[Oisf-users] Issues with http rules and midstream processing

Anoop Saldanha anoopsaldanha at gmail.com
Fri Jan 25 03:31:07 UTC 2013 

The tcp rule has keywords to match on the raw stream.  And since
you've used "offset" it would try to match on both the individual
payloads as they pass through the detection engine, as well as the
reassembled stream supplied by the stream engine.

On Fri, Jan 25, 2013 at 2:36 AM, Matt <matt at somedamn.com> wrote:
> Oops, nevermind.  I should have looked at the source code first. :)  I found
> the "async-oneside" flag, and that's fixed it.  I am still curious as to why
> the tcp rule produces two alerts, though.
>
> Matt
>
> On 1/24/2013 3:38 PM, Matt wrote:
>
> Due to some peculiarities in my environment, I sometimes only see outbound
> packets.  I have "midstream: true" set in my config, but I'm having trouble
> with HTTP rules when the SYN packet is present, but the SYN|ACK is missing.
> Here are two test rules:
>
> alert http any any -> any 80 (msg:"http://lockedoutofheaven.in/ http";
> content:"/4/config.bin"; http_uri; content:"Host: lockedoutofheaven.in";
> nocase; http_header; classtype:trojan-activity; sid:1;)
> alert tcp any any -> any 80 (msg:"http://lockedoutofheaven.in/ tcp";
> content:"/4/config.bin"; offset:4; content:"Host: lockedoutofheaven.in";
> nocase; distance:10; classtype:trojan-activity; sid:2;)
>
> Test case #1: Full 3-way handshake
>
> 0   1   0.000000 85.167.26.187 -> 53.177.243.126 TCP 2084 > 80 [SYN] Seq=0
> Win=16384 Len=0 MSS=1460 WS=1 SACK_PERM=1
> 0   2   0.154565 53.177.243.126 -> 85.167.26.187 TCP 80 > 2084 [SYN, ACK]
> Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1 WS=64
> 0   3   0.164244 85.167.26.187 -> 53.177.243.126 TCP 2084 > 80 [ACK] Seq=1
> Ack=1 Win=16384 Len=0
> 0   4   0.164342 85.167.26.187 -> 53.177.243.126 TCP 2084 > 80 [PSH, ACK]
> Seq=1 Ack=1 Win=16384 Len=270
>
> Three alerts are produced for some reason.  The tcp alert hits twice, and
> the http alert hits once.
>
> 01/24/2013-10:55:25.079657  [**] [1:2:0] http://lockedoutofheaven.in/ tcp
> [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP}
> 85.167.26.187:2084 -> 53.177.243.126:80
> 01/24/2013-10:55:25.079657  [**] [1:2:0] http://lockedoutofheaven.in/ tcp
> [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP}
> 85.167.26.187:2084 -> 53.177.243.126:80
> 01/24/2013-10:55:25.079657  [**] [1:1:0] http://lockedoutofheaven.in/ http
> [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP}
> 85.167.26.187:2084 -> 53.177.243.126:80
>
> Test case #2: SYN|ACK missing
>
> 0   1   0.000000 85.167.26.187 -> 53.177.243.126 TCP 2084 > 80 [SYN] Seq=0
> Win=16384 Len=0 MSS=1460 WS=1 SACK_PERM=1
> 0   2   0.164244 85.167.26.187 -> 53.177.243.126 TCP 2084 > 80 [ACK] Seq=1
> Ack=1 Win=16384 Len=0
> 0   3   0.164342 85.167.26.187 -> 53.177.243.126 TCP 2084 > 80 [PSH, ACK]
> Seq=1 Ack=1 Win=16384 Len=270
>
> Only one tcp alert is produced:
>
> 01/24/2013-10:55:25.079657  [**] [1:2:0] http://lockedoutofheaven.in/ tcp
> [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP}
> 85.167.26.187:2084 -> 53.177.243.126:80
>
> Test case #3: Both SYN and SYN|ACK missing
>
> 0   1   0.000000 85.167.26.187 -> 53.177.243.126 TCP 2084 > 80 [ACK] Seq=1
> Ack=1 Win=16384 Len=0
> 0   2   0.000098 85.167.26.187 -> 53.177.243.126 TCP 2084 > 80 [PSH, ACK]
> Seq=1 Ack=1 Win=16384 Len=270
>
> 01/24/2013-10:55:25.079657  [**] [1:2:0] http://lockedoutofheaven.in/ tcp
> [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP}
> 85.167.26.187:2084 -> 53.177.243.126:80
> 01/24/2013-10:55:25.079657  [**] [1:2:0] http://lockedoutofheaven.in/ tcp
> [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP}
> 85.167.26.187:2084 -> 53.177.243.126:80
> 01/24/2013-10:55:25.079657  [**] [1:1:0] http://lockedoutofheaven.in/ http
> [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP}
> 85.167.26.187:2084 -> 53.177.243.126:80
>
> Again, I see two tcp alerts and one http alert.
>
> Test case #4: Only the HTTP GET is present
>
> 0   1   0.000000 85.167.26.187 -> 53.177.243.126 TCP 2084 > 80 [PSH, ACK]
> Seq=1 Ack=1 Win=16384 Len=270
>
> This produces the same output as before.  Two tcp alerts and one http:
>
> 01/24/2013-10:55:25.079657  [**] [1:2:0] http://lockedoutofheaven.in/ tcp
> [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP}
> 85.167.26.187:2084 -> 53.177.243.126:80
> 01/24/2013-10:55:25.079657  [**] [1:2:0] http://lockedoutofheaven.in/ tcp
> [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP}
> 85.167.26.187:2084 -> 53.177.243.126:80
> 01/24/2013-10:55:25.079657  [**] [1:1:0] http://lockedoutofheaven.in/ http
> [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP}
> 85.167.26.187:2084 -> 53.177.243.126:80
>
> So it appears that the stream processor can't recover when it sees a SYN,
> misses the SYN|ACK, and then sees subsequent packets in the stream.  I've
> attached anonymized pcaps for each test case.
>
> - Matt
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/



-- 
Anoop Saldanha

More information about the Oisf-users mailing list