Project

General

Profile

Actions
Copy link

Bug #2216

closed

Rule firing where it shouldn`t

Added by Pedro Marinho about 7 years ago. Updated about 7 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
Victor Julien
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hello Gentlemen,

I have a wonderful sig to Emotet that unfortunately is hitting where it shouldn`t.

alert http $EXTERNAL_NET [443,7080,8080,80] -> $HOME_NET any (msg:"ETPRO TROJAN W32/Emotet.v4 Checkin Fake 404 Payload Response"; flow:established,from_server; content:"404"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; pcre:"/Content-Length\x3a\x20\d{6}/Hmi"; file_data; content:!"<html"; nocase; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n][\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n][\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/si"; metadata: former_category TROJAN; reference:md5,dacdcd451204265ad6f44ef99db1f371; classtype:trojan-activity; sid:2828007; rev:2; metadata:created_at 2017_09_19, malware_family Emotet, updated_at 2017_09_19;)

Files

Download all files
2828007-1.pcap (610 KB) 2828007-1.pcap Pedro Marinho, 09/20/2017 01:50 PM
2828007-2.pcap (158 KB) 2828007-2.pcap Pedro Marinho, 09/20/2017 01:50 PM
wireeshark.jpg (330 KB) wireeshark.jpg Pedro Marinho, 09/26/2017 03:08 PM
Actions
Copy link
 #1

Updated by Andreas Herz about 7 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
  • Private changed from No to Yes
Actions
Copy link
 #2

Updated by Andreas Herz about 7 years ago

  • Private changed from Yes to No
Actions
Copy link
 #3

Updated by Victor Julien about 7 years ago

  • Description updated (diff)
  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Victor Julien
  • Target version changed from TBD to 70
Actions
Copy link
 #4

Updated by Francis Trudeau about 7 years ago

Here is a simplified rule that hits on 2028007-2, but shouldn't as well:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Match Test"; content:"404"; http_stat_code; file_data; content:!"<html"; classtype:trojan-activity; sid:30301; rev:1;)

Looking at that pcap in Wireshark, it looks malformed. Wireshark doesn't recognize the 200 stat code in that stream. Display filter "http.response.code == 200" comes back blank. Not sure if that's related, but it's strange.

Actions
Copy link
 #5

Updated by Pedro Marinho about 7 years ago

There is nothing to do with Wireshark. My Wireshark does recognize the 200 stat code. I am running Wireshark 2.4.1 (v2.4.1-0-gf42a0d2)

Actions
Copy link
 #7

Updated by Victor Julien about 7 years ago

  • Status changed from Assigned to Rejected
  • Target version deleted (70)

This is behaving as expected.

What happens is that the file_data buffer is large, larger than the initial inspection limit:

           response-body-minimal-inspect-size: 40kb
           response-body-inspect-window: 16kb

This means that after the initial 40k, the body is inspected in 16k chunks. In one of the chunks there is no occurence of the '<html' pattern, so it matches.

This can be shown by increasing the "response-body-minimal-inspect-size" setting to 100k. This makes the issue go away.

If you enable EVE's "http-body-printable" you will see that the matching data is indeed not the start of the body:

      types:
        - alert:
            ...
            http-body-printable: yes


cat eve.json | jq -c 'select(.alert)|.http.http_response_body_printable'|head -c 64
-custom">
                            <a href="http://www.automo

The easiest way to deal with this is to use a depth. The depth is enforced against the entire body, so not per chunk. So a depth of 1024, can only possibly match against the first 1024 bytes of the initial chunk.

Actions
Copy link
 #8

Updated by Pedro Marinho about 7 years ago

Thanks Victor !

I confirm it does work as expected after adding a depth:1024 content modifier at the negated content to <html

alert http $EXTERNAL_NET [443,7080,8080,80] > $HOME_NET any (msg:"ETPRO TROJAN W32/Emotet.v4 Checkin Fake 404 Payload Response"; flow:established,from_server; content:"404"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; pcre:"/Content-Length\x3a\x20\d{6}/Hmi"; file_data; content:!"<html"; nocase; depth:1024; pcre:"/^[\x20\x7e\r\n]{0,20}[^\x20-\x7e\r\n][\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n][\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/si"; metadata: former_category TROJAN; reference:md5,dacdcd451204265ad6f44ef99db1f371; classtype:trojan-activity; sid:2828007; rev:2; metadata:created_at 2017_09_19, malware_family Emotet, updated_at 2017_09_19;)

pedro@millenium-falcon:~/suricataScada/oisf$ sudo bin/suricata c suricata.yaml -r /media/sf_SharedVM/2828007-1.pcap
[2552] 9/10/2017 - 13:46:02 - (suricata.c:1005) <Notice> (SCPrintVersion) -- This is Suricata version 3.2dev (rev f9f5e8a)
[2552] 9/10/2017 -- 13:46:02 - (tm-threads.c:2098) <Notice> (TmThreadWaitOnThreadInit) -- all 2 packet processing threads, 4 management threads initialized, engine started.
[2552] 9/10/2017 -- 13:46:02 - (suricata.c:2621) <Notice> (main) -- Signal Received. Stopping engine.
[2553] 9/10/2017 -- 13:46:03 - (source-pcap-file.c:388) <Notice> (ReceivePcapFileThreadExitStats) -- Pcap-file module read 828 packets, 611444 bytes
pedro@millenium-falcon:~/suricataScada/oisf$ tail var/log/suricata/fast.log

pedro@millenium-falcon:~/suricataScada/oisf$

Actions
Copy link

Also available in: Atom PDF