[Oisf-users] Possible bug with flow tracking engine via config or design

Hovsep Levi hovsep.sanjay.levi at gmail.com
Fri Sep 9 21:20:14 UTC 2016


We recently experienced a DoS attack leaving our network that erroneously
triggered the 2020381 signature for a number of spoofed IPs, 238 in total.
In review it seems the signature should not have fired and suggests a
possible bug in the flow tracking engine by config limits or design.

The DoS attack was a TCP SYN flood attack with packet size varying between
1010 and 1042 and either the SYN flag, SYN+ECE, or SYN+CWR flags set.
There was no three-way handshake with the target at any time.  Source ports
were randomized.

Signature, notice the "established" keyword:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DDoS.XOR
Checkin"; flow:to_server,established; content:"BB2FA36AAA9541F0";
depth:500; reference:url,
classtype:trojan-activity; sid:2020381; rev:3;)

Here are the netflows for a specific TCP flow (randomized IPs).  The flows
are #13 and #43 of 287 sent to the target.

TCP ->

sIP | dIP | sPort | dPort | pro | packets | bytes | flags | sTime
    |     | 14717 | 8300  | 6   | 1       | 1034  | S E   | 2016/09/08T09:09:19.994
    |     | 14717 | 8300  | 6   | 1       | 1034  | S E   |

Here is the Suricata event which fired on flow #43:

"rulesid": "2020381",
"rulerev": "3",
"classification": "A Network Trojan was Detected",
"suri_priority": "1",
"proto": "TCP",
"orig_h": "",
"orig_p": "14717",
"resp_h": "",
"resp_p": "8300",
"event_timestamp": "2016-09-08T09:09:45.991Z",
"rule": "1:2020381:3 -- ET TROJAN DDoS.XOR Checkin ",

Unfortunately file logging was not enabled so there's no suricata.log file
to check for emergency mode conditions.  These sensors have plenty of
memory available so I think it's caused by config limits and/or something
with the flow engine.

Maybe someone with better knowledge can provide ideas as to why a
non-established flow triggered a signature with the established keyword.

Config excerpt (suricata.yaml; section names follow the standard layout,
values as posted):

flow:
  memcap: 24gb
  hash-size: 262144
  prealloc: 200000
  emergency-recovery: 30

flow-timeouts:
  default:
    new: 30
    established: 120
    closed: 0
    emergency-new: 10
    emergency-established: 60
    emergency-closed: 0
  tcp:
    new: 60
    established: 120
    closed: 120
    emergency-new: 10
    emergency-established: 60
    emergency-closed: 20
  udp:
    new: 30
    established: 120
    emergency-new: 10
    emergency-established: 60
  icmp:
    new: 30
    established: 120
    emergency-new: 10
    emergency-established: 60

stream:
  memcap: 32gb
  checksum-validation: yes # reject wrong csums
  inline: no # auto will use inline mode in IPS mode, yes or no set it
  reassembly:
    memcap: 16gb
    depth: 6mb # reassemble 6mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
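The triage the post describes (cross-checking an alert that carries flow:established against the netflow record for the same 5-tuple) can be scripted. The following is an added example, not code from the post or from Suricata: it parses the pipe-delimited flow export layout shown above and the rule's flow: option, and flags alerts whose client-side flow record shows no completed handshake. The one-SYN record reuses the post's values (sport 14717, dport 8300, 1034 bytes, flags S E); the second flow record, the alert list and all function names are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed flow export in the pipe-delimited layout used in the post; sIP and
# dIP are blank as in the post. The first data row is flow #43 from the post
# (one 1034-byte packet, flags S and E). The second row is a constructed
# contrasting client->server record whose flags include SYN, PSH and ACK.
NETFLOW_RECORDS = """\
sIP|dIP|sPort|dPort|pro|packets|bytes|flags|sTime
||14717|8300|6|1|1034|S E|2016/09/08T09:09:19.994
||40221|8300|6|7|1640|S PA|2016/09/08T09:10:02.113
"""

# The rule from the post (the reference URL is omitted, as in the post).
RULE_2020381 = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DDoS.XOR Checkin"; '
    'flow:to_server,established; content:"BB2FA36AAA9541F0"; depth:500; '
    'classtype:trojan-activity; sid:2020381; rev:3;)'
)

# Constructed alerts in the shape of the post's event fields (sid, orig_p, resp_p).
ALERTS = [
    {"sid": 2020381, "orig_p": 14717, "resp_p": 8300},
    {"sid": 2020381, "orig_p": 40221, "resp_p": 8300},
]


@dataclass
class Flow:
    sport: int
    dport: int
    proto: int
    packets: int
    nbytes: int
    flags: set


def parse_netflow(text):
    """Parse the pipe-delimited flow export into Flow objects."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].split("|")]
    flows = []
    for line in lines[1:]:
        row = dict(zip(header, (c.strip() for c in line.split("|"))))
        flows.append(Flow(
            sport=int(row["sPort"]), dport=int(row["dPort"]),
            proto=int(row["pro"]), packets=int(row["packets"]),
            nbytes=int(row["bytes"]),
            # TCP flag letters (S, A, P, F, R, E, C) are space-padded in the
            # export; keep only the letters.
            flags=set(row["flags"].replace(" ", "")),
        ))
    return flows


def rule_flow_options(rule):
    """Return the tokens of the rule's flow: option, e.g. {'to_server', 'established'}."""
    m = re.search(r"\bflow:([^;]+);", rule)
    return set(t.strip() for t in m.group(1).split(",")) if m else set()


def rule_sid(rule):
    """Return the rule's sid as an int, or None if absent."""
    m = re.search(r"\bsid:(\d+);", rule)
    return int(m.group(1)) if m else None


def client_side_established(flow):
    """Conservative check on a unidirectional client->server record: an
    established TCP session needs the client to have sent a SYN and later an
    ACK, so at least two packets with both S and A flags seen. A single
    SYN-only packet (the post's case) can never be established."""
    return flow.proto == 6 and flow.packets >= 2 and {"S", "A"} <= flow.flags


def suspect_alerts(alerts, flows, rules):
    """Return (sid, sport) pairs where the rule requires 'established' but the
    matching flow record shows the handshake never completed."""
    by_sid = {rule_sid(r): rule_flow_options(r) for r in rules}
    by_ports = {(f.sport, f.dport): f for f in flows}
    suspects = []
    for alert in alerts:
        opts = by_sid.get(alert["sid"], set())
        flow = by_ports.get((alert["orig_p"], alert["resp_p"]))
        if "established" in opts and flow and not client_side_established(flow):
            suspects.append((alert["sid"], alert["orig_p"]))
    return suspects


if __name__ == "__main__":
    for sid, sport in suspect_alerts(ALERTS, parse_netflow(NETFLOW_RECORDS), [RULE_2020381]):
        print(f"sid {sid} fired on a non-established flow from source port {sport}")
```

The handshake check is deliberately strict because a SiLK-style export records each direction separately: without SYN and a later ACK on the client side the sensor could not have seen a three-way handshake, so any established-only rule firing on that record is worth a second look regardless of what the flow engine believed.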