Project

General

Profile

Actions

Bug #788

closed

file_data relative positive and negative match at same offset problem

Added by Pedro Marinho almost 12 years ago. Updated over 11 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hello Gentlemen,

I've built this signature last week. It is generating an alert where it shouldn't False Positive. Maybe it is a problem with suricata file_data because

#original signature that False Positives
alert http any any -> any any (msg:"ETPRO TROJAN TeamSpy Campaign module download"; flow:established,from_server; content:"Content-Type|3a| image/jpeg"; http_header; file_data; content:!"|FF D8 FF|"; within:3; content:"CU"; within:2; reference:url,crysys.hu/teamspy/teamspy.pdf; classtype:trojan-activity; sid:2806152; rev:3; )

#pcap attached shouldnotring.pcap

GET /jkzs.jpg HTTP/1.1
User-Agent: a5fb3a521043db2898c01f02c32f94f3.exe
Connection: Keep-Alive
Cache-Control: no-cache
Host: rh.adstim.com

HTTP/1.1 200 OK
Date: Fri, 05 Oct 2012 18:44:04 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Thu, 04 Oct 2012 08:19:03 GMT
ETag: "d01ced-4ac00-68754bc0"
Accept-Ranges: bytes
Content-Length: 306176
Connection: close
Content-Type: image/jpeg

~i3333333333cv33.243333333333333.3..82333.433{233333o.:33#33

#other attempts

#this way it does False Positive
alert http any any -> any any (msg:"ETPRO TROJAN TeamSpy Campaign module download"; flow:established,from_server; content:"Content-Type|3a| image/jpeg"; http_header; file_data; content:!"|FF D8 FF|"; within:3; file_data; content:"CU"; within:2; reference:url,crysys.hu/teamspy/teamspy.pdf; classtype:trojan-activity; sid:2806152; rev:3; )

#this way it does False Negative
alert http any any -> any any (msg:"ETPRO TROJAN TeamSpy Campaign module download"; flow:established,from_server; content:"Content-Type|3a| image/jpeg"; http_header; file_data; content:!"|FF D8 FF|"; within:3; content:"|0D 0A 0D 0A|CU"; reference:url,crysys.hu/teamspy/teamspy.pdf; classtype:trojan-activity; sid:2806152; rev:3; )

#This way it don't False Positive or False Negative it works as expected.
alert http any any -> any any (msg:"ETPRO TROJAN TeamSpy Campaign module download"; flow:established,from_server; content:"Content-Type|3a| image/jpeg"; http_header; content:!"|0D 0A 0D 0A FF D8 FF|"; content:"|0D 0A 0D 0A|CU"; reference:url,crysys.hu/teamspy/teamspy.pdf; classtype:trojan-activity; sid:2806152; rev:3; )

#this way it does False Positive
alert http any any -> any any (msg:"ETPRO TROJAN TeamSpy Campaign module download"; flow:established,from_server; content:"Content-Type|3a| image/jpeg"; http_header; content:!"|FF D8 FF|"; file_data; within:3; content:"CU"; file_data; within:2; reference:url,crysys.hu/teamspy/teamspy.pdf; classtype:trojan-activity; sid:2806152; rev:3; )


Files

suricata.yaml (30.4 KB) suricata.yaml Pedro Marinho, 04/19/2013 01:05 PM
Actions #1

Updated by Pedro Marinho almost 12 years ago

  • File shouldring.pcap added

the pcap where it should ring

Actions #2

Updated by Will Metcalf almost 12 years ago

  • File deleted (shouldnotring.pcap)
Actions #3

Updated by Will Metcalf almost 12 years ago

  • File deleted (shouldring.pcap)
Actions #4

Updated by Anoop Saldanha almost 12 years ago

  • Assignee set to Anoop Saldanha
  • Target version set to 1.4.2

Unable to reproduce this.

