[Oisf-users] signature question

erik clark philosnef at gmail.com
Fri Jul 14 17:56:37 UTC 2017


Thanks! So I was on the right track. Now, though, I have a weird follow-up
question. The first sig would be used to set a flowbit. The response from
the malicious server then has a series of 16 bytes at the end of it, every
time. Soooo...

Remote host talks to local host. Local host spits back malicious string.
Remote host spews back traffic, which ends the stream in those 16 bytes.

Is there a way to inspect the last 16 bytes of a stream that fired the
first sig, which sets a flowbit? So...

alert tcp $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; flowbits:set,actor; sid:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (flow:established,to_client; flowbits:isset,actor; sid:2;)

with a noalert on setting the flowbit?


On Fri, Jul 14, 2017 at 12:47 PM, Travis Green <travis at travisgreen.net>
wrote:

> Erik, you likely want:
>
> $HOME_NET -> $EXTERNAL_NET with flow:established,to_server;
>
> Would also recommend setting a flowbit on the inbound traffic and check
> isset on this outbound traffic. The ET netwire rat sigs are similar, might
> make a good template (2021290).
>
> HTH,
> -T
>
> On Fri, Jul 14, 2017 at 9:58 AM, erik clark <philosnef at gmail.com> wrote:
>
>> I have a flow and data question about a signature I am trying to write.
>>
>> I have a remote source initiating a connection to a local address, which
>> then responds to the remote source with a given hex string 4 bytes long,
>> offset 0.
>>
>> I am looking at this:
>>
>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Flow-keywords
>>
>> but don't quite follow if I should use flow:from_server with src internal
>> dest external, or established (which means it already was inspected as
>> having a remote handshake with a local response that I am trying to alert
>> off of?)
>>
>> Thanks!
>>
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
>>
>
>
>
> --
> PGP: ABE625E6
> keybase.io/travisbgreen
>
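As an added example that is not part of the thread and not taken from the ET ruleset, here is the two-rule flowbit pattern discussed above written out in Suricata rule syntax. The byte values, msg strings and sids are placeholders; only the shape comes from the thread. Because the remote host opened the connection, the local host's 4-byte response travels to_client and the remote host's follow-on traffic travels to_server. The isdataat:!1,relative check asserts that nothing follows the 16-byte content in the buffer Suricata is inspecting, which is the closest the rule language gets to "end of the stream".

```suricata
# Added example; byte patterns, msg text and sids are placeholders (assumptions).
# Rule 1: the local host answers an externally initiated connection with a fixed
# 4-byte string at payload offset 0. Set a flowbit but do not alert on this rule.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL actor beacon response (placeholder pattern)"; flow:established,to_client; content:"|de ad be ef|"; offset:0; depth:4; flowbits:set,actor; flowbits:noalert; sid:9000001; rev:1;)

# Rule 2: later traffic from the remote host on the same flow whose inspected
# data ends with the 16-byte trailer. isdataat:!1,relative means "no byte
# follows the match", so the trailer has to be the last thing in the buffer.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"REMOTE actor trailer after beacon (placeholder pattern)"; flow:established,to_server; flowbits:isset,actor; content:"|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|"; isdataat:!1,relative; sid:9000002; rev:1;)
```

Two caveats worth checking before relying on this. First, reassembled stream data is inspected in chunks, so "no byte follows the match" is evaluated against the packet payload or the reassembled segment being inspected, not against the whole TCP connection; treat rule 2 as "the trailer closes a packet or reassembled segment" rather than a guarantee that the connection ends there. Second, flowbits are scoped to a single flow, so rule 2 only fires on the same TCP connection in which rule 1 set the bit; if the follow-on traffic arrives on a separate connection from the same host, use xbits with an ip_pair or ip_src track instead. Validate the file with suricata -T against your suricata.yaml before loading it.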