
Bug #2263 » suri_dns_bug_info.md

Travis Green, 11/07/2017 12:15 PM

2826518

generates FP:

alert dns $HOME_NET any -> any any (msg:"ETPRO TROJAN DNS Query matching Cerber Domain Format (.top TLD)"; content:"|01|"; depth:1; offset:2; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|10|"; distance:1; within:1; content:"|06|"; distance:16; within:1; content:"|03|top|00|"; distance:6; within:5; dns_query; content:".top"; fast_pattern; reference:url,blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/; classtype:trojan-activity; sid:2826518; rev:5;)

no FP:

alert dns $HOME_NET any -> any any (msg:"ETPRO TROJAN DNS Query matching Cerber Domain Format (.top TLD)"; content:"|01|"; depth:1; offset:2; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|10|"; distance:1; within:1; content:"|06|"; distance:16; within:1; content:"|03|top|00|"; distance:6; within:5; fast_pattern; reference:url,blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/; classtype:trojan-activity; sid:12826518; rev:5;)
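Added example, not from the bug report or from Suricata itself: a Python re-implementation of the byte checks the two rules above encode, run on constructed DNS queries (the builder, packet names and helper names are my own). It shows that the payload-relative content chain only matches a 16-character label followed by a 6-character label under .top, whereas the `dns_query; content:".top"` part added in sid 2826518 matches any queried name containing ".top".

```python
import struct

def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: minimal standard DNS A query, RD set, QDCOUNT=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode()
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def match_cerber_format(payload: bytes) -> bool:
    """Replay the payload-relative content chain shared by both rules.
    Every 'distance:N; within:len' pair pins the next content to an exact offset."""
    # content:"|01|"; depth:1; offset:2 -> flags high byte: standard query, RD set
    if payload[2:3] != b"\x01":
        return False
    pos = 3 + 1                      # distance:1 skips the flags low byte (RCODE etc.)
    # content:"|00 01 00 00 00 00 00|"; within:7 -> QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT hi=0
    if payload[pos:pos + 7] != b"\x00\x01\x00\x00\x00\x00\x00":
        return False
    pos += 7 + 1                     # distance:1 skips the ARCOUNT low byte
    # content:"|10|"; within:1 -> first label is exactly 16 characters
    if payload[pos:pos + 1] != b"\x10":
        return False
    pos += 1 + 16                    # distance:16 skips that label
    # content:"|06|"; within:1 -> second label is exactly 6 characters
    if payload[pos:pos + 1] != b"\x06":
        return False
    pos += 1 + 6                     # distance:6 skips that label
    # content:"|03|top|00|"; within:5 -> TLD "top" followed by the root label
    return payload[pos:pos + 5] == b"\x03top\x00"

def dns_query_name(payload: bytes) -> str:
    """Decode the question QNAME (queries carry no compression pointers),
    i.e. the string the dns_query buffer exposes to the rule."""
    pos, labels = 12, []
    while payload[pos] != 0:
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels)

def rule_2826518_matches(payload: bytes) -> bool:
    """Both conditions of the FP-generating rule: payload chain AND dns_query contains '.top'."""
    return match_cerber_format(payload) and ".top" in dns_query_name(payload)

if __name__ == "__main__":
    for name in ("abcdefghijklmnop.qrstuv.top", "example.top", "abcdefghijklmnop.qrstuv.com"):
        pkt = build_dns_query(name)
        print(f"{name:32} payload-chain={match_cerber_format(pkt)!s:5} "
              f"dns_query-has-.top={'.top' in dns_query_name(pkt)}")
```

Running it shows that `example.top` satisfies the `dns_query` content alone but not the byte-position chain, so the two halves of the rule are far from equivalent.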

Test runs

This is Suricata version 4.0.0 RELEASE
2/11/2017 -- 10:28:50 - <Notice> - This is Suricata version 4.0.0 RELEASE
2/11/2017 -- 10:28:50 - <Notice> - Ring buffer initialized with 2 files.
2/11/2017 -- 10:28:50 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
2/11/2017 -- 10:28:50 - <Notice> - Signal Received.  Stopping engine.
2/11/2017 -- 10:28:50 - <Notice> - Pcap-file module read 2 packets, 316 bytes
11/02/2017-10:14:22.471069  [**] [1:2826518:5] ETPRO TROJAN DNS Query matching Cerber Domain Format (.top TLD) FP [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 192.168.1.9:42818 -> 8.8.8.8:53

suricata 3.2.3 test

rm: cannot remove ‘/tmp/packet_stats.log’: No such file or directory
rm: cannot remove ‘/tmp/custom.log’: No such file or directory
rm: cannot remove ‘/tmp/http.log’: No such file or directory
rm: cannot remove ‘/tmp/files/*’: No such file or directory
This is Suricata version 3.2.3 RELEASE
2/11/2017 -- 10:28:50 - <Notice> - This is Suricata version 3.2.3 RELEASE
2/11/2017 -- 10:28:50 - <Notice> - Ring buffer initialized with 2 files.
2/11/2017 -- 10:28:50 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
2/11/2017 -- 10:28:50 - <Notice> - Signal Received.  Stopping engine.
2/11/2017 -- 10:28:50 - <Notice> - Pcap-file module read 2 packets, 316 bytes

suricata 3.0.2 test

This is Suricata version 3.0.2 RELEASE
2/11/2017 -- 10:28:50 - <Notice> - This is Suricata version 3.0.2 RELEASE
2/11/2017 -- 10:28:50 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - Please use 'tls-store' in YAML to configure TLS storage
2/11/2017 -- 10:28:50 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
2/11/2017 -- 10:28:50 - <Notice> - Signal Received.  Stopping engine.
2/11/2017 -- 10:28:50 - <Notice> - Pcap-file module read 2 packets, 316 bytes

suricata 2.0.11 test

This is Suricata version 2.0.11 RELEASE
2/11/2017 -- 10:28:50 - <Notice> - This is Suricata version 2.0.11 RELEASE
2/11/2017 -- 10:28:50 - <Notice> - all 1 packet processing threads, 3 management threads initialized, engine started.
2/11/2017 -- 10:28:50 - <Notice> - Signal Received.  Stopping engine.
2/11/2017 -- 10:28:50 - <Notice> - Pcap-file module read 2 packets, 316 bytes

suricata 1.4.7 test

This is Suricata version 1.4.7 RELEASE
2/11/2017 -- 10:28:50 - <Info> - This is Suricata version 1.4.7 RELEASE
2/11/2017 -- 10:28:50 - <Info> - CPUs/cores online: 4
2/11/2017 -- 10:28:50 - <Error> - [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "dns" cannot be used in a signature
2/11/2017 -- 10:28:50 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns $HOME_NET any -> any any (msg:"ETPRO TROJAN DNS Query matching Cerber Domain Format (.top TLD) FP"; content:"|01|"; depth:1; offset:2; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|10|"; distance:1; within:1; content:"|06|"; distance:16; within:1; content:"|03|top|00|"; distance:6; within:5; dns_query; content:".top"; fast_pattern; reference:url,blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/; " from file /etc/suricata/rules/suricata.rules at line 22
2/11/2017 -- 10:28:50 - <Error> - [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "dns" cannot be used in a signature
2/11/2017 -- 10:28:50 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns $HOME_NET any -> any any (msg:"ETPRO TROJAN DNS Query matching Cerber Domain Format (.top TLD) no FP"; content:"|01|"; depth:1; offset:2; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|10|"; distance:1; within:1; content:"|06|"; distance:16; within:1; content:"|03|top|00|"; distance:6; within:5; fast_pattern; reference:url,blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/; classtype:trojan-activit" from file /etc/suricata/rules/suricata.rules at line 25
2/11/2017 -- 10:28:50 - <Error> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!