[Oisf-users] Stream data in alert-debug.log?
Matt
matt at somedamn.com
Wed Apr 10 18:43:27 UTC 2013
What causes a rule to sometimes fire on stream data and sometimes not?
There's a definite possibility of packet loss, but I'm running
midstream: true and async-oneside: true. Here are four hits from the
same rule that all generated different things in the debug log:
# Tag a flow as socks5 when we see a SOCKS5 auth accept from server back to client
alert tcp $HOME_NET any -> any any (msg:"SOCKS5 Authentication Accept"; content:"|05 00|"; dsize:2; flowbits:set, socks5; flow:from_server,established; classtype:trojan-activity; sid:1000000; rev:1;)
# Generate an alert when we see a connect request from an authenticated client back to a SOCKS5 server
alert tcp any any -> $HOME_NET any (msg:"SOCKS5 Connect Request"; flowbits:isset, socks5; flow:from_client,established; content:"|05 01 00|"; depth:3; classtype:trojan-activity; sid:1000001; rev:1;)
Alert found in packet, and single packet contents included:
+================
TIME: 04/06/2013-00:00:02.899283
[snip]
FLOW: to_server: TRUE, to_client: FALSE
FLOW Start TS: 04/06/2013-00:00:02.616952
FLOW IPONLY SET: TOSERVER: TRUE, TOCLIENT: TRUE
FLOW ACTION: DROP: FALSE, PASS FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: FALSE
FLOW APP_LAYER: DETECTED: FALSE, PROTO 0
FLOWBIT: socks5
PACKET LEN: 76
PACKET:
0000 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX ........ ........
0010 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX ........ ........
0020 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX ........ ........
0030 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX ........ ........
0040 XX XX XX XX XX XX XX XX XX XX XX XX ........ ....
ALERT CNT: 1
ALERT MSG [00]: SOCKS5 Connect Request
ALERT GID [00]: 1
ALERT SID [00]: 1000001
ALERT REV [00]: 1
ALERT CLASS [00]: A Network Trojan was detected
ALERT FOUND IN [00]: PACKET
PAYLOAD LEN: 10
PAYLOAD:
0000 05 01 00 01 XX XX XX XX XX XX ........ ..
+================
Alert found in stream, but no packet contents included:
+================
TIME: 04/06/2013-00:00:27.345381
[snip]
FLOW: to_server: TRUE, to_client: FALSE
FLOW Start TS: 04/06/2013-00:00:26.621553
FLOW IPONLY SET: TOSERVER: TRUE, TOCLIENT: TRUE
FLOW ACTION: DROP: FALSE, PASS FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: TRUE
FLOW APP_LAYER: DETECTED: FALSE, PROTO 0
FLOWBIT: socks5
PACKET LEN: 60
PACKET:
0000 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX ........ ........
0010 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX ........ ........
0020 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX ........ ........
0030 XX XX XX XX XX XX XX XX XX XX XX XX ........ ....
ALERT CNT: 1
ALERT MSG [00]: SOCKS5 Connect Request
ALERT GID [00]: 1
ALERT SID [00]: 1000001
ALERT REV [00]: 1
ALERT CLASS [00]: A Network Trojan was detected
ALERT FOUND IN [00]: STREAM
+================
Alert found in stream, and stream data included, but the contents are
only the one packet that triggered the alert:
+================
TIME: 04/06/2013-00:27:08.434509
[snip]
FLOW: to_server: TRUE, to_client: FALSE
FLOW Start TS: 04/06/2013-00:27:08.292501
FLOW IPONLY SET: TOSERVER: TRUE, TOCLIENT: TRUE
FLOW ACTION: DROP: FALSE, PASS FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: TRUE
FLOW APP_LAYER: DETECTED: FALSE, PROTO 0
FLOWBIT: socks5
PACKET LEN: 60
PACKET:
0000 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX ........ ........
0010 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX ........ ........
0020 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX ........ ........
0030 XX XX XX XX XX XX XX XX XX XX XX XX ........ ....
ALERT CNT: 1
ALERT MSG [00]: SOCKS5 Connect Request
ALERT GID [00]: 1
ALERT SID [00]: 1000001
ALERT REV [00]: 1
ALERT CLASS [00]: A Network Trojan was detected
ALERT FOUND IN [00]: STREAM
STREAM DATA LEN: 22
STREAM DATA:
0000 05 01 00 03 XX XX XX XX XX XX XX XX XX XX XX XX ........ ........
0010 XX XX XX XX XX XX ......
+================
Full stream data included, both before and after the packet that
triggered the alert:
+================
TIME: 04/06/2013-06:49:20.624174
[snip]
FLOW: to_server: TRUE, to_client: FALSE
FLOW Start TS: 04/06/2013-06:48:58.944169
FLOW IPONLY SET: TOSERVER: TRUE, TOCLIENT: TRUE
FLOW ACTION: DROP: FALSE, PASS FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: TRUE
FLOW APP_LAYER: DETECTED: FALSE, PROTO 0
FLOWBIT: socks5
PACKET LEN: 60
PACKET:
0000 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX ........ ........
0010 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX ........ ........
0020 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX ........ ........
0030 XX XX XX XX XX XX XX XX XX XX XX XX ........ ....
ALERT CNT: 1
ALERT MSG [00]: SOCKS5 Connect Request
ALERT GID [00]: 1
ALERT SID [00]: 1000001
ALERT REV [00]: 1
ALERT CLASS [00]: A Network Trojan was detected
ALERT FOUND IN [00]: STREAM
STREAM DATA LEN: 3
STREAM DATA:
0000 05 01 00 ...
STREAM DATA LEN: 10
STREAM DATA:
0000 05 01 00 01 XX XX XX XX XX XX ........ ..
STREAM DATA LEN: 196
STREAM DATA:
0000 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX ........ ........
0010 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX ........ ........
0020 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX ........ ........
0030 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX ........ ........
0040 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX ........ ........
0050 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX ........ ........
0060 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX ........ ........
0070 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX ........ ........
0080 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX ........ ........
0090 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX ........ ........
00A0 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX ........ ........
00B0 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX ........ ........
00C0 XX XX XX XX ....
+================
If possible, I want all my alerts to look like the last example.
Matt
On 4/9/2013 12:23 PM, Victor Julien wrote:
> On 04/09/2013 05:16 PM, Matt wrote:
>> I've noticed that some of my debug alerts have stream data, and some
>> don't. What triggers that? If it isn't deterministic, how can I
>> maximize the chances of getting stream data? I'm guessing the stream
>> data just gets written if it happens to be there in memory. Maybe
>> increase the size of the stream memcap? Or raise max-sessions for it?
> The stream data is added to the alert-debug log if the match was in the
> stream data.
>
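The four debug-log shapes Matt lists can be tallied over a whole alert-debug.log rather than eyeballed. This is an added example, not code from the thread or from Suricata: it splits the log on the `+================` delimiters, keeps TIME, the ALERT FOUND IN value and every STREAM DATA LEN, and buckets each alert by how many stream blocks were dumped. The bucket names and the count-of-blocks heuristic are this example's own, and the sample log is constructed (hex dumps omitted).

```python
import re
from collections import Counter
# Constructed sample in the alert-debug.log layout quoted in the thread; only
# the fields this script reads are kept, one record per shape Matt describes.
SAMPLE_LOG = """\
+================
TIME: 04/06/2013-00:00:02.899283
ALERT FOUND IN [00]: PACKET
+================
+================
TIME: 04/06/2013-00:00:27.345381
ALERT FOUND IN [00]: STREAM
+================
+================
TIME: 04/06/2013-00:27:08.434509
ALERT FOUND IN [00]: STREAM
STREAM DATA LEN: 22
+================
+================
TIME: 04/06/2013-06:49:20.624174
ALERT FOUND IN [00]: STREAM
STREAM DATA LEN: 3
STREAM DATA LEN: 10
STREAM DATA LEN: 196
+================
"""

def parse_alert_debug(text):
    # Each record is wrapped in +==== lines, so splitting leaves empty chunks.
    records = []
    for chunk in re.split(r"^\+=+$", text, flags=re.M):
        if not chunk.strip():
            continue
        rec = {"time": None, "found_in": None, "stream_lens": []}
        for line in chunk.splitlines():
            if line.startswith("TIME: "):
                rec["time"] = line[len("TIME: "):].strip()
            elif m := re.match(r"ALERT FOUND IN \[\d+\]: (\w+)", line):
                rec["found_in"] = m.group(1)   # PACKET or STREAM
            elif m := re.match(r"STREAM DATA LEN: (\d+)", line):
                rec["stream_lens"].append(int(m.group(1)))
        records.append(rec)
    return records

def classify(rec):
    # Heuristic: 0 stream blocks = match in stream but nothing dumped,
    # 1 block = only the triggering segment, 2+ = reassembled data around it.
    if rec["found_in"] == "PACKET":
        return "packet-match"
    n = len(rec["stream_lens"])
    return ["stream-match-no-data", "stream-match-single-segment",
            "stream-match-full-reassembly"][min(n, 2)]

def summarize(text):
    return Counter(classify(r) for r in parse_alert_debug(text))
```

Running `summarize()` over a production log shows at a glance what fraction of alerts already look like Matt's preferred last example.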