1.1 [**] 200 [**] 46007 bytes [**] 134.225.xxx.xxx:51511 -> 75.127.110.97:80
> 07/27/2011-19:13:57.725699 tolias.in [**] /index.php?tp=f7eaea96cb2cd72c&lpg=latjul14 [**] Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1 [**] http://encourageyou.eu/newadv.php?cid=latprod28 [**] GET [**] HTTP/1.1 [**] 200 [**] 24415 bytes [**] 134.225.xxx.xxx:43138 -> 109.230.222.234:80
> 07/27/2011-19:15:53.642001 www.dybvtgld.cjb.net [**] /s5pu0gtf/?2 [**] Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 [**] http://www.mrexcel.com/forum/register.php?a=act&u=186771&i=bbafb8ca5f12557453ab5bfb66d117cadf15c98d [**] GET [**] HTTP/1.1 [**] 200 [**] 19927 bytes [**] 134.225.xxx.xxx:44064 -> 89.46.251.147:80

(all correct!)

2) with "suricata --pfring-int=eth2" (receive-threads = 1, but I had the
same behaviour before Will's patch to not set the cluster_id in this
case; also runmode=autofp doesn't make any difference, I think)

fast.log:
> 07/27/2011-19:18:58.336010  [**] [1:2012401:9] ET CURRENT_EVENTS Driveby Download Secondary Request [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 134.225.xxx.xxx:60807 -> 193.105.154.135:80
> 07/27/2011-19:18:58.336010  [**] [1:378000105:2] RDG Driveby Download Secondary Request #3 [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 134.225.xxx.xxx:60807 -> 193.105.154.135:80
> 07/27/2011-19:18:58.336160  [**] [1:2012401:9] ET CURRENT_EVENTS Driveby Download Secondary Request [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 134.225.xxx.xxx:60807 -> 193.105.154.135:80
> 07/27/2011-19:18:58.336160  [**] [1:378000105:2] RDG Driveby Download Secondary Request #3 [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 134.225.xxx.xxx:60807 -> 193.105.154.135:80
> 07/27/2011-19:28:05.509358  [**] [1:378000105:2] RDG Driveby Download Secondary Request #3 [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 134.225.xxx.xxx:43138 -> 109.230.222.234:80

http.log:
> 07/27/2011-19:28:05.725319 tolias.in [**] /index.php?tp=f7eaea96cb2cd72c&lpg=latjul14 [**] Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1 [**] http://encourageyou.eu/newadv.php?cid=latprod28 [**] GET [**] HTTP/1.1 [**]  [**] 0 bytes [**] 134.225.xxx.xxx:43138 -> 109.230.222.234:80
> 07/27/2011-19:29:25.587388 www.dybvtgld.cjb.net [**] /s5pu0gtf/?2 [**] Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 [**] http://www.mrexcel.com/forum/register.php?a=act&u=186771&i=bbafb8ca5f12557453ab5bfb66d117cadf15c98d [**] GET [**] HTTP/1.1 [**]  [**] 0 bytes [**] 134.225.xxx.xxx:44064 -> 89.46.251.147:80

So the Obfuscated Javascript alerts are missing, together with their
HTTP requests.

suricata.log had

> [17375] 27/7/2011 -- 19:18:58 - (app-layer-parser.c:955) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 134.225.xxx.xxx, destination IP address 193.105.154.135, src port 60807 and dst port 80
> [17375] 27/7/2011 -- 19:24:52 - (app-layer-parser.c:955) <Error> (AppLayerParse) -- [ERRCODE: SC_ERR_ALPARSER(59)] - Error occured in parsing "http" app layer protocol, using network protocol 6, source IP address 134.225.xxx.xxx, destination IP address 75.127.110.97, src port 51511 and dst port 80

which didn't occur with 1) and would have matched the first two pcaps.

I can supply the pcaps privately if required!

Best Wishes,
Chris

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094
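As an added illustration (not part of Chris's post, nor Suricata's own tooling), a small Python script that does the comparison the post performs by hand: it diffs the fast.log alert sets of two capture runs and flags http.log entries written with an empty status and "0 bytes", the pattern seen in run 2 above where the request was logged but the response was never parsed. The sample log lines are constructed in the post's layout with RFC 5737 addresses and invented hosts; the sids and rule messages are the ones quoted in the post.

```python
import re
# fast.log layout as shown in the post: TS  [**] [gid:sid:rev] MSG [**] [Classification: ...] [Priority: N] {PROTO} SRC -> DST
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

def parse_fast(lines):
    """Return (sid, msg, src, dst) for every fast.log line that parses."""
    alerts = []
    for line in lines:
        m = FAST_RE.match(line.strip().lstrip("> "))
        if m:
            alerts.append((int(m["sid"]), m["msg"], m["src"], m["dst"]))
    return alerts

def missing_alerts(baseline, candidate):
    """Alerts seen in the baseline run but absent from the candidate run. Sets
    collapse duplicates, so repeated lines neither mask nor inflate the diff."""
    return sorted(set(baseline) - set(candidate))

def truncated_http(lines):
    """http.log entries (post's extended layout: referer, method, version, status,
    size appended) with empty status and 0 bytes: no response was parsed."""
    hits = []
    for line in lines:
        f = re.split(r"\s*\[\*\*\]\s*", line.strip().lstrip("> "))
        if len(f) >= 9 and f[6] == "" and f[7].startswith("0 "):
            hits.append((f[0].split()[1], f[1], f[8]))  # (host, url, flow)
    return hits

# Constructed sample lines (RFC 5737 addresses, invented hosts); the sids and
# messages are those quoted in the post.
def fast_line(ts, sid, msg, src, dst):
    return (f"{ts}  [**] [1:{sid}:1] {msg} [**] [Classification: A Network "
            f"Trojan was Detected] [Priority: 1] {{TCP}} {src} -> {dst}")
DRIVEBY = "ET CURRENT_EVENTS Driveby Download Secondary Request"
OBFJS = "ET TROJAN Obfuscated Javascript Often Used in Drivebys 3"
PCAP_FAST = [
    fast_line("07/27/2011-19:05:53.912683", 2012401, DRIVEBY, "192.0.2.10:60807", "198.51.100.5:80"),
    fast_line("07/27/2011-19:05:53.912832", 2012401, DRIVEBY, "192.0.2.10:60807", "198.51.100.5:80"),
    fast_line("07/27/2011-19:05:53.934902", 2013313, OBFJS, "198.51.100.5:80", "192.0.2.10:60807"),
]
PFRING_FAST = PCAP_FAST[:2]  # PF_RING run: the response-side alert never fires
PFRING_HTTP = ["07/27/2011-19:28:05.725319 example.invalid [**] /index.php?tp=0123456789abcdef [**] UA"
               " [**] http://referer.invalid/ [**] GET [**] HTTP/1.1 [**]  [**] 0 bytes [**] 192.0.2.10:43138 -> 198.51.100.5:80"]

def compare_runs():
    """Alerts present over libpcap (run 1) but missing over PF_RING (run 2)."""
    return missing_alerts(parse_fast(PCAP_FAST), parse_fast(PFRING_FAST))
```

Feed the real fast.log and http.log from the two runs into the same functions to get the missing-alert list and the flows whose response never reached the HTTP parser, which is exactly the set to correlate against the SC_ERR_ALPARSER lines in suricata.log.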