[Oisf-users] tcp.reassembly_gap

Luke Whitworth l.a.whitworth at gmail.com
Tue Jan 26 15:04:55 UTC 2016


Okay I've got a PCAP out of the Snort unified merged log for a rule that
triggered an alert, but that Suricata didn't.  However, I'm not sure how
much use it's really going to be tbh due to its brevity.  We don't/can't
do full PCAP due to the significant amount of traffic passing the sensors.

The rule that Snort triggered was:
Signature: ET TROJAN Possible Andromeda download with fake Zip heade...
Source: 23.61.255.33:80
Destination: 138.250.134.15:62892
Sig. ID: 2018576
Sig. Revision: 1

The rule is from the ET ruleset:

Snort version:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN
Possible Andromeda download with fake Zip header (2)";
flow:to_client,established; file_data; content:"PK|03 04|"; within:4;
byte_test:1,>,20,1,relative; flowbits:set,et.exploitkitlanding;
classtype:trojan-activity; sid:2018576; rev:1;)

Suricata version:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible
Andromeda download with fake Zip header (2)"; flow:to_client,established;
content:"|0d 0a 0d 0a|PK|03 04|"; byte_test:1,>,20,1,relative;
flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2018576;
rev:3;)

Anyway, fwiw pcap is available here:
https://drive.google.com/file/d/0B2nEgajl8-1-WmdhTTNlVFRtTlE/view?usp=sharing

Cheers,

Luke
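The two rule texts differ in where they anchor the same byte_test: the Snort revision runs it on the decoded response body (file_data), while the Suricata revision quoted looks for the blank line that ends the headers followed directly by the ZIP signature. The Python below is an added example, not code from the thread or from the ET/Suricata projects; it models both checks over constructed responses and assumes a minimal de-chunking helper plus my reading of `within:4` as "signature at body offset 0". Whether any of this is behind the missed alert in this thread is not something the thread shows.

```python
ZIP_SIG = b"PK\x03\x04"  # ZIP local file header signature

def fake_zip_byte_test(buf: bytes, sig_at: int) -> bool:
    """byte_test:1,>,20,1,relative: the byte 1 past the signature match must be > 20.
    In a real archive it is the high byte of the little-endian 'version needed to
    extract' field, normally 0x00, so a value above 20 marks a fake header."""
    pos = sig_at + len(ZIP_SIG) + 1
    return pos < len(buf) and buf[pos] > 20

def decoded_body(raw_response: bytes) -> bytes:
    """Minimal stand-in (assumed) for the HTTP normaliser behind file_data:
    split off the headers and undo Transfer-Encoding: chunked."""
    head, _, body = raw_response.partition(b"\r\n\r\n")
    if b"transfer-encoding: chunked" not in head.lower():
        return body
    out = b""
    while body:
        size_line, _, body = body.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            break
        out, body = out + body[:size], body[size + 2:]  # chunk data, then its CRLF
    return out

def snort_rev1(raw_response: bytes) -> bool:
    """file_data; content:"PK|03 04|"; within:4 (read here as: the signature must
    open the decoded body), followed by the byte_test."""
    body = decoded_body(raw_response)
    return body.startswith(ZIP_SIG) and fake_zip_byte_test(body, 0)

def suricata_rev3(raw_response: bytes) -> bool:
    """content:"|0d 0a 0d 0a|PK|03 04|" on the raw response bytes, then the byte_test."""
    hit = raw_response.find(b"\r\n\r\n" + ZIP_SIG)
    return hit >= 0 and fake_zip_byte_test(raw_response, hit + 4)

# Constructed samples, not captured traffic. In version bytes 0x14 0x63 the high byte (99) trips the byte_test.
FAKE_ZIP = b"PK\x03\x04\x14\x63\x00\x00\x08\x00" + b"\x00" * 20
REAL_ZIP = b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 20
HDR = b"HTTP/1.1 200 OK\r\nContent-Type: application/zip\r\n"
SAMPLES = {
    "fake_identity": HDR + b"Content-Length: 30\r\n\r\n" + FAKE_ZIP,
    "real_identity": HDR + b"Content-Length: 30\r\n\r\n" + REAL_ZIP,
    # same fake body, chunked: a chunk-size line now separates the blank line from
    # "PK", so the raw-anchored content match no longer lines up
    "fake_chunked": HDR + b"Transfer-Encoding: chunked\r\n\r\n"
    + b"%x\r\n" % len(FAKE_ZIP) + FAKE_ZIP + b"\r\n0\r\n\r\n",
}
def verdicts() -> dict:
    return {n: (snort_rev1(r), suricata_rev3(r)) for n, r in SAMPLES.items()}
```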

On 26 January 2016 at 11:33, Luke Whitworth <l.a.whitworth at gmail.com> wrote:

> Thanks for the reply.  I'm looking at seeing if I can get a PCAP of the
> alert that was missed out of Snort's unified log (using u2boat if memory
> serves).  Until then here's the current stats.log:
>
> Date: 1/26/2016 -- 11:30:17 (uptime: 0d, 02h 23m 02s)
> -------------------------------------------------------------------
> Counter                   | TM Name                   | Value
> -------------------------------------------------------------------
> capture.kernel_packets    | Total                     | 682560755
> capture.kernel_drops      | Total                     | 58551
> decoder.pkts              | Total                     | 682631014
> decoder.bytes             | Total                     | 560340398074
> decoder.invalid           | Total                     | 16
> decoder.ipv4              | Total                     | 682297726
> decoder.ipv6              | Total                     | 2707083
> decoder.ethernet          | Total                     | 682631014
> decoder.raw               | Total                     | 0
> decoder.null              | Total                     | 0
> decoder.sll               | Total                     | 0
> decoder.tcp               | Total                     | 615528819
> decoder.udp               | Total                     | 66707900
> decoder.sctp              | Total                     | 0
> decoder.icmpv4            | Total                     | 340969
> decoder.icmpv6            | Total                     | 40166
> decoder.ppp               | Total                     | 1847
> decoder.pppoe             | Total                     | 0
> decoder.gre               | Total                     | 1847
> decoder.vlan              | Total                     | 0
> decoder.vlan_qinq         | Total                     | 0
> decoder.teredo            | Total                     | 1402773
> decoder.ipv4_in_ipv6      | Total                     | 0
> decoder.ipv6_in_ipv6      | Total                     | 0
> decoder.mpls              | Total                     | 0
> decoder.avg_pkt_size      | Total                     | 820
> decoder.max_pkt_size      | Total                     | 1514
> decoder.erspan            | Total                     | 0
> flow.memcap               | Total                     | 0
> defrag.ipv4.fragments     | Total                     | 11194
> defrag.ipv4.reassembled   | Total                     | 5420
> defrag.ipv4.timeouts      | Total                     | 0
> defrag.ipv6.fragments     | Total                     | 663
> defrag.ipv6.reassembled   | Total                     | 314
> defrag.ipv6.timeouts      | Total                     | 0
> defrag.max_frag_hits      | Total                     | 0
> tcp.sessions              | Total                     | 3176947
> tcp.ssn_memcap_drop       | Total                     | 0
> tcp.pseudo                | Total                     | 880612
> tcp.pseudo_failed         | Total                     | 0
> tcp.invalid_checksum      | Total                     | 3089
> tcp.no_flow               | Total                     | 0
> tcp.syn                   | Total                     | 3678418
> tcp.synack                | Total                     | 3391449
> tcp.rst                   | Total                     | 2451453
> tcp.segment_memcap_drop   | Total                     | 0
> tcp.stream_depth_reached  | Total                     | 22919
> tcp.reassembly_gap        | Total                     | 316061
> detect.alert              | Total                     | 33
> flow_mgr.closed_pruned    | Total                     | 2579970
> flow_mgr.new_pruned       | Total                     | 912247
> flow_mgr.est_pruned       | Total                     | 2167370
> flow.spare                | Total                     | 50481
> flow.emerg_mode_entered   | Total                     | 0
> flow.emerg_mode_over      | Total                     | 0
> flow.tcp_reuse            | Total                     | 98282
> tcp.memuse                | Total                     | 33052864
> tcp.reassembly_memuse     | Total                     | 2067435230
> dns.memuse                | Total                     | 16785488
> dns.memcap_state          | Total                     | 0
> dns.memcap_global         | Total                     | 2703798
> http.memuse               | Total                     | 251321971
> http.memcap               | Total                     | 0
> flow.memuse               | Total                     | 93978880
>
> Cheers,
>
> Luke
>
> On 26 January 2016 at 11:28, Victor Julien <lists at inliniac.net> wrote:
>
>> On 26-01-16 11:32, Luke Whitworth wrote:
>>
>>> Still sadly seeing some gaps in detection on Suricata that I'm not
>>> seeing in Snort on this host.  Both Snort and Suricata are pulling from
>>> pfring, running side by side on the same server.  If I check detections
>>> side by side:
>>>
>>> Snort
>>> GB 138.250.4.235    CN 140.207.217.32    ET TROJAN Possible
>>> Win32/Hupigon ip.txt with a Non-Mozilla UA        9:15 AM
>>> GB 138.250.128.17    GB 138.250.13.32    ET TROJAN Downloader User-Agent
>>> HTTPGET                    9:35 AM
>>> GB 138.250.5.215    DE 46.33.68.72        ET CURRENT_EVENTS Fake Virus
>>> Phone Scam Landing Nov 16            9:41 AM
>>> GB 138.250.72.201    -- 104.66.229.96    ET CURRENT_EVENTS Terse
>>> alphanumeric executable downloader hig...    9:49 AM
>>>
>>> Suricata
>>> 01/26/2016-09:15:14.166186  [**] [1:2016950:2] ET TROJAN Possible
>>> Win32/Hupigon ip.txt with a Non-Mozilla UA [**] [Classification: A
>>> Network Trojan was detected] [Priority: 1] {TCP} 138.250.4.235:63342
>>> -> 115.159.15.29:80
>>> 01/26/2016-09:41:37.799048  [**] [1:2022103:2] ET CURRENT_EVENTS Fake
>>> Virus Phone Scam Landing Nov 16 [**] [Classification: A Network Trojan
>>> was detected] [Priority: 1] {TCP} 138.250.5.215:58869 -> 46.33.68.72:80
>>> 01/26/2016-09:49:24.287326  [**] [1:2019714:3] ET CURRENT_EVENTS Terse
>>> alphanumeric executable downloader high likelihood of being hostile [**]
>>> [Classification: Potentially Bad Traffic] [Priority: 2] {TCP}
>>> 138.250.72.201:65131 -> 104.66.229.96:80
>>>
>>> So for some reason Snort managed to detect the event at 9:35 AM that
>>> Suricata didn't.  I'm having a bit of trouble getting to the bottom of
>>> why this might be the case.  Does anyone have any suggestions for me
>>> where to start?
>>>
>>
>>
>> Pcap would be useful of course :)
>>
>> Also, can you share a full section of your stats.log?
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 9-11 in Washington, DC:
>> http://oisfevents.net
>>
>
>
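To put a stats.log like the one quoted above to use: the Python below is an added example (mine, not from the thread or the Suricata project) that parses the `Counter | TM Name | Value` rows, tolerating the `>` quote marks, and turns the raw counters into per-packet and per-session rates, since 316061 reassembly gaps only mean something measured against 3176947 sessions. The sample reuses the thread's own figures; the thresholds are assumptions for illustration, not Suricata defaults.

```python
import re
from typing import Dict, List

# One stats.log row: "tcp.reassembly_gap        | Total                     | 316061"
ROW = re.compile(r"^(?P<counter>[\w.]+)\s*\|\s*[^|]+\|\s*(?P<value>\d+)\s*$")

def parse_stats(text: str) -> Dict[str, int]:
    """Return {counter: value} for one stats.log dump; '>' quote prefixes are tolerated."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        m = ROW.match(line.lstrip("> ").rstrip())
        if m:
            stats[m.group("counter")] = int(m.group("value"))
    return stats

def rate(stats: Dict[str, int], num: str, den: str) -> float:
    return stats.get(num, 0) / stats[den] if stats.get(den) else 0.0

def reassembly_health(stats: Dict[str, int]) -> Dict[str, object]:
    """Derived indicators for a missed alert; thresholds are illustrative, not Suricata defaults."""
    out: Dict[str, object] = {
        "kernel_drop_rate": rate(stats, "capture.kernel_drops", "capture.kernel_packets"),
        "gaps_per_session": rate(stats, "tcp.reassembly_gap", "tcp.sessions"),
        "depth_reached_per_session": rate(stats, "tcp.stream_depth_reached", "tcp.sessions"),
    }
    flags: List[str] = []
    if out["gaps_per_session"] > 0.05:       # stream data was missing when inspection needed it
        flags.append("reassembly gaps on >5% of TCP sessions")
    if out["kernel_drop_rate"] > 0.001:      # packets the kernel never handed to Suricata
        flags.append("kernel dropping >0.1% of packets")
    if out["depth_reached_per_session"] > 0.001:  # bytes beyond stream.reassembly.depth go uninspected
        flags.append("stream depth reached on some sessions")
    out["flags"] = flags
    return out

# Constructed excerpt: the rows reuse figures from the stats.log quoted in this thread,
# trimmed to the counters the health check reads (header and quote marks left in on purpose).
SAMPLE = """\
> Counter                   | TM Name                   | Value
> capture.kernel_packets    | Total                     | 682560755
> capture.kernel_drops      | Total                     | 58551
> tcp.sessions              | Total                     | 3176947
> tcp.stream_depth_reached  | Total                     | 22919
> tcp.reassembly_gap        | Total                     | 316061
> detect.alert              | Total                     | 33
"""

if __name__ == "__main__":
    print(reassembly_health(parse_stats(SAMPLE)))
```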