Bug #283
closed
Invalid trigger of rule 1:2008100:10 (running Suricata 1.0.3 on FC14)
Added by John Pile over 13 years ago.
Updated over 12 years ago.
Description
Rule 2008100 is being triggered when I access a management page on a Splunk server in my LAN:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PRG/wnspoem/Zeus InfoStealer Trojan Config Download"; flow:established; content:"/cfg.bin"; nocase; http_uri; fast_pattern; content:"GET"; http_method; nocase; content:"no-cache|0d 0a|"; http_header; nocase; pcre:"/\/cfg\.bin$/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008100; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_PRG; sid:2008100; rev:10;)
Alarm:
04/18/11-19:37:56.330768 [**] [1:2008100:10] ET TROJAN PRG/wnspoem/Zeus InfoStealer Trojan Config Download [**] [Classification: A Network Trojan was detected] [Priority: 3] {6} 192.168.11.160:8000 -> 167.235.7.71:36388 [Xref => http://doc.emergingthreats.net/2008100][Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_PRG]
I'm unable to find the string "cfg" (case insensitive) within the TCP conversation that includes the packet matching that timestamp. I masked out a password from the enclosed content... it didn't contain that string either ;-).
- Status changed from New to Assigned
- Assignee set to Peter Manev
- Target version deleted (1.0.2)
I'm including the ruleset I used, in case one rule was fired but a different rule was reported.
I reran with 2008100 as the only rule, and it is still triggered when I open the same page.
I generated a pcap from the Wireshark text dump.
Continuing to explore the issue...
I tried to reproduce it, but I could not trigger an alert with the same rule.
@John, could you please try to reproduce it from the pcap (offline) that I generated from your Wireshark txt file and upload your yaml.conf (if it is ok).
Thanks
cd /etc/suricata/rules
mv snort.rules snort.rules.bak
grep 2008100 snort.rules.bak >snort.rules
suricata -c /etc/suricata/suricata.yaml -r /tmp/issue283.pcap
The above did not trigger an alert. However, when I run suricata against eth0, I can consistently reproduce the alarm.
suricata -c /etc/suricata/suricata.yaml -i eth0
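Added example, not code from this ticket, from Suricata or from the ET ruleset: a small Python scanner that reads a libpcap file, re-implements the three content checks of sid 2008100 (http_method GET, http_uri ending in /cfg.bin, "no-cache\r\n" in the headers) on each TCP payload, and separately greps every payload for a string, so the "is cfg anywhere in this conversation, and in which direction?" question can be answered per packet with the 4-tuple shown. The capture it runs on is constructed inline (SAMPLE_PCAP; the addresses echo the alert above but the traffic and the Splunk URL path are placeholders, with checksums left at zero). flow:established and the $HOME_NET -> $EXTERNAL_NET direction are not modelled, and Suricata's normalized http_uri buffer is approximated by the raw request-target.

```python
"""Added example (not from the ticket, Suricata or the ET ruleset): parse a
libpcap capture by hand, report which TCP payloads satisfy the content checks
of ET sid 2008100, and which merely contain a given string."""
import re
import struct
from typing import Iterator, List, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4                              # libpcap magic, host order
URI_RE = re.compile(rb"/cfg\.bin$", re.IGNORECASE)  # pcre:"/\/cfg\.bin$/Ui"
Endpoint = Tuple[str, int, str, int]

def iter_frames(data: bytes) -> Iterator[bytes]:
    """Yield raw Ethernet frames from a classic libpcap (not pcapng) buffer."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:  # DLT_EN10MB only
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def tcp_payload(frame: bytes) -> Optional[Tuple[str, int, str, int, bytes]]:
    """(src, sport, dst, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None
    if frame[14] >> 4 != 4 or frame[23] != 6:        # IPv4 carrying TCP only
        return None
    ip_end = 14 + struct.unpack_from("!H", frame, 16)[0]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = 14 + (frame[14] & 0x0F) * 4
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    doff = (frame[tcp + 12] >> 4) * 4
    return src, sport, dst, dport, frame[tcp + doff:ip_end]

def matches_2008100(payload: bytes) -> bool:
    """Approximate the rule's http_method/http_uri/http_header buffers on one
    request buffer; flow:established and $HOME_NET direction are not modelled."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2 or parts[0].upper() != b"GET":   # content:"GET"; http_method
        return False
    if URI_RE.search(parts[1]) is None:                # content:"/cfg.bin"; http_uri
        return False
    headers = b"\r\n".join(lines[1:]) + (b"\r\n" if sep else b"")
    return b"no-cache\r\n" in headers.lower()          # content:"no-cache|0d 0a|"

def scan_rule(pcap: bytes) -> List[Endpoint]:
    """4-tuples of every packet whose payload satisfies matches_2008100()."""
    return [info[:4] for info in map(tcp_payload, iter_frames(pcap))
            if info and matches_2008100(info[4])]

def payloads_containing(pcap: bytes, needle: bytes) -> List[Endpoint]:
    """Case-insensitive search of every TCP payload: the manual 'is "cfg"
    anywhere in this conversation?' check, with direction per hit."""
    return [info[:4] for info in map(tcp_payload, iter_frames(pcap))
            if info and needle.lower() in info[4].lower()]

# Constructed sample capture: no real traffic, IP/TCP checksums left at zero.
def build_frame(src: str, sport: int, dst: str, dport: int, payload: bytes) -> bytes:
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames: List[bytes]) -> bytes:
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f
                             for f in frames)

SAMPLE_PCAP = build_pcap([
    # browser -> Splunk web UI (placeholder path): no-cache, but no /cfg.bin
    build_frame("167.235.7.71", 36388, "192.168.11.160", 8000,
                b"GET /en-US/account/login HTTP/1.1\r\nHost: 192.168.11.160:8000\r\n"
                b"Cache-Control: no-cache\r\n\r\n"),
    # Splunk -> browser: a response, so http_method never matches
    build_frame("192.168.11.160", 8000, "167.235.7.71", 36388,
                b"HTTP/1.1 200 OK\r\nCache-Control: no-cache\r\n\r\n<html></html>"),
    # a HOME_NET host fetching /cfg.bin: the traffic the rule is written for
    build_frame("192.168.11.160", 49152, "167.235.7.71", 80,
                b"GET /cfg.bin HTTP/1.1\r\nHost: 167.235.7.71\r\nPragma: no-cache\r\n\r\n"),
])
```

To run it against a real capture, pass `open("/tmp/issue283.pcap", "rb").read()` to scan_rule() and payloads_containing(); because each hit carries its source and destination, a match reported with the Splunk server's port 8000 as the source would stand out immediately as a response rather than a GET.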
I tried recapturing using Wireshark (as root) and reopened the Splunk page, triggering the same rule. I saved that session to a .pcap file using "Wireshark/tcpdump/... - libpcap" format. On replay of that file, no alarm was triggered.
I'm including a copy of the config.log in case there's anything of interest in how this was compiled.
Thanks John,
I get no alerts while replaying the pcap file.
I will look into the config and log files and update.
Thanks
I'm now able to reproduce the alert on a replay with 2008100 as the only rule loaded using the enclosed trigger.pcap. It triggers the alarm twice, as shown below.
04/29/11-15:50:46.072001 [**] [1:2008100:10] ET TROJAN PRG/wnspoem/Zeus InfoStealer Trojan Config Download [**] [Classification: A Network Trojan was detected] [Priority: 3] {6} 192.168.11.31:8000 -> 167.235.7.71:39956 [Xref => http://doc.emergingthreats.net/2008100][Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_PRG]
[root@c001-007470 suricata]# cat /etc/suricata/rules/snort.rules
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PRG/wnspoem/Zeus InfoStealer Trojan Config Download"; flow:established; content:"/cfg.bin"; nocase; http_uri; fast_pattern; content:"GET"; http_method; nocase; content:"no-cache|0d 0a|"; http_header; nocase; pcre:"/\/cfg\.bin$/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008100; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_PRG; sid:2008100; rev:10;)
Did a couple of tests and used the yaml conf file provided - and can confirm that this bug is valid for Suricata 1.0.3 BUT NOT if you compile Suricata from GIT.
If you use Suricata from git, the alert is NOT triggered - which is only appropriate, I believe.
- Status changed from Assigned to Closed