[Oisf-users] suricata: parsing problem
Jorge Aranda Siguero
jorge_aranda at innotecsystem.com
Wed Sep 26 14:39:34 UTC 2018
Good afternoon,
I have a strange behavior with a Suricata deployment and I am not able
to fix it.
As written below, no payload is being generated in the unified file
for the packet that matches the specific rule, but despite this fact it is
correctly working with other rules.
You can see two examples, the first one with the wrong behavior and the
second one with the right one:
FIRST EXAMPLE (we are not being given the "If:..." in the rule)
(Event)
sensor id: 0 event id: 453859 event second: 1537902695 event microsecond: 9232
sig id: 42110 gen id: 1 revision: 1 classification: 12
priority: 1 ip source: XXX.XXX.XXX.XXX ip destination: XXX.XXX.XXX.XXX
src port: 60875 dest port: 80 protocol: 6 impact_flag: 0 blocked: 0
Packet
sensor id: 0 event id: 453859 event second: 1537902695
packet second: 1537902695 packet microsecond: 9232
linktype: 12 packet_length: 40
[ 0] 45 00 00 28 00 00 00 00 40 06 DE F2 2F 64 1E B3 E..(.... at .../d..
[ 16] D4 80 79 46 ED CB 00 50 AF 40 4A 0F 20 75 F3 BF ..yF...P. at J. u..
[ 32] 50 10 0A 00 0E 56 00 00 P....V..
(Event)
sensor id: 0 event id: 453860 event second: 1537902695 event microsecond: 9232
sig id: 2024107 gen id: 1 revision: 2 classification: 9
priority: 1 ip source: XXX.XXX.XXX.XXX ip destination: XXX.XXX.XXX.XXX
src port: 60875 dest port: 80 protocol: 6 impact_flag: 0 blocked: 0
Packet
sensor id: 0 event id: 453860 event second: 1537902695
packet second: 1537902695 packet microsecond: 9232
linktype: 12 packet_length: 40
[ 0] 45 00 00 28 00 00 00 00 40 06 DE F2 2F 64 1E B3 E..(.... at .../d..
[ 16] D4 80 79 46 ED CB 00 50 AF 40 4A 0F 20 75 F3 BF ..yF...P. at J. u..
[ 32] 50 10 0A 00 0E 56 00 00 P....V..
SECOND EXAMPLE (the "If:" generated can be observed in the rule match)
(Event)
sensor id: 0 event id: 11162 event second: 1537926001 event microsecond: 822266
sig id: 42110 gen id: 1 revision: 1 classification: 12
priority: 1 ip source: XXX.XXX.XXX.XXX ip destination: XXX.XXX.XXX.XXX
src port: 61075 dest port: 80 protocol: 6 impact_flag: 0 blocked: 0
Packet
sensor id: 0 event id: 11162 event second: 1537926001
packet second: 1537926001 packet microsecond: 822266
linktype: 1 packet_length: 1514
[ 0] 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
[ 16] 05 DC 00 00 00 00 00 06 BC 64 67 4C 55 CF D4 80 .........dgLU...
[ 32] 67 1C EE 93 00 50 00 00 00 00 00 00 00 00 50 00 g....P........P.
[ 48] 00 00 BA 20 00 00 50 52 4F 50 46 49 4E 44 20 2F ... ..PROPFIND /
[ 64] 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A HTTP/1.1..Host:
[ 80] 20 6C 6F 63 61 6C 68 6F 73 74 0D 0A 43 6F 6E 6E localhost..Conn
[ 96] 65 63 74 69 6F 6E 3A 20 43 6C 6F 73 65 0D 0A 43 ection: Close..C
[ 112] 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 30 ontent-Length: 0
[ 128] 0D 0A 49 66 3A 20 3C 68 74 74 70 3A 2F 2F 6C 6F ..If: <http://lo
[ 144] 63 61 6C 68 6F 73 74 2F 61 61 61 61 61 61 61 E6 calhost/aaaaaaa.
[ 160] BD A8 E7 A1 A3 E7 9D A1 E7 84 B3 E6 A4 B6 E4 9D ................
[ 176] B2 E7 A8 B9 E4 AD B7 E4 BD B0 E7 95 93 E7 A9 8F ................
[ 192] E4 A1 A8 E5 99 A3 E6 B5 94 E6 A1 85 E3 A5 93 E5 ................
[ 208] 81 AC E5 95 A7 E6 9D A3 E3 8D A4 E4 98 B0 E7 A1 ................
[ 224] 85 E6 A5 92 E5 90 B1 E4 B1 98 E6 A9 91 E7 89 81 ................
.
.
.
.
(Event)
sensor id: 0 event id: 11163 event second: 1537926001 event microsecond: 822266
sig id: 2024107 gen id: 1 revision: 2 classification: 9
priority: 1 ip source: XXX.XXX.XXX.XXX ip destination: XXX.XXX.XXX.XXX
src port: 61075 dest port: 80 protocol: 6 impact_flag: 0 blocked: 0
Packet
sensor id: 0 event id: 11163 event second: 1537926001
packet second: 1537926001 packet microsecond: 822266
linktype: 1 packet_length: 1514
[ 0] 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
[ 16] 05 DC 00 00 00 00 00 06 BC 64 67 4C 55 CF D4 80 .........dgLU...
[ 32] 67 1C EE 93 00 50 00 00 00 00 00 00 00 00 50 00 g....P........P.
[ 48] 00 00 BA 20 00 00 50 52 4F 50 46 49 4E 44 20 2F ... ..PROPFIND /
[ 64] 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A HTTP/1.1..Host:
[ 80] 20 6C 6F 63 61 6C 68 6F 73 74 0D 0A 43 6F 6E 6E localhost..Conn
[ 96] 65 63 74 69 6F 6E 3A 20 43 6C 6F 73 65 0D 0A 43 ection: Close..C
[ 112] 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 30 ontent-Length: 0
[ 128] 0D 0A 49 66 3A 20 3C 68 74 74 70 3A 2F 2F 6C 6F ..If: <http://lo
[ 144] 63 61 6C 68 6F 73 74 2F 61 61 61 61 61 61 61 E6 calhost/aaaaaaa.
[ 160] BD A8 E7 A1 A3 E7 9D A1 E7 84 B3 E6 A4 B6 E4 9D ................
[ 176] B2 E7 A8 B9 E4 AD B7 E4 BD B0 E7 95 93 E7 A9 8F ................
[ 192] E4 A1 A8 E5 99 A3 E6 B5 94 E6 A1 85 E3 A5 93 E5 ................
[ 208] 81 AC E5 95 A7 E6 9D A3 E3 8D A4 E4 98 B0 E7 A1 ................
[ 224] 85 E6 A5 92 E5 90 B1 E4 B1 98 E6 A9 91 E7 89 81 ................
[ 240] E4 88 B1 E7 80 B5 E5 A1 90 E3 99 A4 E6 B1 87 E3 ................
.
.
.
The rule matches we are being given are the following two (the first one
is from the right example and the second one is from the incorrectly
generated example):
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP
Microsoft IIS ScStoragePathFromUrl function buffer overflow attempt";
flow:to_server,established; content:"PROPFIND"; http_method;
content:"If:"; fast_pattern; http_header; isdataat:500; content:!"|0D
0A|"; within:500; http_header; metadata:service http;
reference:bugtraq,97127; reference:cve,2017-7269;
classtype:attempted-admin; sid:42110; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"BROWSER-PLUGINS Microsoft Internet Explorer DDS Library Shape
Control ActiveX object access"; flow:to_client,established; file_data;
content:"EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F"; fast_pattern:only;
pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F/si";
metadata:service http; reference:cve,2005-2127;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052;
classtype:attempted-user; sid:4211; rev:15;)
Regards
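An added example, not part of the post above: a small Python parser for the packet records quoted in it. It decodes the hexdump text, walks the IPv4 and TCP headers according to the record's linktype, and reports how many payload bytes the logged packet actually carries, which makes the difference between the two examples (a 40-byte bare ACK versus a 1514-byte frame starting with PROPFIND) explicit. It assumes linktype 12 is raw IPv4 (DLT_RAW) and linktype 1 is Ethernet; the sample dumps are copied from the post, the second one cut to its first 80 bytes.

```python
import re
import struct

DLT_EN10MB = 1   # Ethernet frame, as in the second example
DLT_RAW = 12     # raw IPv4 with no link-layer header (assumed), as in the first example

# Packet record hexdumps copied from the post; the second one is cut to 80 bytes.
RAW_IP_DUMP = """\
[ 0] 45 00 00 28 00 00 00 00 40 06 DE F2 2F 64 1E B3 E..(.... at .../d..
[ 16] D4 80 79 46 ED CB 00 50 AF 40 4A 0F 20 75 F3 BF ..yF...P. at J. u..
[ 32] 50 10 0A 00 0E 56 00 00 P....V..
"""
ETHER_DUMP = """\
[ 0] 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
[ 16] 05 DC 00 00 00 00 00 06 BC 64 67 4C 55 CF D4 80 .........dgLU...
[ 32] 67 1C EE 93 00 50 00 00 00 00 00 00 00 00 50 00 g....P........P.
[ 48] 00 00 BA 20 00 00 50 52 4F 50 46 49 4E 44 20 2F ... ..PROPFIND /
[ 64] 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A HTTP/1.1..Host:
"""

# "[ off] HH HH ..." with at most 16 bytes per line; the ASCII column is ignored.
HEX_LINE = re.compile(r"^\[\s*(\d+)\]((?:\s+[0-9A-Fa-f]{2}){1,16})", re.M)

def parse_hexdump(text):
    """Turn the dump lines into bytes, checking that offsets are contiguous."""
    data = bytearray()
    for m in HEX_LINE.finditer(text):
        if int(m.group(1)) != len(data):
            raise ValueError("hexdump offsets are not contiguous")
        data += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(data)

def tcp_payload_start(pkt, linktype):
    """Return (src_port, dst_port, tcp_flags, payload_offset) for an IPv4/TCP packet."""
    ip = 14 if linktype == DLT_EN10MB else 0
    if linktype == DLT_EN10MB and pkt[12:14] != b"\x08\x00":
        raise ValueError("Ethernet frame does not carry IPv4")
    if pkt[ip] >> 4 != 4 or pkt[ip + 9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    tcp = ip + (pkt[ip] & 0x0F) * 4          # IHL is counted in 32-bit words
    src, dst = struct.unpack("!HH", pkt[tcp:tcp + 4])
    data_off = (pkt[tcp + 12] >> 4) * 4      # TCP data offset, 32-bit words
    return src, dst, pkt[tcp + 13], tcp + data_off

def check_record(dump, linktype, packet_length):
    """Summarise a unified2 packet record: ports, flags and how much payload it logged."""
    pkt = parse_hexdump(dump)
    src, dst, flags, start = tcp_payload_start(pkt, linktype)
    return {
        "src_port": src, "dst_port": dst, "tcp_flags": flags,
        "payload_len": packet_length - start,   # packet_length comes from the record header
        "payload_head": pkt[start:start + 24],  # empty when the logged packet has no data
    }

if __name__ == "__main__":
    print(check_record(RAW_IP_DUMP, DLT_RAW, 40))      # payload_len 0: bare ACK, no HTTP
    print(check_record(ETHER_DUMP, DLT_EN10MB, 1514))  # payload_len 1460, starts with PROPFIND
```

Run over a whole unified2 dump, a record whose payload_len is 0 for a rule that matched on http_header content (like sid 42110 here) is the case the post describes.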