[Oisf-users] home vs external net and really_external_net

Michał Purzyński michalpurzynski1 at gmail.com
Fri Dec 12 19:26:35 UTC 2014


Hello. I'm getting interesting results when trying to fine-tune the
rule set and get rid of most false positives. Some IP addresses /
subnets were changed for this email.

There are several variables defined, such as

    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,50.50.50.0/20,224.0.0.0/4,!$PROXY_SERVERS]"

    REALLY_EXTERNAL_NET: "!$HOME_NET"


OK, so REALLY_EXTERNAL_NET should be "everything not us", i.e. the
Internet. Now let's redefine the rules so that they only trigger on the
North-South direction and only from/to the Internet.


    alert http $HOME_NET any -> $REALLY_EXTERNAL_NET any (msg:"ET TROJAN Common Downloader Header Pattern UH"; flow:established,to_server; content:"GET"; http_method; nocase; content:" HTTP/1.1|0d 0a|User-Agent|3a| "; content:"|0d 0a|Host|3a| "; within:100; content:"|0d 0a 0d 0a|"; within:60; content:!".microsoft.com|0d 0a|"; content:!"|0d 0a|Accept"; content:!"|0d 0a|Cache"; content:!"|0d 0a|Connection"; flowbits:set,ET.header.bad; flowbits:set,ET.header.UH; classtype:bad-unknown; sid:2803274; rev:9;)

    alert http $REALLY_EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download HTTP"; flow:established,to_client; flowbits:isnotset,ET.http.binary; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:2018959; rev:2;)


Unfortunately both trigger on communication between hosts in
10.0.0.0/8. For example,

"TROJAN Common Downloader Header Pattern" triggers on

10.22.73.67 : 59212 -> 10.22.74.73 : 3128

How is that even possible, when it should only work for
really_external_net? What am I doing wrong here? :)

--
Cheers
Michal
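Added illustration, not part of the original post: a small evaluator of Suricata-style address groups (variables, nesting, `!` negation) showing how a negated variable can still match an address that looks internal. It follows the documented group semantics (an address matches if it hits a positive item and no negated item; a group made only of negated items means "any" minus those), and assumes a constructed PROXY_SERVERS value that happens to cover 10.22.74.73, which the post does not specify.

```python
"""Evaluate Suricata-style address groups with variables and negation."""
import ipaddress

# Constructed variable table modelled on the post. PROXY_SERVERS is not
# given in the post; its value here is an assumption for the example.
VARS = {
    "PROXY_SERVERS": "[10.22.74.0/24]",
    "HOME_NET": "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,"
                "50.50.50.0/20,224.0.0.0/4,!$PROXY_SERVERS]",
    "REALLY_EXTERNAL_NET": "!$HOME_NET",
}


def split_items(group):
    """Split a group string on top-level commas, honouring nested [ ]."""
    group = group.strip()
    if group.startswith("[") and group.endswith("]"):
        group = group[1:-1]
    items, depth, cur = [], 0, ""
    for ch in group:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            items.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        items.append(cur.strip())
    return items


def matches(addr, group, variables=VARS):
    """True if addr is in group: no negated item may hit, and at least one
    positive item must hit unless the group has only negated items."""
    ip = ipaddress.ip_address(addr)
    positives, negatives = [], []
    for item in split_items(group):
        negated = item.startswith("!")
        item = item[1:] if negated else item
        if item.startswith("$"):          # variable reference
            hit = matches(addr, variables[item[1:]], variables)
        elif item.startswith("["):        # nested group
            hit = matches(addr, item, variables)
        elif item == "any":
            hit = True
        else:                             # plain address or CIDR
            hit = ip in ipaddress.ip_network(item, strict=False)
        (negatives if negated else positives).append(hit)
    if any(negatives):
        return False
    return True if not positives else any(positives)
```

Because HOME_NET is "10.0.0.0/8 minus PROXY_SERVERS", its negation contains every proxy address, so a 10.x source talking to a proxy on 3128 satisfies `$HOME_NET -> $REALLY_EXTERNAL_NET`.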
