Bug #1045: Suricata smtp flowbits FN
Status: closed
Description
Hi,
During my testing, I found an FN when smtp and flowbits are used.
Created a PoC especially for this:
1) attached pcap file (not changed, no fuzzing).
2) created three sigs:
alert tcp any any -> any 25 (msg:"SMTP EHLO"; flow:to_server,established; content:"EHLO "; flowbits:set,smtp.helo.found; classtype:attempted-user; sid:1; rev:1;)
alert tcp any any -> any 25 (msg:"SMTP DATA"; flow:to_server,established; flowbits:isset,smtp.helo.found; content:"DATA"; flowbits:unset,smtp.helo.found; flowbits:set,smtp.data.found; classtype:attempted-admin; sid:2; rev:1;)
alert tcp any any -> any 25 (msg:"SMTP Subject"; flow:to_server,established; flowbits:isset,smtp.data.found; content:"Subject|3A| test email"; classtype:attempted-admin; sid:3; rev:1;)
3) [FN] start suricata and look at fast.log:
11/26/2013-16:30:20.277177 [**] [1:1:1] SMTP EHLO [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 88.191.140.111:51906 -> 188.125.69.79:25
11/26/2013-16:30:20.277177 [**] [1:2:1] SMTP DATA [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 88.191.140.111:51906 -> 188.125.69.79:25
4) swapped the last two flowbits but same FN:
alert tcp any any -> any 25 (msg:"SMTP DATA"; flow:to_server,established; flowbits:isset,smtp.helo.found; content:"DATA"; flowbits:set,smtp.data.found; flowbits:unset,smtp.helo.found; classtype:attempted-admin; sid:2; rev:1;)
5) changed unset to set but same FN:
alert tcp any any -> any 25 (msg:"SMTP DATA"; flow:to_server,established; flowbits:isset,smtp.helo.found; content:"DATA"; flowbits:set,smtp.helo.found; flowbits:set,smtp.data.found; classtype:attempted-admin; sid:2; rev:1;)
6) renamed the flowbits name but same FN:
alert tcp any any -> any 25 (msg:"SMTP DATA"; flow:to_server,established; flowbits:isset,smtp.helo.found; content:"DATA"; flowbits:unset,smtp.xxxxx.found; flowbits:set,smtp.data.found; classtype:attempted-admin; sid:2; rev:1;)
7) ok, only removed flowbits:unset,smtp.helo.found; on sid 2 and suricata fires differently:
11/26/2013-16:30:20.277177 [**] [1:1:1] SMTP EHLO [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 88.191.140.111:51906 -> 188.125.69.79:25
11/26/2013-16:30:20.277177 [**] [1:2:1] SMTP DATA [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 88.191.140.111:51906 -> 188.125.69.79:25
11/26/2013-16:30:20.277177 [**] [1:3:1] SMTP Subject [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 88.191.140.111:51906 -> 188.125.69.79:25
Why does Suricata not fire on points 3+4+5+6, please?
Tested on Suricata recent git and v1.4.6.
Snort fires.
Regards
rmkml
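As an added illustration (not code from the report and not Suricata's own engine), the following Python simulates the flowbits semantics the three posted rules rely on: `flowbits:isset`/`isnotset` are match conditions checked against per-flow state, while `set`/`unset`/`toggle` are applied only after the rule has matched, in the order they appear. The SMTP client payloads are constructed here, not taken from the reporter's pcap, and the evaluation model (rules checked in listed order for each payload) is a simplification that does not reproduce the real engine's ordering.

```python
import re

# Constructed SMTP client-to-server payloads, one per packet (not the reporter's pcap).
SMTP_CLIENT_PAYLOADS = [
    b"EHLO client.example.test\r\n",
    b"MAIL FROM:<alice@example.test>\r\n",
    b"RCPT TO:<bob@example.test>\r\n",
    b"DATA\r\n",
    b"Subject: test email\r\n\r\nhello\r\n.\r\n",
]

# The three rules as posted in the report (sid 2 in its original form: unset before set).
RULES = [
    'alert tcp any any -> any 25 (msg:"SMTP EHLO"; flow:to_server,established; content:"EHLO "; flowbits:set,smtp.helo.found; classtype:attempted-user; sid:1; rev:1;)',
    'alert tcp any any -> any 25 (msg:"SMTP DATA"; flow:to_server,established; flowbits:isset,smtp.helo.found; content:"DATA"; flowbits:unset,smtp.helo.found; flowbits:set,smtp.data.found; classtype:attempted-admin; sid:2; rev:1;)',
    'alert tcp any any -> any 25 (msg:"SMTP Subject"; flow:to_server,established; flowbits:isset,smtp.data.found; content:"Subject|3A| test email"; classtype:attempted-admin; sid:3; rev:1;)',
]

# keyword:value; pairs, where value is either a quoted string or a bare token list
_OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')
_HEX_RE = re.compile(r'\|([0-9A-Fa-f\s]+)\|')


def decode_content(text):
    """Turn a rule content string into bytes, expanding |3A|-style hex runs."""
    out = b""
    pos = 0
    for m in _HEX_RE.finditer(text):
        out += text[pos:m.start()].encode()
        out += bytes.fromhex(m.group(1).replace(" ", ""))
        pos = m.end()
    return out + text[pos:].encode()


def parse_rule(rule):
    """Extract only what the simulator needs: sid, content patterns, flowbits ops in order."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    parsed = {"sid": None, "contents": [], "flowbits": []}
    for key, value in _OPTION_RE.findall(body):
        value = value.strip()
        if key == "sid":
            parsed["sid"] = int(value)
        elif key == "content":
            parsed["contents"].append(decode_content(value.strip('"')))
        elif key == "flowbits":
            action, _, name = value.partition(",")
            parsed["flowbits"].append((action.strip(), name.strip()))
    return parsed


def evaluate(rules, payloads):
    """Replay payloads of one flow through the rules and return the sids that alert, in order.

    Simplified model: every rule is checked against every payload in listed order;
    isset/isnotset gate the match, set/unset/toggle run only after a match.
    """
    parsed = [parse_rule(r) for r in rules]
    flowbits = set()  # per-flow state shared by all rules
    alerts = []
    for payload in payloads:
        for rule in parsed:
            if not all(pattern in payload for pattern in rule["contents"]):
                continue
            conditions_ok = True
            for action, name in rule["flowbits"]:
                if action == "isset" and name not in flowbits:
                    conditions_ok = False
                elif action == "isnotset" and name in flowbits:
                    conditions_ok = False
            if not conditions_ok:
                continue
            alerts.append(rule["sid"])
            for action, name in rule["flowbits"]:  # post-match actions, in rule order
                if action == "set":
                    flowbits.add(name)
                elif action == "unset":
                    flowbits.discard(name)
                elif action == "toggle":
                    flowbits ^= {name}
    return alerts


if __name__ == "__main__":
    print("per-packet:", evaluate(RULES, SMTP_CLIENT_PAYLOADS))
    print("one chunk:", evaluate(RULES, [b"".join(SMTP_CLIENT_PAYLOADS)]))
    print("one chunk, rules reversed:", evaluate(list(reversed(RULES)), [b"".join(SMTP_CLIENT_PAYLOADS)]))
```

With one command per payload the expected sequence is sids 1, 2, 3, which is what the reporter expects and what point 7 produces. The last two calls feed the whole client side as a single buffer: with the rules in listed order all three still alert, but with the order reversed only sid 1 alerts, because the isset checks of sids 2 and 3 run before sid 1 has set its bit. That is the general shape of a flowbits false negative when several rules have to match inside the same reassembled chunk (the three fast.log alerts in the report share one timestamp, which is consistent with that, though the page does not say so); the simulator shows the dependency on evaluation order, not what Suricata's engine actually did.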
Updated by Victor Julien almost 11 years ago
This appears to be the same issue as #1061.
In the current master it works correctly. rmkml, can you confirm?
Updated by Andreas Herz over 8 years ago
- Status changed from New to Closed
2 years and since confirmed fixed by Victor, I guess we can close that.