
Bug #611

closed

fp: rule with ports matching on portless proto

Added by Peter Manev about 12 years ago. Updated almost 11 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Using 1.4dev (rev 2ab6292)
with yaml vars like so:

address-groups:
  HOME_NET: "[192.168.0.0/16]"
  EXTERNAL_NET: "any"
  HTTP_SERVERS: "$HOME_NET"
  SMTP_SERVERS: "$HOME_NET"
  SQL_SERVERS: "$HOME_NET"
  DNS_SERVERS: "$HOME_NET"
  TELNET_SERVERS: "$HOME_NET"
  AIM_SERVERS: "$EXTERNAL_NET"
  DNP3_SERVER: "$HOME_NET"
  DNP3_CLIENT: "$HOME_NET"
  MODBUS_CLIENT: "$HOME_NET"
  MODBUS_SERVER: "$HOME_NET"
  ENIP_CLIENT: "$HOME_NET"
  ENIP_SERVER: "$HOME_NET"

  # Holds the port group vars that would be passed in a Signature.
  # These would be retrieved during the Signature port parsing stage.
port-groups:
  #HTTP_PORTS: "[80,81,311,591,593,901,1220,1414,1741,1830,2301,2381]"
  HTTP_PORTS: "[80,81]"
  #"[80,81,311,591,593,901,1220,1414,1741,1830,2301,2381,2809,3128,3702,4343,4848,5250,7001,7145,7510,7777,7779,8000,8008,8014,8028,8080,8088,8090,8118,8123,8180,8181,8243,8280,8800,8888,8899,9000,9080,9090,9091,9443,9999,11371,55555]"

  #SHELLCODE_PORTS: "!80"
  SHELLCODE_PORTS: "[21,22,80,11111,22222]"
  ORACLE_PORTS: "[1521,1024]"
  SSH_PORTS: "[22,222]"
  FTP_PORTS: "[21,2100,3535]"
  SIP_PORTS: "[5060,5061,5600]"
  FILE_DATA_PORTS: "[110,143]"
  GTP_PORTS: "[2123,2152,3386]"

with the rule -

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; classtype:shellcode-detect; sid:2101390; rev:7;)

With the attached pcap, it alerts about 64 times on 125 packets containing "CCCC...." - but I think we should not alert, because the SHELLCODE_PORTS var does not match any of the pcap ports.

Furthermore (some variations of the rule with the same pcap) -

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; classtype:shellcode-detect; sid:2101390; rev:7;)
alerts 64 times

alert ip any any -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:2101390; rev:7;)
alerts 124 times

alert ip any $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:2101390; rev:7;)
alerts 64 times

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:2101390; rev:7;)
alerts 124 times

It seems that there is a problem with the parsing of the $EXTERNAL_NET $SHELLCODE_PORTS variables.

Just for comparison: Snort 2.9.3.1 with the same pcap and the same original rule alerts 124 times.

thanks



Actions #1

Updated by Victor Julien about 12 years ago

  • Status changed from New to Assigned
  • Assignee set to Victor Julien
  • Target version set to 1.4
Actions #2

Updated by Victor Julien about 12 years ago

With this sig:

alert ip any any -> any [36177,33760] (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; classtype:shellcode-detect; sid:2101391; rev:7;)

I get 124 hits. In other words, all packets except one fragment.

With this sig:

alert ip any [36177,33760] -> any any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; classtype:shellcode-detect; sid:2101390; rev:7;)

I get 64 hits. In other words, all ICMP error packets.

With this sig:

alert udp any any -> any [36177,33760] (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; classtype:shellcode-detect; sid:2101392; rev:7;)

I get 60 hits. All UDP packets.

So the question is, which is right?
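To make the semantics under discussion concrete (the description's claim that a rule whose source port is $SHELLCODE_PORTS should not fire on packets carrying none of those ports, and the three header variants tried in comment #2), here is an added worked example. It is not Suricata's code and not the author's; it is a small, constructed model of rule-header evaluation in which a port constraint can only be satisfied by a packet that actually carries a port, so portless packets (ICMP) never match a rule with a non-`any` port, which is the behaviour the ticket's final subject ("fp: rule with ports matching on portless proto") treats as correct. The variable tables mirror the yaml excerpt in the description; the packets are constructed sample data, not the attached pcap; only the header is evaluated (the content match is assumed to hit on every packet, as in the ticket); negated ports such as "!80" and nested lists are not supported.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed variable tables, mirroring the suricata.yaml excerpt in the ticket.
ADDRESS_GROUPS = {"HOME_NET": "[192.168.0.0/16]", "EXTERNAL_NET": "any"}
PORT_GROUPS = {"SHELLCODE_PORTS": "[21,22,80,11111,22222]"}


@dataclass
class Packet:
    proto: str            # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: Optional[int]  # None for protocols that carry no ports
    dport: Optional[int]


def expand(spec, table):
    """Resolve $NAME references until none remain (no negation or nesting)."""
    while "$" in spec:
        i = spec.index("$")
        j = i + 1
        while j < len(spec) and (spec[j].isalnum() or spec[j] == "_"):
            j += 1
        name = spec[i + 1:j]
        spec = spec[:i] + table[name] + spec[j:]  # KeyError if undefined
    return spec


def parse_addrs(spec):
    """Return None for 'any', else a list of ip_network objects."""
    spec = expand(spec, ADDRESS_GROUPS).strip()
    if spec == "any":
        return None
    return [ipaddress.ip_network(x.strip()) for x in spec.strip("[]").split(",")]


def parse_ports(spec):
    """Return None for 'any', else a set of port numbers."""
    spec = expand(spec, PORT_GROUPS).strip()
    if spec == "any":
        return None
    return {int(x) for x in spec.strip("[]").split(",")}


def parse_header(rule):
    """Parse 'alert <proto> <src> <sport> -> <dst> <dport> (...)'."""
    action, proto, src, sport, direction, dst, dport = rule.split()[:7]
    assert action == "alert" and direction == "->", "only 'alert' and '->' supported"
    return {"proto": proto, "src": parse_addrs(src), "sport": parse_ports(sport),
            "dst": parse_addrs(dst), "dport": parse_ports(dport)}


def addr_ok(nets, ip):
    return nets is None or any(ipaddress.ip_address(ip) in n for n in nets)


def port_ok(ports, port):
    if ports is None:
        return True
    # The key rule: a port constraint needs a packet that actually has a port.
    return port is not None and port in ports


def header_matches(hdr, pkt):
    # 'ip' covers every L3 packet; any other proto must match exactly.
    if hdr["proto"] != "ip" and hdr["proto"] != pkt.proto:
        return False
    return (addr_ok(hdr["src"], pkt.src) and addr_ok(hdr["dst"], pkt.dst)
            and port_ok(hdr["sport"], pkt.sport) and port_ok(hdr["dport"], pkt.dport))


def count_alerts(rule, packets):
    hdr = parse_header(rule)
    return sum(header_matches(hdr, p) for p in packets)


# Constructed traffic: three UDP packets on the ports from comment #2 and two
# ICMP packets (no ports), all from an external host into HOME_NET.
PACKETS = [
    Packet("udp", "10.0.0.5", "192.168.1.10", 36177, 33760),
    Packet("udp", "10.0.0.5", "192.168.1.10", 36177, 33760),
    Packet("udp", "10.0.0.5", "192.168.1.10", 33760, 36177),
    Packet("icmp", "10.0.0.5", "192.168.1.10", None, None),
    Packet("icmp", "10.0.0.5", "192.168.1.10", None, None),
]

RULE_TICKET = 'alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"t"; sid:1;)'
RULE_NOPORTS = 'alert ip any any -> $HOME_NET any (msg:"t"; sid:2;)'
RULE_SRCPORTS = 'alert ip any [36177,33760] -> any any (msg:"t"; sid:3;)'
RULE_UDP = 'alert udp any any -> any [36177,33760] (msg:"t"; sid:4;)'

if __name__ == "__main__":
    for rule in (RULE_TICKET, RULE_NOPORTS, RULE_SRCPORTS, RULE_UDP):
        print(count_alerts(rule, PACKETS), rule.split("(")[0])
```

Under this model the ticket's rule fires zero times (no packet carries a $SHELLCODE_PORTS source port), the port-free `ip any any -> $HOME_NET any` variant fires on every packet, and the `[36177,33760]` source-port variant fires only on the UDP packets, never on the ICMP ones; a matcher that counts the ICMP packets for that last rule is exhibiting the false positive the ticket is about.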

Actions #3

Updated by Victor Julien about 12 years ago

  • Target version changed from 1.4 to 2.0rc2
Actions #4

Updated by Peter Manev about 12 years ago

But why is there a match with

alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; classtype:shellcode-detect; sid:2101390; rev:7;)

if none of the defined $SHELLCODE_PORTS match any of the src ports in the pcap?

thanks

Actions #5

Updated by Victor Julien about 11 years ago

  • Assignee changed from Victor Julien to Peter Manev

Peter, is this ticket still valid?

Actions #6

Updated by Peter Manev almost 11 years ago

Yes, it is still valid.

Actions #7

Updated by Victor Julien almost 11 years ago

  • Assignee changed from Peter Manev to Victor Julien
Actions #8

Updated by Victor Julien almost 11 years ago

  • Subject changed from Address-Group and Port-Group variables parsing in yaml to fp: rule with ports matching on portless proto
Actions #9

Updated by Victor Julien almost 11 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100