Bug #611 (Closed): fp: rule with ports matching on portless proto
Description
Using 1.4dev (rev 2ab6292)
with yaml vars like so:

  address-groups:
    HOME_NET: "[192.168.0.0/16]"
    EXTERNAL_NET: "any"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"

  # Holds the port group vars that would be passed in a Signature.
  # These would be retrieved during the Signature port parsing stage.
  port-groups:
    #HTTP_PORTS: "[80,81,311,591,593,901,1220,1414,1741,1830,2301,2381]"
    HTTP_PORTS: "[80,81]"
    #"[80,81,311,591,593,901,1220,1414,1741,1830,2301,2381,2809,3128,3702,4343,4848,5250,7001,7145,7510,7777,7779,8000,8008,8014,8028,8080,8088,8090,8118,8123,8180,8181,8243,8280,8800,8888,8899,9000,9080,9090,9091,9443,9999,11371,55555]"
    #SHELLCODE_PORTS: "!80"
    SHELLCODE_PORTS: "[21,22,80,11111,22222]"
    ORACLE_PORTS: "[1521,1024]"
    SSH_PORTS: "[22,222]"
    FTP_PORTS: "[21,2100,3535]"
    SIP_PORTS: "[5060,5061,5600]"
    FILE_DATA_PORTS: "[110,143]"
    GTP_PORTS: "[2123,2152,3386]"
With the rule:
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; classtype:shellcode-detect; sid:2101390; rev:7;)
and the attached pcap, it alerts about 64 times on 125 packets containing "CCCC....", but I think we should not alert, because the SHELLCODE_PORTS var does not match any of the pcap ports.
Furthermore (some variations of the rule with the same pcap):

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; classtype:shellcode-detect; sid:2101390; rev:7;)
alerts 64 times

alert ip any any -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:2101390; rev:7;)
alerts 124 times

alert ip any $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:2101390; rev:7;)
alerts 64 times

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:2101390; rev:7;)
alerts 124 times
It seems that there is a problem with the parsing of the $EXTERNAL_NET and $SHELLCODE_PORTS variables.
Just for comparison: Snort 2.9.3.1 with the same pcap and the same original rule alerts 124 times.
Thanks
Updated by Victor Julien about 12 years ago
- Status changed from New to Assigned
- Assignee set to Victor Julien
- Target version set to 1.4
Updated by Victor Julien about 12 years ago
With this sig:
alert ip any any -> any [36177,33760] (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; classtype:shellcode-detect; sid:2101391; rev:7;)
I get 124 hits. In other words, all packets except one fragment.
With this sig:
alert ip any [36177,33760] -> any any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; classtype:shellcode-detect; sid:2101390; rev:7;)
I get 64 hits. In other words, all ICMP error packets.
With this sig:
alert udp any any -> any [36177,33760] (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; classtype:shellcode-detect; sid:2101392; rev:7;)
I get 60 hits. All UDP packets.
So the question is, which is right?
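The three experiments above and the reporter's four rule variants differ only in what a port constraint means for a packet that carries no ports. The following is an added example (not Suricata's code, and not anything attached to this ticket): a small rule-header evaluator that expands the ticket's address-group / port-group variables, then counts hits over a constructed packet set shaped like the 60 UDP + 64 ICMP breakdown from the comment above (made-up addresses, UDP probes to ports 33760/36177, portless ICMP error replies). The `portless_matches` flag is a hypothetical switch for the two readings of "which is right?": with it set, a port constraint is satisfied by any portless packet and the counts reproduce the ticket (64 / 124 / 64 / 60); with it cleared, such a constraint can never be satisfied by a portless packet and `$SHELLCODE_PORTS` rules fire 0 times on the same traffic, which is what the reporter expected. Only the header is evaluated: no content / fast_pattern matching, no fragments, and no negation inside brackets.

```python
"""Added example (not Suricata code): rule-header evaluator with variable
expansion, run over a constructed packet set.  Header matching only."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Subset of the ticket's yaml variables, values as posted.
ADDRESS_GROUPS = {"HOME_NET": "[192.168.0.0/16]", "EXTERNAL_NET": "any",
                  "HTTP_SERVERS": "$HOME_NET"}
PORT_GROUPS = {"SHELLCODE_PORTS": "[21,22,80,11111,22222]", "HTTP_PORTS": "[80,81]"}


def expand(expr: str, table: dict) -> str:
    """Substitute $VAR references, recursively (HTTP_SERVERS -> $HOME_NET -> ...)."""
    while (m := re.search(r"\$(\w+)", expr)):
        expr = expr.replace(m.group(0), table[m.group(1)])
    return expr


def parse_ports(expr: str):
    """'any' -> None; else (negated, set of ports). Handles 80, !80, [a,b,c:d].
    Negation inside the brackets ([80,!81]) is not supported in this example."""
    expr = expr.strip()
    if expr == "any":
        return None
    negated = expr.startswith("!")
    ports = set()
    for item in expr.lstrip("!").strip("[]").split(","):
        lo, _, hi = item.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return negated, ports


def parse_addrs(expr: str):
    """'any' -> None; else (negated, list of networks). Same limits as parse_ports."""
    expr = expr.strip()
    if expr == "any":
        return None
    negated = expr.startswith("!")
    nets = [ipaddress.ip_network(a.strip(), strict=False)
            for a in expr.lstrip("!").strip("[]").split(",")]
    return negated, nets


@dataclass(frozen=True)
class Packet:
    proto: str             # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: Optional[int]   # None when the protocol carries no ports
    dport: Optional[int]


def parse_header(rule: str):
    """Split 'alert ip $A $P -> $B any (...)' into proto and parsed specs."""
    _action, proto, src, sp, direction, dst, dp = rule.split("(", 1)[0].split()[:7]
    if direction != "->":
        raise ValueError("only unidirectional rules are handled in this example")
    return (proto,
            parse_addrs(expand(src, ADDRESS_GROUPS)), parse_ports(expand(sp, PORT_GROUPS)),
            parse_addrs(expand(dst, ADDRESS_GROUPS)), parse_ports(expand(dp, PORT_GROUPS)))


def addr_ok(spec, ip: str) -> bool:
    if spec is None:
        return True
    negated, nets = spec
    return any(ipaddress.ip_address(ip) in n for n in nets) != negated


def port_ok(spec, port: Optional[int], portless_matches: bool) -> bool:
    if spec is None:
        return True
    if port is None:
        # The ticket's question: what does a port constraint mean for a packet
        # without ports?  Hypothetical switch, not a Suricata option.
        return portless_matches
    negated, ports = spec
    return (port in ports) != negated


def header_matches(rule: str, pkt: Packet, portless_matches: bool) -> bool:
    proto, src, sp, dst, dp = parse_header(rule)
    if proto != "ip" and proto != pkt.proto:
        return False
    return (addr_ok(src, pkt.src) and addr_ok(dst, pkt.dst)
            and port_ok(sp, pkt.sport, portless_matches)
            and port_ok(dp, pkt.dport, portless_matches))


def count_hits(rule: str, packets, portless_matches: bool) -> int:
    return sum(header_matches(rule, p, portless_matches) for p in packets)


def constructed_packets():
    """Constructed stand-in for the pcap: 60 UDP probes to ports 33760/36177 on
    a HOME_NET host plus 64 portless ICMP error replies (addresses made up)."""
    probes = [Packet("udp", "192.168.1.5", "192.168.7.9", 40000 + i, (33760, 36177)[i % 2])
              for i in range(60)]
    errors = [Packet("icmp", f"10.0.{i}.1", "192.168.1.5", None, None) for i in range(64)]
    return probes + errors


RULES = {  # headers from the ticket; options trimmed since only the header is evaluated
    "shellcode": 'alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (sid:2101390;)',
    "any_any": 'alert ip any any -> $HOME_NET any (sid:2101390;)',
    "dp_list": 'alert ip any any -> any [36177,33760] (sid:2101391;)',
    "sp_list": 'alert ip any [36177,33760] -> any any (sid:2101390;)',
    "udp_dp": 'alert udp any any -> any [36177,33760] (sid:2101392;)',
}


def ticket_counts(portless_matches: bool) -> dict:
    pkts = constructed_packets()
    return {name: count_hits(rule, pkts, portless_matches) for name, rule in RULES.items()}


if __name__ == "__main__":
    for policy in (True, False):
        print("portless packet satisfies port constraint =", policy, ticket_counts(policy))
```

Running it prints 64/124/124/64/60 for the first policy and 0/124/60/0/60 for the second. The ticket's final subject ("fp: rule with ports matching on portless proto") treats the ICMP hits as false positives, i.e. the second reading; in a real deployment the practical check is the same as the reporter's: run the rule against a pcap whose only hits are on a portless protocol and confirm the count is what the port group should allow.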
Updated by Victor Julien about 12 years ago
- Target version changed from 1.4 to 2.0rc2
Updated by Peter Manev about 12 years ago
But why is there a match with
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; classtype:shellcode-detect; sid:2101390; rev:7;)
if none of the $SHELLCODE_PORTS defined match any of the src ports in the pcap?
thanks
Updated by Victor Julien about 11 years ago
- Assignee changed from Victor Julien to Peter Manev
Peter, is this ticket still valid?
Updated by Victor Julien almost 11 years ago
- Assignee changed from Peter Manev to Victor Julien
Updated by Victor Julien almost 11 years ago
- Subject changed from Address-Group and Port-Group variables parsing in yaml to fp: rule with ports matching on portless proto
Updated by Victor Julien almost 11 years ago
- Status changed from Assigned to Closed
- % Done changed from 0 to 100