Bug #788

closed

file_data relative positive and negative match at same offset problem

Added by Pedro Marinho over 11 years ago. Updated over 11 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hello Gentlemen,

I've built this signature last week. It is generating an alert where it shouldn't (false positive). Maybe it is a problem with Suricata's file_data because

#original signature that false positives
alert http any any -> any any (msg:"ETPRO TROJAN TeamSpy Campaign module download"; flow:established,from_server; content:"Content-Type|3a| image/jpeg"; http_header; file_data; content:!"|FF D8 FF|"; within:3; content:"CU"; within:2; reference:url,crysys.hu/teamspy/teamspy.pdf; classtype:trojan-activity; sid:2806152; rev:3; )

#pcap attached: shouldnotring.pcap

GET /jkzs.jpg HTTP/1.1
User-Agent: a5fb3a521043db2898c01f02c32f94f3.exe
Connection: Keep-Alive
Cache-Control: no-cache
Host: rh.adstim.com

HTTP/1.1 200 OK
Date: Fri, 05 Oct 2012 18:44:04 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Thu, 04 Oct 2012 08:19:03 GMT
ETag: "d01ced-4ac00-68754bc0"
Accept-Ranges: bytes
Content-Length: 306176
Connection: close
Content-Type: image/jpeg

~i3333333333cv33.243333333333333.3..82333.433{233333o.:33#33

#other attempts

#this way it gives a false positive
alert http any any -> any any (msg:"ETPRO TROJAN TeamSpy Campaign module download"; flow:established,from_server; content:"Content-Type|3a| image/jpeg"; http_header; file_data; content:!"|FF D8 FF|"; within:3; file_data; content:"CU"; within:2; reference:url,crysys.hu/teamspy/teamspy.pdf; classtype:trojan-activity; sid:2806152; rev:3; )

#this way it gives a false negative
alert http any any -> any any (msg:"ETPRO TROJAN TeamSpy Campaign module download"; flow:established,from_server; content:"Content-Type|3a| image/jpeg"; http_header; file_data; content:!"|FF D8 FF|"; within:3; content:"|0D 0A 0D 0A|CU"; reference:url,crysys.hu/teamspy/teamspy.pdf; classtype:trojan-activity; sid:2806152; rev:3; )

#This way it gives neither a false positive nor a false negative; it works as expected.
alert http any any -> any any (msg:"ETPRO TROJAN TeamSpy Campaign module download"; flow:established,from_server; content:"Content-Type|3a| image/jpeg"; http_header; content:!"|0D 0A 0D 0A FF D8 FF|"; content:"|0D 0A 0D 0A|CU"; reference:url,crysys.hu/teamspy/teamspy.pdf; classtype:trojan-activity; sid:2806152; rev:3; )

#this way it gives a false positive
alert http any any -> any any (msg:"ETPRO TROJAN TeamSpy Campaign module download"; flow:established,from_server; content:"Content-Type|3a| image/jpeg"; http_header; content:!"|FF D8 FF|"; file_data; within:3; content:"CU"; file_data; within:2; reference:url,crysys.hu/teamspy/teamspy.pdf; classtype:trojan-activity; sid:2806152; rev:3; )


Files

suricata.yaml (30.4 KB) Pedro Marinho, 04/19/2013 01:05 PM