Actions
Bug #4875
openFN when using flowbits and ftp protocol.
Affected Versions:
Effort:
Difficulty:
Label:
Needs Suricata-Verify test
Description
When attempting use a flowbit pair of rules to detect a successful FTP login (rules below) results in a False Negative event when run against the attached redacted agent-tesla FTP exfil traffic.
# slightly modified to remove noalert;and swap src/dst host vars alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET FTP USER login flowbit"; flow:established,to_server; content:"USER "; nocase; depth:5; flowbits:set,ET.ftp.user.login; flowbits:noalert; reference:url,doc.emergingthreats.net/bin/view/Main/2002850; classtype:not-suspicious; sid:2002850; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"ET POLICY FTP Login Successful"; flow:from_server,established; flowbits:isset,ET.ftp.user.login; flowbits:isnotset,ftp.user.logged_in; flowbits:set,ftp.user.logged_in; content:"230 "; depth:4; reference:url,doc.emergingthreats.net/2003410; classtype:misc-activity; sid:2003410; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
Once removing the `flowbits:noalert;` from 2002850, it does produce an alert, so we know the flowbit is getting set. Removing the `flowbits:isset,ET.ftp.user.login;` from 2003410 results in both rules firing correct without the flowbit pairing
[
{
"timestamp": "2021-12-01T21:47:27.220504+0000",
"flow_id": 108851339681112,
"event_type": "alert",
"src_ip": "192.168.1.10",
"src_port": 49159,
"dest_ip": "5.10.40.50",
"dest_port": 21,
"proto": "TCP",
"metadata": {
"flowbits": [
"ET.ftp.user.login"
]
},
"community_id": "1:pqbfkyQt/WARC58fIBkgr6P1OxI=",
"alert": {
"action": "allowed",
"gid": 1,
"signature_id": 2002850,
"rev": 5,
"signature": "ET FTP USER login flowbit",
"category": "Not Suspicious Traffic",
"severity": 3,
"metadata": {
"created_at": [
"2010_07_30"
],
"updated_at": [
"2010_07_30"
]
}
},
"app_proto": "ftp",
"app_proto_tc": "failed",
"flow": {
"pkts_toserver": 10,
"pkts_toclient": 17,
"bytes_toserver": 697,
"bytes_toclient": 1597,
"start": "2021-12-01T21:47:27.220504+0000"
},
"payload": "VVNFUiByZWRhY3RAcmVkYWN0ZWR4LmNvbQ0KUEFTUyBYUkVEQUNURURYWA0KT1BUUyB1dGY4IG9uDQpQV0QNClRZUEUgSQ0KUEFTVg0KU1RPUiBQV19YWERPTUFJTlhYLlVTRVJOQU0tQ09NUFVURVJOQU1FWF9YWFhYX01NX0REX0hIX01NX1NTLmh0bWwNCg==",
"payload_printable": "USER redact@redactedx.com\r\nPASS XREDACTEDXX\r\nOPTS utf8 on\r\nPWD\r\nTYPE I\r\nPASV\r\nSTOR PW_XXDOMAINXX.USERNAM-COMPUTERNAMEX_XXXX_MM_DD_HH_MM_SS.html\r\n",
"stream": 1,
"packet": "RQAAKAAAAABABoviwKgBCgUKKDLABwAVxWLYpeWeMQZQMgoAQfoAAA==",
"packet_info": {
"linktype": 12
}
}
]
To troubleshoot the rule the following additional rules were created
alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET FTP USER login flowbit - TCP PKT"; flow:established,to_server; content:"USER "; nocase; depth:5; flowbits:set,ET.ftp.user.login1; sid:1; rev:5;) alert tcp-pkt $EXTERNAL_NET 21 -> $HOME_NET any (msg:"ET POLICY FTP Login Successful - TCP PKT"; flow:established,to_client; flowbits:isset,ET.ftp.user.login1; flowbits:isnotset,ftp.user.logged_in; flowbits:set,ftp.user.logged_in; content:"230 "; depth:4; sid:2;)
which, while using the same basic logic utilize the tcp-pkt "protocol" instead of "ftp". The troubleshooting rules correctly cause sid:2 to alert.
Files
Updated by Victor Julien over 1 year ago
- Assignee set to OISF Dev
- Target version set to TBD
Actions