[Oisf-users] suricata: parsing problem

Jorge Aranda Siguero jorge_aranda at innotecsystem.com
Wed Sep 26 14:39:34 UTC 2018


Good afternoon,

I have a strange behavior with a suricata deployment and I am not able
to fix it. 

As shown below, no payload is being written to the unified file for the alerts that match one specific rule, but despite this it works correctly with other rules.
You can see two examples, the first one with the wrong behavior and the second one with the right behavior:


FIRST EXAMPLE (we are not being given the "if:..." in the rule)

(Event)
        sensor id: 0    event id: 453859        event second: 1537902695        event microsecond: 9232
        sig id: 42110   gen id: 1       revision: 1      classification: 12
        priority: 1     ip source: XXX.XXX.XXX.XXX        ip destination: XXX.XXX.XXX.XXX
        src port: 60875 dest port: 80   protocol: 6     impact_flag: 0  blocked: 0

Packet
        sensor id: 0    event id: 453859        event second: 1537902695
        packet second: 1537902695       packet microsecond: 9232
        linktype: 12    packet_length: 40
[    0] 45 00 00 28 00 00 00 00 40 06 DE F2 2F 64 1E B3  E..(....@.../d..
[   16] D4 80 79 46 ED CB 00 50 AF 40 4A 0F 20 75 F3 BF  ..yF...P.@J. u..
[   32] 50 10 0A 00 0E 56 00 00                          P....V..

(Event)
        sensor id: 0    event id: 453860        event second: 1537902695        event microsecond: 9232
        sig id: 2024107 gen id: 1       revision: 2      classification: 9
        priority: 1     ip source: XXX.XXX.XXX.XXX        ip destination: XXX.XXX.XXX.XXX
        src port: 60875 dest port: 80   protocol: 6     impact_flag: 0  blocked: 0

Packet
        sensor id: 0    event id: 453860        event second: 1537902695
        packet second: 1537902695       packet microsecond: 9232
        linktype: 12    packet_length: 40
[    0] 45 00 00 28 00 00 00 00 40 06 DE F2 2F 64 1E B3  E..(....@.../d..
[   16] D4 80 79 46 ED CB 00 50 AF 40 4A 0F 20 75 F3 BF  ..yF...P.@J. u..
[   32] 50 10 0A 00 0E 56 00 00                          P....V..


SECOND EXAMPLE (the if: generated can be observed in the rule match)

(Event)
        sensor id: 0    event id: 11162 event second: 1537926001       event microsecond: 822266
        sig id: 42110   gen id: 1       revision: 1      classification: 12
        priority: 1     ip source: XXX.XXX.XXX.XXX        ip destination: XXX.XXX.XXX.XXX
        src port: 61075 dest port: 80   protocol: 6     impact_flag: 0  blocked: 0

Packet
        sensor id: 0    event id: 11162 event second: 1537926001
        packet second: 1537926001       packet microsecond: 822266
        linktype: 1     packet_length: 1514
[    0] 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00  ..............E.
[   16] 05 DC 00 00 00 00 00 06 BC 64 67 4C 55 CF D4 80  .........dgLU...
[   32] 67 1C EE 93 00 50 00 00 00 00 00 00 00 00 50 00  g....P........P.
[   48] 00 00 BA 20 00 00 50 52 4F 50 46 49 4E 44 20 2F  ... ..PROPFIND /
[   64] 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A   HTTP/1.1..Host:
[   80] 20 6C 6F 63 61 6C 68 6F 73 74 0D 0A 43 6F 6E 6E   localhost..Conn
[   96] 65 63 74 69 6F 6E 3A 20 43 6C 6F 73 65 0D 0A 43  ection: Close..C
[  112] 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 30  ontent-Length: 0
[  128] 0D 0A 49 66 3A 20 3C 68 74 74 70 3A 2F 2F 6C 6F  ..If: <http://lo
[  144] 63 61 6C 68 6F 73 74 2F 61 61 61 61 61 61 61 E6  calhost/aaaaaaa.
[  160] BD A8 E7 A1 A3 E7 9D A1 E7 84 B3 E6 A4 B6 E4 9D  ................
[  176] B2 E7 A8 B9 E4 AD B7 E4 BD B0 E7 95 93 E7 A9 8F  ................
[  192] E4 A1 A8 E5 99 A3 E6 B5 94 E6 A1 85 E3 A5 93 E5  ................
[  208] 81 AC E5 95 A7 E6 9D A3 E3 8D A4 E4 98 B0 E7 A1  ................
[  224] 85 E6 A5 92 E5 90 B1 E4 B1 98 E6 A9 91 E7 89 81  ................
...

(Event)
        sensor id: 0    event id: 11163 event second: 1537926001       event microsecond: 822266
        sig id: 2024107 gen id: 1       revision: 2      classification: 9
        priority: 1     ip source: XXX.XXX.XXX.XXX        ip destination: XXX.XXX.XXX.XXX
        src port: 61075 dest port: 80   protocol: 6     impact_flag: 0  blocked: 0

Packet
        sensor id: 0    event id: 11163 event second: 1537926001
        packet second: 1537926001       packet microsecond: 822266
        linktype: 1     packet_length: 1514
[    0] 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00  ..............E.
[   16] 05 DC 00 00 00 00 00 06 BC 64 67 4C 55 CF D4 80  .........dgLU...
[   32] 67 1C EE 93 00 50 00 00 00 00 00 00 00 00 50 00  g....P........P.
[   48] 00 00 BA 20 00 00 50 52 4F 50 46 49 4E 44 20 2F  ... ..PROPFIND /
[   64] 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A   HTTP/1.1..Host:
[   80] 20 6C 6F 63 61 6C 68 6F 73 74 0D 0A 43 6F 6E 6E   localhost..Conn
[   96] 65 63 74 69 6F 6E 3A 20 43 6C 6F 73 65 0D 0A 43  ection: Close..C
[  112] 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 30  ontent-Length: 0
[  128] 0D 0A 49 66 3A 20 3C 68 74 74 70 3A 2F 2F 6C 6F  ..If: <http://lo
[  144] 63 61 6C 68 6F 73 74 2F 61 61 61 61 61 61 61 E6  calhost/aaaaaaa.
[  160] BD A8 E7 A1 A3 E7 9D A1 E7 84 B3 E6 A4 B6 E4 9D  ................
[  176] B2 E7 A8 B9 E4 AD B7 E4 BD B0 E7 95 93 E7 A9 8F  ................
[  192] E4 A1 A8 E5 99 A3 E6 B5 94 E6 A1 85 E3 A5 93 E5  ................
[  208] 81 AC E5 95 A7 E6 9D A3 E3 8D A4 E4 98 B0 E7 A1  ................
[  224] 85 E6 A5 92 E5 90 B1 E4 B1 98 E6 A9 91 E7 89 81  ................
[  240] E4 88 B1 E7 80 B5 E5 A1 90 E3 99 A4 E6 B1 87 E3  ................
...

The rule matches we are being given are the following two (the first one is from the right example and the second one is the incorrectly generated example):

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft IIS ScStoragePathFromUrl function buffer overflow attempt"; flow:to_server,established; content:"PROPFIND"; http_method; content:"If:"; fast_pattern; http_header; isdataat:500; content:!"|0D 0A|"; within:500; http_header; metadata:service http; reference:bugtraq,97127; reference:cve,2017-7269; classtype:attempted-admin; sid:42110; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Internet Explorer DDS Library Shape Control ActiveX object access"; flow:to_client,established; file_data; content:"EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F"; fast_pattern:only; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F/si"; metadata:service http; reference:cve,2005-2127; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-052; classtype:attempted-user; sid:4211; rev:15;)


Regards
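A quick way to check what a logged unified2 packet record actually carries, as an added example that is not part of the original post: it rebuilds the packet from the dump lines quoted above, walks the IP and TCP headers, and reports the payload. The 40-byte raw-IP record (linktype 12) is a bare ACK with no data, while the Ethernet record (linktype 1) carries the PROPFIND request with its If: header; the zero seq/ack/flags check is an assumed heuristic for records synthesised from reassembled stream data rather than captured on the wire.

```python
import re
import struct

# Constructed sample input: the two "Packet" dumps quoted in the post (second truncated after "If:").
RAW_IP_ACK = """\
[    0] 45 00 00 28 00 00 00 00 40 06 DE F2 2F 64 1E B3  E..(....@.../d..
[   16] D4 80 79 46 ED CB 00 50 AF 40 4A 0F 20 75 F3 BF  ..yF...P.@J. u..
[   32] 50 10 0A 00 0E 56 00 00                          P....V..
"""
ETH_SEGMENT = """\
[    0] 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00  ..............E.
[   16] 05 DC 00 00 00 00 00 06 BC 64 67 4C 55 CF D4 80  .........dgLU...
[   32] 67 1C EE 93 00 50 00 00 00 00 00 00 00 00 50 00  g....P........P.
[   48] 00 00 BA 20 00 00 50 52 4F 50 46 49 4E 44 20 2F  ... ..PROPFIND /
[   64] 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A   HTTP/1.1..Host:
[   80] 20 6C 6F 63 61 6C 68 6F 73 74 0D 0A 43 6F 6E 6E   localhost..Conn
[   96] 65 63 74 69 6F 6E 3A 20 43 6C 6F 73 65 0D 0A 43  ection: Close..C
[  112] 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 30  ontent-Length: 0
[  128] 0D 0A 49 66 3A 20 3C 68 74 74 70 3A 2F 2F 6C 6F  ..If: <http://lo
"""
DUMP_LINE = re.compile(r"^\[\s*\d+\]\s+((?:[0-9A-Fa-f]{2} )*[0-9A-Fa-f]{2})")

def dump_to_bytes(dump):
    """Rebuild packet bytes from '[ off] xx xx ...  ascii' dump lines (hex field only)."""
    out = bytearray()
    for line in dump.splitlines():
        m = DUMP_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)

def summarize_tcp(dump, linktype):
    """Decode down to TCP; linktype as in the unified2 record: 1 = Ethernet, 12 = raw IPv4."""
    pkt = dump_to_bytes(dump)
    ip = 14 if linktype == 1 else 0           # skip the Ethernet header, none for raw IP
    ihl = (pkt[ip] & 0x0F) * 4
    ip_len, proto = struct.unpack("!H", pkt[ip + 2:ip + 4])[0], pkt[ip + 9]
    if proto != 6:
        raise ValueError("not TCP")
    tcp = ip + ihl
    sport, dport, seq, ack, offx2, flags = struct.unpack("!HHIIBB", pkt[tcp:tcp + 14])
    thl = (offx2 >> 4) * 4
    payload = pkt[tcp + thl:ip + ip_len]      # only what the (possibly truncated) dump holds
    return {
        "sport": sport, "dport": dport, "flags": flags,
        "declared_payload_len": ip_len - ihl - thl,   # from the IP total length field
        "payload": payload,
        # Heuristic (assumption): zero seq/ack/flags suggests a record built from reassembled stream data.
        "synthetic_looking": seq == 0 and ack == 0 and flags == 0,
    }
```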