Actions #5

Updated by Pedro Marinho over 11 years ago

this sig should not ring here because there is not a "CU" depth:2; at file_data

alert http any any -> any any (msg:"ETPRO TROJAN TeamSpy Campaign module download"; flow:established,from_server; content:"Content-Type|3a| image/jpeg"; http_header; file_data; content:!"|FF D8 FF|"; within:3; content:"CU"; within:2; reference:url,crysys.hu/teamspy/teamspy.pdf; classtype:trojan-activity; sid:2806152; rev:3; )
15:44:00.661349 IP 80.79.116.59.http > 10.0.2.15.boinc-client: Flags [P.], seq 1:1449, ack 147, win 8760, lengt
h 1448
    0x0000:  4508 05d0 000c 0000 4006 a47b 504f 743b  E.......@..{POt;
    0x0010:  0a00 020f 0050 0413 021f f202 be71 caac  .....P.......q..
    0x0020:  5018 2238 d337 0000 4854 5450 2f31 2e31  P."8.7..HTTP/1.1
    0x0030:  2032 3030 204f 4b0d 0a44 6174 653a 2046  .200.OK..Date:.F
    0x0040:  7269 2c20 3035 204f 6374 2032 3031 3220  ri,.05.Oct.2012.
    0x0050:  3138 3a34 343a 3034 2047 4d54 0d0a 5365  18:44:04.GMT..Se
    0x0060:  7276 6572 3a20 4170 6163 6865 2f32 2e32  rver:.Apache/2.2
    0x0070:  2e33 2028 4365 6e74 4f53 290d 0a4c 6173  .3.(CentOS)..Las
    0x0080:  742d 4d6f 6469 6669 6564 3a20 5468 752c  t-Modified:.Thu,
    0x0090:  2030 3420 4f63 7420 3230 3132 2030 383a  .04.Oct.2012.08:
    0x00a0:  3139 3a30 3320 474d 540d 0a45 5461 673a  19:03.GMT..ETag:
    0x00b0:  2022 6430 3163 6564 2d34 6163 3030 2d36  ."d01ced-4ac00-6
    0x00c0:  3837 3534 6263 3022 0d0a 4163 6365 7074  8754bc0"..Accept
    0x00d0:  2d52 616e 6765 733a 2062 7974 6573 0d0a  -Ranges:.bytes..
    0x00e0:  436f 6e74 656e 742d 4c65 6e67 7468 3a20  Content-Length:.
    0x00f0:  3330 3631 3736 0d0a 436f 6e6e 6563 7469  306176..Connecti
    0x0100:  6f6e 3a20 636c 6f73 650d 0a43 6f6e 7465  on:.close..Conte
    0x0110:  6e74 2d54 7970 653a 2069 6d61 6765 2f6a  nt-Type:.image/j
    0x0120:  7065 670d 0a0d 0a7e 6933 3333 3333 3333  peg....~i3333333
    0x0130:  3333 3363 7633 337f 3234 3333 3333 3333  333cv33.24333333
    0x0140:  3333 3333 3333 33d3 33bc b238 3233 3333  3333333.3..82333
    0x0150:  e934 3333 7b32 3333 3333 336f a33a 3333  .433{233333o.:33
    0x0160:  2333 333f 3333 3333 3373 3333 2333 3333  #33?33333s33#333

my suricata.yaml file is attached. This is Suricata version 2.0dev (rev ce99a07)

Actions #6

Updated by Victor Julien over 11 years ago

Confirmed, thanks Pedro.

@Anoop, could reproduce the issue with Pedro's yaml.

The problem is indeed that a later chunk is inspected with "depth" as if it's the start of the buffer. We should probably set a flag or count the offset or something when considering depth.

Actions #7

Updated by Anoop Saldanha over 11 years ago

Count the offset, yeah.

Actions #9

Updated by Victor Julien over 11 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

Merged https://github.com/inliniac/suricata/pull/379 into the 1.4 branch.

Opened #817 for the master branch.

Actions

Also available in: Atom PDF