[Oisf-devel] [Suricata] Question about flowint - incrementing counter

Pablo pablo.rincon.crespo at gmail.com
Wed Mar 16 17:02:18 UTC 2011

2011/3/16 Sebastien Damaye <sebastien.damaye at gmail.com>:
> Hi Pablo,
> Before anything, thank you very much for this very clear and prompt answer.
> You are absolutely right. I've updated my rules to trigger an alert after 2
> bad logins and have done the tests again within the same session:
> $ ftp
> Connected to
> 220 (vsFTPd 2.0.7)
> Name ( root
> 331 Please specify the password.
> Password:
> 530 Login incorrect.
> Login failed.
> ftp> user root
> 331 Please specify the password.
> Password:
> 530 Login incorrect.
> Login failed.
> And.... It has triggered the alert:
> 03/16/2011-17:35:31.560382  [**] [1:2:0] More than two Failed Logins! [**]
> [Classification: (null)] [Priority: 3] {TCP} ->

Sweet! :) Cool that it worked.

> Thanks very much for your help.
> BTW, the online documentation seems outdated (e.g. the syntax of flowint as
> specified on the wiki doesn't work and doesn't correspond either to the one
> used in the working rules).

We are working to improve that. Actually we have one person writing
documentation, but think that we have a complete application
(Suricata), its setup, different runmodes (IDS, inline IPS..), and
the world of signature syntax that could itself be a separate manual.
I mean, there's a lot to do, so it might take some time to get it up
to date.

Thanks for the feedback!

> 2011/3/16 Pablo <pablo.rincon.crespo at gmail.com>
>> Hi Sebastien. The rules look fine. The problem is that looking at the
>> pcap, there are different flows per login, as follows:
>> 220 (vsFTPd 2.0.7)
>> USER root
>> 331 Please specify the password.
>> PASS a
>> 530 Login incorrect.
>> 530 Please login with USER and PASS.
>> 221 Goodbye.
>> After the QUIT command, the connection is closed, so the flow instance
>> is destroyed after that, and the flowint vars will be released too.
>> Then a new connection is set up for another login retry, and Suricata
>> creates a new flow instance, but flowint vars live in the context of a
>> flow. To accomplish this, we need Global Vars (another feature in the
>> roadmap of the project), that's the ability to create variables that
>> exist in the context of 2 IP addresses, regardless of ports and IP
>> session ids/streams, flow instances...
>> That will make Suricata able to use a simple logical correlation,
>> something like "an exploit has been detected on the fly" on one flow,
>> and after that, the flow is destroyed. Ok, but we have set a
>> var/int/bit between those hosts indicating that intention, so we don't
>> mind if the flow was destroyed because we will keep that
>> information/vars in the context of that pair of hosts. So after that,
>> if we get "a cmd.exe banner has been matched" between those hosts,
>> then we will be able to cross it with the previous attack, alerting
>> that the host might be compromised in a more reliable way, tracking
>> the intent and response even on different connections.
>> 2011/3/16 Sebastien Damaye <sebastien.damaye at gmail.com>:
>> > Hi team,
>> > I'm currently testing Suricata in the shape of a comparative analysis
>> > with Snort. I've been in contact with Anoop Saldanha who advised me to
>> > post my question to the dev team mailing list.
>> > Here is my issue:
>> > I'm not sure how to use flowint to trigger an alert after 3 bad logins
>> > on an FTP account.
>> > Here are my rules:
>> >
>> > alert tcp any any -> any any (msg:"Counting Failed Logins";
>> > content:"incorrect"; flowint: username, notset; flowint:username, =, 1;
>> > noalert; sid:1;)
>> > alert tcp any any -> any any (msg:"More than three Failed Logins!";
>> > content:"incorrect"; flowint: username, isset; flowint:username, +, 1;
>> > flowint:username, >, 3; sid:2;)
>> >
>> > I have tested to track the string "incorrect" to ensure it was correct:
>> >
>> > alert tcp any any -> any any (msg:"test_incorrect"; content:"incorrect";
>> > sid:1;)
>> >
>> > And it works fine. Here is the output in /var/log/suricata/fast.log:
>> >
>> > 03/16/2011-14:25:23.146103  [**] [1:1:0] test_incorrect [**]
>> > [Classification: (null)] [Priority: 3] {TCP} ->
>> >
>> >
>> > You will find attached to this mail a pcap capture realized with tcpdump
>> > (tcpdump -lnx -s 1500 -i eth0 -w badlogins.cap 'port 21') to track the
>> > failed authentication attempts.
>> > I'm also attaching my suricata.yaml configuration in case you would need
>> > it...
>> > I have the feeling that the counter is not auto-incrementing...
>> > Many thanks in advance for your help.
>> > --
>> > Cordialement/Regards,
>> > Sébastien Damaye
>> > http://www.aldeid.com
>> >
>> --
>> Best regards,
>> --
>> Pablo Rincón Crespo
>> Security researcher and developer
>> Open Information Security Foundation -
>> http://www.openinfosecfoundation.org
>> Emerging Threats Pro, INC - http://www.emergingthreatspro.com
>> ------------------------------------
> --
> Cordialement/Regards,
> Sébastien Damaye
> http://www.aldeid.com


Best regards,

Pablo Rincón Crespo
Security researcher and developer
Open Information Security Foundation - http://www.openinfosecfoundation.org
Emerging Threats Pro, INC - http://www.emergingthreatspro.com
