[Oisf-users] signature question

Travis Green travis at travisgreen.net
Sun Jul 16 20:45:28 UTC 2017


Eric, if they are a static 16 bytes, the easiest thing is probably to do
content:"|16 bytes|"; isdataat:!1,relative; on that with $EXTERNAL_NET to
$HOME_NET flow:established,to_client;

Otherwise, Yep, you've got it!

On Fri, Jul 14, 2017 at 11:56 AM, erik clark <philosnef at gmail.com> wrote:

> Thanks! So I was on the right track. Now though, I have a weird followup
> question. The first sig would be used to set a flowbit. The response from
> the malicious server then has a series of 16 bytes at the end of it, every
> time.
>
> at the end of the response. Soooo...
> Remote host talks to local host.  localhost spits back malicious string.
> remote host spews back traffic, which ends the stream in those 16 bytes.
>
> Is there a way to inspect the last 16 bytes of a stream that fired the
> first sig, which sets a flowbit? So...
>
> $HOME_NET any -> $EXTERNAL_NET any with flow:established,to_server;
> flowbit:set,actor; sid 1
> $EXTERNAL_NET -> $HOME_NET any with flow established, to_client;
> flowbit:isset,actor; sid 2
>
> with a noalert on setting the flowbit?
>
>
> On Fri, Jul 14, 2017 at 12:47 PM, Travis Green <travis at travisgreen.net>
> wrote:
>
>> Erik, you likely want:
>>
>> $HOME_NET -> $EXTERNAL_NET with flow:established,to_server;
>>
>> Would also recommend setting a flowbit on the inbound traffic and check
>> isset on this outbound traffic. The ET netwire rat sigs are similar, might
>> make a good template (2021290).
>>
>> HTH,
>> -T
>>
>> On Fri, Jul 14, 2017 at 9:58 AM, erik clark <philosnef at gmail.com> wrote:
>>
>>> I have a flow and data question about a signature I am trying to write.
>>>
>>> I have a remote source initiating a connection to a local address, which
>>> then responds to the remote source with a given hex string 4 bytes long,
>>> offset 0.
>>>
>>> I am looking at this:
>>>
>>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Flow-keywords
>>>
>>> but don't quite follow if I should use flow:from_server with src
>>> internal dest external, or established (which means it already was
>>> inspected as having a remote handshake with a local response that I am
>>> trying to alert off of?)
>>>
>>> Thanks!
>>>
>>>
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>
>>> Conference: https://suricon.net
>>> Trainings: https://suricata-ids.org/training/
>>>
>>
>>
>>
>> --
>> PGP: ABE625E6
>> keybase.io/travisbgreen
>>
>
>


-- 
PGP: ABE625E6
keybase.io/travisbgreen
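The two-rule pattern discussed in this thread, as an added example that is not from the thread or from the Suricata project: the first rule matches the local host's 4-byte reply at offset 0 and only sets a flowbit (flowbits:noalert keeps it silent), and the second alerts on the remote peer's follow-up traffic when that flowbit is set and the 16-byte sequence is the last thing in the inspected buffer. The byte values, flowbit name and sids are placeholders; the example assumes the remote host initiated the TCP session, so the local reply is to_client and the remote's follow-up is to_server (swap the two if the local host initiated).

```suricata
# Rule 1: the local host's reply carrying the 4-byte marker at offset 0.
# Placeholder bytes. flowbits:noalert means this rule only records state and
# never raises an alert on its own.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE local reply marker seen, flowbit set"; flow:established,to_client; content:"|DE AD BE EF|"; offset:0; depth:4; flowbits:set,example.actor; flowbits:noalert; sid:9000001; rev:1;)

# Rule 2: the remote host's follow-up, only on flows where rule 1 already fired.
# isdataat:!1,relative asserts that no byte follows the 16-byte match, i.e. the
# match sits at the end of the buffer Suricata is inspecting (packet payload or
# reassembled stream data), which is not necessarily the end of the TCP connection.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE trailing 16-byte marker after flagged reply"; flow:established,to_server; flowbits:isset,example.actor; content:"|00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF|"; isdataat:!1,relative; sid:9000002; rev:1;)
```

Without flowbits:noalert on the first rule, every reply carrying the 4-byte marker would alert by itself rather than only when the 16-byte trailer follows.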