[Oisf-users] testing rules using pcap file

Travis Green travis at travisgreen.net
Wed Jun 13 21:00:50 UTC 2018 

Oops... After a more careful re-read, I think this is what you're looking
for:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Cryptocurrency
Miner Checkin"; flow:established,to_server; content:"|7b 22|id|22 3a|";
nocase; depth:6; fast_pattern; content:"|22|jsonrpc|22 3a|"; nocase;
distance:0; content:"|22 2c 22|method|22 3a 22|login|22 2c 22|params|22
3a|"; content:"|22|login|22 3a 22|"; nocase; content:"|22 2c 22|pass|22 3a
22|"; nocase; content:"|22 2c 22|agent|22 3a 22|"; nocase;
content:!"<title"; nocase; content:!"<script"; nocase; content:!"<html";
nocase; classtype:policy-violation; sid:10000;)

On Wed, Jun 13, 2018 at 2:51 PM, Travis Green <travis at travisgreen.net>
wrote:

> Hey Russell,
> Content match order does not matter unless you use distance:0; on
> subsequent matches. A quick look at ET rules shows 2024792 to be either
> what you're looking for or close to it.
>
> Here
> <http://blog.joelesler.net/2010/03/offset-depth-distance-and-within.html>
> is a classic blog post from Joel Esler that touches on it (for Snort, but
> Suricata is the same in this regard).
>
> Hope that helps,
> -Travis
>
> On Wed, Jun 13, 2018 at 2:39 PM, Russell Fulton <r.fulton at auckland.ac.nz>
> wrote:
>
>> Hi
>>
>> I have been trying to modify an existing rule for crypto miners to cope
>> with traffic from what is presumably a related mining script.   The issue
>> is that the json has items in a different order.
>>
>> I have a pcap of the new traffic from Moloch and I have created a cut
>> down config file which loads a single file with the new rule in it:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY
>> Cryptocurrency Miner Checkin"; )
>>
>>
>> sensors at secmontst01:~$ suricata -c suri-test.yaml -r
>> ~rful011/180612-zj4MWV_96udJEZLpZ-rqyYu9.pcap
>> Initialization syslog logging with format "[%i] <%d> -- ".
>> 13/6/2018 -- 15:20:23 - <Notice> - This is Suricata version 4.0.4 RELEASE
>> 13/6/2018 -- 15:20:23 - <Info> - CPUs/cores online: 16
>> 13/6/2018 -- 15:20:23 - <Info> - Protocol detection and parser disabled
>> for smb protocol.
>> 13/6/2018 -- 15:20:23 - <Info> - Protocol detection and parser disabled
>> for dcerpc protocol.
>> 13/6/2018 -- 15:20:23 - <Info> - Protocol detection and parser disabled
>> for dcerpc protocol.
>> 13/6/2018 -- 15:20:23 - <Info> - No 'host-mode': suricata is in IDS mode,
>> using default setting 'sniffer-only'
>> 13/6/2018 -- 15:20:23 - <Info> - 1 rule files processed. 1 rules
>> successfully loaded, 0 rules failed
>> 13/6/2018 -- 15:20:23 - <Info> - Threshold config parsed: 0 rule(s) found
>> 13/6/2018 -- 15:20:23 - <Info> - 1 signatures processed. 0 are IP-only
>> rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are
>> decoder event only
>> 13/6/2018 -- 15:20:23 - <Info> - Syslog output initialized
>> 13/6/2018 -- 15:20:23 - <Info> - reading pcap file
>> /home/rful011/180612-zj4MWV_96udJEZLpZ-rqyYu9.pcap
>> 13/6/2018 -- 15:20:24 - <Notice> - all 17 packet processing threads, 2
>> management threads initialized, engine started.
>> 13/6/2018 -- 15:20:24 - <Info> - pcap file end of file reached (pcap err
>> code 0)
>> 13/6/2018 -- 15:20:24 - <Notice> - Signal Received.  Stopping engine.
>> 13/6/2018 -- 15:20:24 - <Info> - time elapsed 0.402s
>> 13/6/2018 -- 15:20:24 - <Notice> - Pcap-file module read 36 packets, 5452
>> bytes
>> 13/6/2018 -- 15:20:24 - <Info> - Alerts: 0
>> 13/6/2018 -- 15:20:24 - <Info> - cleaning up signature grouping
>> structure… complete
>>
>>
>> As ususal I appear to be missing something!   It is a long time since I
>> dabbled in rule writing.
>>
>>
>> Related to this can I have a bunch of content items that will match even
>> if the items occur in a different order in the traffic?  For example:
>>
>> {"id":"1","jsonrpc":"2.0","method":"login","params":{"agent"
>> :"MinerGateWin/8.1","login”: ……
>>
>> the current rule expects the “login” before the “agent” in the params
>> hash.   In the original rule the content after “params” is “login”;
>> distance 0 then content “agent” …
>>
>> From my reading of the manual I can’t see a way of writing a single rule
>> which will match when to params are in any order.  I.e.  anchor all the
>> searches at the beginning of hash.   My understanding is that distance
>> always relates to previous match.  Correct ?
>>
>> Russell
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
>>
>
>
>
> --
> PGP: ABE625E6
> keybase.io/travisbgreen
>



-- 
PGP: ABE625E6
keybase.io/travisbgreen
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180613/e41310d5/attachment.html>

More information about the Oisf-users mailing list