[Oisf-users] Issues with http rules and midstream processing
Matt
matt at somedamn.com
Thu Jan 24 21:06:24 UTC 2013
Oops, nevermind. I should have looked at the source code first. :) I
found the "async-oneside" flag, and that's fixed it. I am still curious
as to why the tcp rule produces two alerts, though.
Matt
On 1/24/2013 3:38 PM, Matt wrote:
> Due to some peculiarities in my environment, I sometimes only see
> outbound packets. I have "midstream: true" set in my config, but I'm
> having trouble with HTTP rules when the SYN packet is present, but the
> SYN|ACK is missing. Here are two test rules:
>
> alert http any any -> any 80 (msg:"http://lockedoutofheaven.in/ http"; content:"/4/config.bin"; http_uri; content:"Host: lockedoutofheaven.in"; nocase; http_header; classtype:trojan-activity; sid:1;)
> alert tcp any any -> any 80 (msg:"http://lockedoutofheaven.in/ tcp"; content:"/4/config.bin"; offset:4; content:"Host: lockedoutofheaven.in"; nocase; distance:10; classtype:trojan-activity; sid:2;)
>
> Test case #1: Full 3-way handshake
>
> 0 1 0.000000 85.167.26.187 -> 53.177.243.126 TCP 2084 > 80 [SYN]
> Seq=0 Win=16384 Len=0 MSS=1460 WS=1 SACK_PERM=1
> 0 2 0.154565 53.177.243.126 -> 85.167.26.187 TCP 80 > 2084 [SYN,
> ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1 WS=64
> 0 3 0.164244 85.167.26.187 -> 53.177.243.126 TCP 2084 > 80 [ACK]
> Seq=1 Ack=1 Win=16384 Len=0
> 0 4 0.164342 85.167.26.187 -> 53.177.243.126 TCP 2084 > 80 [PSH,
> ACK] Seq=1 Ack=1 Win=16384 Len=270
>
> Three alerts are produced for some reason. The tcp alert hits twice,
> and the http alert hits once.
>
> 01/24/2013-10:55:25.079657 [**] [1:2:0] http://lockedoutofheaven.in/
> tcp [**] [Classification: A Network Trojan was detected] [Priority: 1]
> {TCP} 85.167.26.187:2084 -> 53.177.243.126:80
> 01/24/2013-10:55:25.079657 [**] [1:2:0] http://lockedoutofheaven.in/
> tcp [**] [Classification: A Network Trojan was detected] [Priority: 1]
> {TCP} 85.167.26.187:2084 -> 53.177.243.126:80
> 01/24/2013-10:55:25.079657 [**] [1:1:0] http://lockedoutofheaven.in/
> http [**] [Classification: A Network Trojan was detected] [Priority:
> 1] {TCP} 85.167.26.187:2084 -> 53.177.243.126:80
>
> Test case #2: SYN|ACK missing
>
> 0 1 0.000000 85.167.26.187 -> 53.177.243.126 TCP 2084 > 80 [SYN]
> Seq=0 Win=16384 Len=0 MSS=1460 WS=1 SACK_PERM=1
> 0 2 0.164244 85.167.26.187 -> 53.177.243.126 TCP 2084 > 80 [ACK]
> Seq=1 Ack=1 Win=16384 Len=0
> 0 3 0.164342 85.167.26.187 -> 53.177.243.126 TCP 2084 > 80 [PSH,
> ACK] Seq=1 Ack=1 Win=16384 Len=270
>
> Only one tcp alert is produced:
>
> 01/24/2013-10:55:25.079657 [**] [1:2:0] http://lockedoutofheaven.in/
> tcp [**] [Classification: A Network Trojan was detected] [Priority: 1]
> {TCP} 85.167.26.187:2084 -> 53.177.243.126:80
>
> Test case #3: Both SYN and SYN|ACK missing
>
> 0 1 0.000000 85.167.26.187 -> 53.177.243.126 TCP 2084 > 80 [ACK]
> Seq=1 Ack=1 Win=16384 Len=0
> 0 2 0.000098 85.167.26.187 -> 53.177.243.126 TCP 2084 > 80 [PSH,
> ACK] Seq=1 Ack=1 Win=16384 Len=270
>
> 01/24/2013-10:55:25.079657 [**] [1:2:0] http://lockedoutofheaven.in/
> tcp [**] [Classification: A Network Trojan was detected] [Priority: 1]
> {TCP} 85.167.26.187:2084 -> 53.177.243.126:80
> 01/24/2013-10:55:25.079657 [**] [1:2:0] http://lockedoutofheaven.in/
> tcp [**] [Classification: A Network Trojan was detected] [Priority: 1]
> {TCP} 85.167.26.187:2084 -> 53.177.243.126:80
> 01/24/2013-10:55:25.079657 [**] [1:1:0] http://lockedoutofheaven.in/
> http [**] [Classification: A Network Trojan was detected] [Priority:
> 1] {TCP} 85.167.26.187:2084 -> 53.177.243.126:80
>
> Again, I see two tcp alerts and one http alert.
>
> Test case #4: Only the HTTP GET is present
>
> 0 1 0.000000 85.167.26.187 -> 53.177.243.126 TCP 2084 > 80 [PSH,
> ACK] Seq=1 Ack=1 Win=16384 Len=270
>
> This produces the same output as before. Two tcp alerts and one http:
>
> 01/24/2013-10:55:25.079657 [**] [1:2:0] http://lockedoutofheaven.in/
> tcp [**] [Classification: A Network Trojan was detected] [Priority: 1]
> {TCP} 85.167.26.187:2084 -> 53.177.243.126:80
> 01/24/2013-10:55:25.079657 [**] [1:2:0] http://lockedoutofheaven.in/
> tcp [**] [Classification: A Network Trojan was detected] [Priority: 1]
> {TCP} 85.167.26.187:2084 -> 53.177.243.126:80
> 01/24/2013-10:55:25.079657 [**] [1:1:0] http://lockedoutofheaven.in/
> http [**] [Classification: A Network Trojan was detected] [Priority:
> 1] {TCP} 85.167.26.187:2084 -> 53.177.243.126:80
>
> So it appears that the stream processor can't recover when it sees a
> SYN, misses the SYN|ACK, and then sees subsequent packets in the
> stream. I've attached anonymized pcaps for each test case.
>
> - Matt
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
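An added example, not part of Matt's mail or of Suricata itself: a small Python script that parses fast.log lines of the shape quoted above and checks two things a defender would want to see at a glance when tuning midstream/one-sided handling: which sid fired more than once on the same flow (the doubled tcp alert), and which flows got the raw tcp match but never the http_uri/http_header match (the symptom of the app-layer parser not engaging). The sample input is the thread's own alert output re-joined onto single lines; the helper names and the IPv4-only address pattern are my assumptions.

```python
import re
from collections import Counter

# Pattern for one Suricata fast.log line as it appears in the thread:
#   <ts> [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:sport -> dst:dport
# Assumption: IPv4 addresses only (the [^\s:]+ groups would not split IPv6).
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s+(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[^\s:]+):(?P<sport>\d+)\s+->\s+(?P<dst>[^\s:]+):(?P<dport>\d+)\s*$"
)

# Constructed input: the three alerts from test case #1 (full handshake)
# and the single alert from test case #2 (SYN|ACK missing), one per line.
FULL_HANDSHAKE_LOG = """\
01/24/2013-10:55:25.079657 [**] [1:2:0] http://lockedoutofheaven.in/ tcp [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 85.167.26.187:2084 -> 53.177.243.126:80
01/24/2013-10:55:25.079657 [**] [1:2:0] http://lockedoutofheaven.in/ tcp [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 85.167.26.187:2084 -> 53.177.243.126:80
01/24/2013-10:55:25.079657 [**] [1:1:0] http://lockedoutofheaven.in/ http [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 85.167.26.187:2084 -> 53.177.243.126:80
"""

SYNACK_MISSING_LOG = """\
01/24/2013-10:55:25.079657 [**] [1:2:0] http://lockedoutofheaven.in/ tcp [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 85.167.26.187:2084 -> 53.177.243.126:80
"""


def parse_fast_log_line(line):
    """Parse one fast.log line into a dict, or return None if it does not match."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def parse_fast_log(text):
    """Parse a whole fast.log body, silently skipping lines that do not match."""
    return [r for r in (parse_fast_log_line(l) for l in text.splitlines()) if r]


def flow_key(rec):
    """Identify a flow by protocol and 4-tuple (direction-sensitive, as fast.log prints it)."""
    return (rec["proto"], rec["src"], rec["sport"], rec["dst"], rec["dport"])


def duplicate_alerts(alerts):
    """Return {(flow_key, sid): count} for every sid that fired more than once on one flow."""
    counts = Counter((flow_key(r), r["sid"]) for r in alerts)
    return {key: n for key, n in counts.items() if n > 1}


def flows_missing_sid(alerts, present_sid, missing_sid):
    """Flows on which present_sid alerted but missing_sid never did.

    With present_sid = the raw tcp rule and missing_sid = the http rule, a hit
    here means the payload matched but the HTTP buffers were never populated,
    i.e. the stream engine did not hand the flow to the app-layer parser.
    """
    sids_by_flow = {}
    for r in alerts:
        sids_by_flow.setdefault(flow_key(r), set()).add(r["sid"])
    return sorted(fk for fk, sids in sids_by_flow.items()
                  if present_sid in sids and missing_sid not in sids)


if __name__ == "__main__":
    for name, text in (("full handshake", FULL_HANDSHAKE_LOG),
                       ("SYN|ACK missing", SYNACK_MISSING_LOG)):
        recs = parse_fast_log(text)
        print(f"{name}: {len(recs)} alert(s)")
        print("  duplicated sid/flow pairs:", duplicate_alerts(recs))
        print("  flows with tcp hit but no http hit:", flows_missing_sid(recs, 2, 1))
```

Run against a real fast.log the same way (read the file, call parse_fast_log); a non-empty result from flows_missing_sid(recs, 2, 1) is the quickest way to confirm whether the async-oneside change actually made the http rule fire on the one-sided flows.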