[Oisf-users] Rules matching packet sequences rather than individual packets?
Matt
matt at somedamn.com
Tue Jan 8 15:50:49 UTC 2013
It took way more effort than I expected to find a working pcap
anonymizer. I finally found tcprewrite in the tcpreplay suite. The
10.x IP here is the attacker exploiting an open proxy on the victim
172.x machine.
Matt
On 1/7/2013 5:15 AM, Peter Manev wrote:
> Hi Matt,
> Would you be able to share a test pcap?
> Change the IPs if needed.
>
> Thank you
>
> On Mon, Jan 7, 2013 at 1:29 AM, Matt Carothers <matt at somedamn.com
> <mailto:matt at somedamn.com>> wrote:
>
> Adding the flow directions does work. Using the http rules does
> not. Here's what I have now:
>
> alert tcp $HOME_NET any -> any any (msg:"SOCKS5 Authentication
> Accept"; content:"|05 00|"; dsize:2; flowbits:set, socks5;
> flowbits:noalert; flow:from_server,established;)
> alert http any any -> $HOME_NET any (msg:"SOCKS5 Tunneled GET";
> flowbits:isset, socks5; content:"GET"; nocase; http_method;
> classtype:trojan-activity; sid:7100001; rev:1;)
> alert http any any -> $HOME_NET any (msg:"SOCKS5 Tunneled POST";
> flowbits:isset, socks5; content:"POST"; nocase; http_method;
> classtype:trojan-activity; sid:7100002; rev:1;)
> alert tcp any any -> $HOME_NET any (msg:"SOCKS5 Tunneled GET";
> flowbits:isset, socks5; flow:from_client,established; content:"GET
> "; depth:4; classtype:trojan-activity; sid:7100003; rev:1;)
>
> Only the 710003 rule triggers.
>
> Matt
>
>
> On 1/6/2013 4:45 PM, rmkml wrote:
>
> and I'm curious if a Suricata http rule like "alert http
> ... content:"GET"; nocase; http_method;..." works?
> Regards
> Rmkml
>
>
> On Sun, 6 Jan 2013, rmkml wrote:
>
> Good, please check adding flow:from_server,established on
> first rule
> and flow:to_server,established on second rule please.
> Regards
> Rmkml
>
>
> On Sun, 6 Jan 2013, Matt wrote:
>
> Thanks! That's exactly what I needed. I can't share a
> pcap from my customers' traffic, but here are the
> rules I just wrote:
>
> alert tcp $HOME_NET any -> any any (msg:"SOCKS5
> Authentication Accept"; content:"|05 00|"; dsize:2;
> flowbits:set, socks5; flowbits:noalert;)
> alert tcp any any -> $HOME_NET any (msg:"SOCKS5
> Tunneled GET"; flowbits:isset, socks5; content:"GET ";
> depth:4; classtype:trojan-activity; sid:7100001; rev:1;)
>
> 0x0500 is the reply back from the SOCKS5 server
> indicating authentication succeeded. A subsequent
> HTTP GET in the other direction triggers the alert.
>
> Matt
>
> On 1/6/2013 3:17 PM, rmkml wrote:
>
> Hi Matt,
> Yes it's possible with flowbits...
> Can you share a pcap please?
> Regards
> Rmkml
>
>
> On Sun, 6 Jan 2013, Matt wrote:
>
> Is it possible to write a rule that matches a
> sequence of packets in a flow? My specific use
> case is that I'd like to match HTTP requests
> sent across SOCKS5 proxy tunnels. I can
> easily write a rule to match a SOCKS5
> handshake or an HTTP request, but I don't know
> if it's possible to match the request only
> when it follows the handshake in a given tcp
> session.
>
> - Matt
>
>
>
>
> _______________________________________________
> Suricata IDS Users mailing list:
> oisf-users at openinfosecfoundation.org
> <mailto:oisf-users at openinfosecfoundation.org>
> Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>
>
>
>
> --
> Regards,
> Peter Manev
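The rules in this thread rely on per-flow state: the first rule sets a flowbit when the server's SOCKS5 method-selection reply (two bytes, 05 00) is seen from the server side, and the later rules alert only if an HTTP method then appears from the client side of the same flow. The following is an added illustration, not code from the thread or from Suricata, that models that flowbits logic over a constructed packet list so the direction requirement rmkml raised (the bit must be set only on from_server traffic) can be seen to matter. All packet contents, flow names and the Packet/FlowState types are constructed for the example.

```python
"""Toy model of the flowbits logic from the SOCKS5-tunnel rules in the thread.

A packet is (flow id, direction, TCP payload). Each flow carries a set of
named bits, mirroring Suricata's per-flow flowbits. Set rules run before
isset rules on the same packet, as Suricata orders them.
Constructed sample traffic; not a real capture.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    flow: str
    direction: str  # "to_server" or "from_server"
    payload: bytes


@dataclass
class FlowState:
    bits: set = field(default_factory=set)


def rule_socks5_accept(pkt, state):
    # content:"|05 00|"; dsize:2; flow:from_server; flowbits:set,socks5; flowbits:noalert
    # 05 00 is the server's method-selection reply: version 5, method 0 (no auth).
    if pkt.direction == "from_server" and pkt.payload == b"\x05\x00":
        state.bits.add("socks5")
    return None  # noalert: state change only


def rule_tunneled_get(pkt, state):
    # sid 7100003: flowbits:isset,socks5; flow:from_client; content:"GET "; depth:4
    if "socks5" in state.bits and pkt.direction == "to_server" \
            and pkt.payload[:4] == b"GET ":
        return "SOCKS5 Tunneled GET"
    return None


def rule_tunneled_post(pkt, state):
    # sid 7100002 modelled on raw payload: flowbits:isset,socks5; content:"POST"; nocase
    if "socks5" in state.bits and pkt.direction == "to_server" \
            and pkt.payload[:5].upper() == b"POST ":
        return "SOCKS5 Tunneled POST"
    return None


RULES = (rule_socks5_accept, rule_tunneled_get, rule_tunneled_post)


def run(packets):
    """Evaluate every rule against every packet; return (index, flow, msg) alerts."""
    flows = {}
    alerts = []
    for idx, pkt in enumerate(packets):
        state = flows.setdefault(pkt.flow, FlowState())
        for rule in RULES:
            msg = rule(pkt, state)
            if msg:
                alerts.append((idx, pkt.flow, msg))
    return alerts


# Constructed traffic. Flow A: full SOCKS5 handshake then a tunneled GET.
# Flow B: plain GET with no handshake. Flow C: handshake then POST.
# Flow D: 05 00 sent by the *client*, so the bit must not be set.
SAMPLE_TRAFFIC = [
    Packet("A", "to_server", b"\x05\x01\x00"),                    # 0 greeting
    Packet("A", "from_server", b"\x05\x00"),                      # 1 sets socks5
    Packet("A", "to_server", b"\x05\x01\x00\x01\xac\x10\x00\x05\x00\x50"),  # 2 CONNECT
    Packet("A", "from_server", b"\x05\x00\x00\x01\x00\x00\x00\x00\x00\x00"),  # 3 10 bytes, dsize!=2
    Packet("A", "to_server", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),  # 4 alert
    Packet("B", "to_server", b"GET / HTTP/1.1\r\n\r\n"),          # 5 no bit, no alert
    Packet("C", "from_server", b"\x05\x00"),                      # 6 sets socks5
    Packet("C", "to_server", b"POST /upload HTTP/1.1\r\n\r\n"),   # 7 alert
    Packet("D", "to_server", b"\x05\x00"),                        # 8 wrong direction
    Packet("D", "to_server", b"GET / HTTP/1.1\r\n\r\n"),          # 9 no alert
]

if __name__ == "__main__":
    for alert in run(SAMPLE_TRAFFIC):
        print(alert)
```

Running it yields alerts only for packet 4 (flow A) and packet 7 (flow C); flow D shows why the from_server constraint belongs on the set rule, since without it any client that sends the two bytes 05 00 would arm the bit. The same consideration applies to the real rules: dsize:2 plus content "|05 00|" matches any two-byte server segment with that value, so the bit is a flow-level hint rather than proof of a SOCKS5 session.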
-------------- next part --------------
A non-text attachment was scrubbed...
Name: s5_anon.pcap
Type: application/octet-stream
Size: 4217 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20130108/b58fd88f/attachment-0002.obj>