[Oisf-users] Issues with http rules and midstream processing

Matt matt at somedamn.com
Thu Jan 24 20:38:16 UTC 2013


Due to some peculiarities in my environment, I sometimes only see 
outbound packets.  I have "midstream: true" set in my config, but I'm 
having trouble with HTTP rules when the SYN packet is present, but the 
SYN|ACK is missing.  Here are two test rules:

alert http any any -> any 80 (msg:"http://lockedoutofheaven.in/ http"; content:"/4/config.bin"; http_uri; content:"Host: lockedoutofheaven.in"; nocase; http_header; classtype:trojan-activity; sid:1;)
alert tcp any any -> any 80 (msg:"http://lockedoutofheaven.in/ tcp"; content:"/4/config.bin"; offset:4; content:"Host: lockedoutofheaven.in"; nocase; distance:10; classtype:trojan-activity; sid:2;)

Test case #1: Full 3-way handshake

0   1   0.000000 85.167.26.187 -> 53.177.243.126 TCP 2084 > 80 [SYN] Seq=0 Win=16384 Len=0 MSS=1460 WS=1 SACK_PERM=1
0   2   0.154565 53.177.243.126 -> 85.167.26.187 TCP 80 > 2084 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1 WS=64
0   3   0.164244 85.167.26.187 -> 53.177.243.126 TCP 2084 > 80 [ACK] Seq=1 Ack=1 Win=16384 Len=0
0   4   0.164342 85.167.26.187 -> 53.177.243.126 TCP 2084 > 80 [PSH, ACK] Seq=1 Ack=1 Win=16384 Len=270

Three alerts are produced for some reason.  The tcp alert hits twice, 
and the http alert hits once.

01/24/2013-10:55:25.079657  [**] [1:2:0] http://lockedoutofheaven.in/ tcp [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 85.167.26.187:2084 -> 53.177.243.126:80
01/24/2013-10:55:25.079657  [**] [1:2:0] http://lockedoutofheaven.in/ tcp [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 85.167.26.187:2084 -> 53.177.243.126:80
01/24/2013-10:55:25.079657  [**] [1:1:0] http://lockedoutofheaven.in/ http [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 85.167.26.187:2084 -> 53.177.243.126:80

Test case #2: SYN|ACK missing

0   1   0.000000 85.167.26.187 -> 53.177.243.126 TCP 2084 > 80 [SYN] Seq=0 Win=16384 Len=0 MSS=1460 WS=1 SACK_PERM=1
0   2   0.164244 85.167.26.187 -> 53.177.243.126 TCP 2084 > 80 [ACK] Seq=1 Ack=1 Win=16384 Len=0
0   3   0.164342 85.167.26.187 -> 53.177.243.126 TCP 2084 > 80 [PSH, ACK] Seq=1 Ack=1 Win=16384 Len=270

Only one tcp alert is produced:

01/24/2013-10:55:25.079657  [**] [1:2:0] http://lockedoutofheaven.in/ tcp [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 85.167.26.187:2084 -> 53.177.243.126:80

Test case #3: Both SYN and SYN|ACK missing

0   1   0.000000 85.167.26.187 -> 53.177.243.126 TCP 2084 > 80 [ACK] Seq=1 Ack=1 Win=16384 Len=0
0   2   0.000098 85.167.26.187 -> 53.177.243.126 TCP 2084 > 80 [PSH, ACK] Seq=1 Ack=1 Win=16384 Len=270

01/24/2013-10:55:25.079657  [**] [1:2:0] http://lockedoutofheaven.in/ tcp [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 85.167.26.187:2084 -> 53.177.243.126:80
01/24/2013-10:55:25.079657  [**] [1:2:0] http://lockedoutofheaven.in/ tcp [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 85.167.26.187:2084 -> 53.177.243.126:80
01/24/2013-10:55:25.079657  [**] [1:1:0] http://lockedoutofheaven.in/ http [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 85.167.26.187:2084 -> 53.177.243.126:80

Again, I see two tcp alerts and one http alert.

Test case #4: Only the HTTP GET is present

0   1   0.000000 85.167.26.187 -> 53.177.243.126 TCP 2084 > 80 [PSH, ACK] Seq=1 Ack=1 Win=16384 Len=270

This produces the same output as before.  Two tcp alerts and one http:

01/24/2013-10:55:25.079657  [**] [1:2:0] http://lockedoutofheaven.in/ tcp [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 85.167.26.187:2084 -> 53.177.243.126:80
01/24/2013-10:55:25.079657  [**] [1:2:0] http://lockedoutofheaven.in/ tcp [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 85.167.26.187:2084 -> 53.177.243.126:80
01/24/2013-10:55:25.079657  [**] [1:1:0] http://lockedoutofheaven.in/ http [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 85.167.26.187:2084 -> 53.177.243.126:80

So it appears that the stream processor can't recover when it sees a 
SYN, misses the SYN|ACK, and then sees subsequent packets in the 
stream.  I've attached anonymized pcaps for each test case.

- Matt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test-full-handshake.pcap
Type: application/octet-stream
Size: 604 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20130124/c348c19e/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test-get-only.pcap
Type: application/octet-stream
Size: 364 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20130124/c348c19e/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test-syn-ack-missing.pcap
Type: application/octet-stream
Size: 522 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20130124/c348c19e/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test-syn-and-syn-ack-missing.pcap
Type: application/octet-stream
Size: 440 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20130124/c348c19e/attachment-0003.obj>
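Added example (not part of Matt's post and not Suricata project code): a standard-library Python generator that rebuilds the four test captures from the tshark listings above, so anyone without the attachments can replay the same handshake matrix through suricata -r with the two rules loaded. Addresses, ports, flags, windows, relative seq/ack numbers and the 270-byte payload length are taken from the post; the HTTP request body, MAC addresses, IP IDs, timestamps and the exact TCP option layout are assumptions made here.

```python
"""Rebuild the post's four midstream test captures as classic pcap files.

Frames are assembled by hand (Ethernet / IPv4 / TCP) so IP and TCP checksums
are valid; the stream engine would otherwise discard the segments.
Values taken from the post's tshark listing: addresses, ports, flags, windows,
seq/ack numbers, Len=270.  Constructed here: the request body, MACs, IP IDs,
timestamps and TCP option layout.
"""
import socket
import struct

CLIENT, SERVER = "85.167.26.187", "53.177.243.126"    # addresses as shown in the post
CLIENT_PORT, SERVER_PORT = 2084, 80
CLIENT_MAC = bytes.fromhex("020000000001")             # constructed locally-administered MACs
SERVER_MAC = bytes.fromhex("020000000002")
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum, used for both the IPv4 and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def http_get(length: int = 270) -> bytes:
    """Constructed request that matches both rules, padded to the post's Len=270."""
    req = (b"GET /4/config.bin HTTP/1.1\r\n"
           b"Host: lockedoutofheaven.in\r\n"
           b"User-Agent: constructed-test-client\r\n")
    pad = length - len(req) - len(b"X-Pad: \r\n\r\n")
    if pad < 0:
        raise ValueError("length too small for the request")
    return req + b"X-Pad: " + b"a" * pad + b"\r\n\r\n"


def syn_options(shift: int) -> bytes:
    """MSS=1460, window scale, SACK permitted: 12 bytes keeps the header 4-byte aligned.
    tshark's WS= column shows the multiplier, so WS=1 is shift 0 and WS=64 is shift 6."""
    return (struct.pack("!BBH", 2, 4, 1460)                      # MSS
            + b"\x01" + struct.pack("!BBB", 3, 3, shift)         # NOP, window scale
            + b"\x01\x01" + struct.pack("!BB", 4, 2))            # NOP, NOP, SACK permitted


def tcp_frame(src, dst, sport, dport, seq, ack, flags, window, options=b"", payload=b"", ident=1):
    """Ethernet + IPv4 + TCP frame with correct checksums (DF set, TTL 64)."""
    offset = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, offset << 4, flags, window, 0, 0) + options
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), ident, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    src_mac, dst_mac = (CLIENT_MAC, SERVER_MAC) if src == CLIENT else (SERVER_MAC, CLIENT_MAC)
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp + payload


# The four segments of the post's listing; relative seq/ack numbers are used as absolute ones.
SEGMENTS = {
    "syn":    lambda: tcp_frame(CLIENT, SERVER, CLIENT_PORT, SERVER_PORT, 0, 0, SYN, 16384, syn_options(0), ident=1),
    "synack": lambda: tcp_frame(SERVER, CLIENT, SERVER_PORT, CLIENT_PORT, 0, 1, SYN | ACK, 5840, syn_options(6), ident=2),
    "ack":    lambda: tcp_frame(CLIENT, SERVER, CLIENT_PORT, SERVER_PORT, 1, 1, ACK, 16384, ident=3),
    "get":    lambda: tcp_frame(CLIENT, SERVER, CLIENT_PORT, SERVER_PORT, 1, 1, PSH | ACK, 16384, payload=http_get(), ident=4),
}

TEST_CASES = {   # file names as attached to the post
    "test-full-handshake.pcap":          ["syn", "synack", "ack", "get"],
    "test-syn-ack-missing.pcap":         ["syn", "ack", "get"],
    "test-syn-and-syn-ack-missing.pcap": ["ack", "get"],
    "test-get-only.pcap":                ["get"],
}


def build_case(name):
    return [SEGMENTS[s]() for s in TEST_CASES[name]]


def pcap_bytes(frames, base_ts=1358994925.0):
    """Classic pcap (v2.4, LINKTYPE_ETHERNET), one frame every 0.1 s (constructed timing)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        ts = base_ts + i * 0.1
        out += struct.pack("<IIII", int(ts), int(round((ts - int(ts)) * 1_000_000)), len(frame), len(frame)) + frame
    return out


def verify_checksums(frame) -> bool:
    """Re-run both checksums over the finished frame; a correct frame sums to zero."""
    ip = frame[14:34]
    ihl = (ip[0] & 0x0F) * 4
    total = struct.unpack("!H", ip[2:4])[0]
    tcp = frame[14 + ihl:14 + total]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(ip[:ihl]) == 0 and checksum(pseudo + tcp) == 0


if __name__ == "__main__":
    for name in TEST_CASES:
        with open(name, "wb") as fh:
            fh.write(pcap_bytes(build_case(name)))
        print("wrote", name)
```

Running the script writes the four files into the current directory; feeding each one to suricata -r with the two rules loaded reproduces the matrix of alerts described in the post, and the same files can be re-run after changing stream settings such as midstream or checksum-validation to see which knob changes the outcome. With plain Ethernet framing the single-segment capture comes to 364 bytes, the size the archive lists for test-get-only.pcap.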
