Bug #1045

closed

Suricata smtp flowbits FN

Added by rmkml rmkml almost 11 years ago. Updated almost 9 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-

Description

Hi,

During my testing, I found a FN when smtp and flowbits are used.

Created a PoC especially for this:

1) attached pcap file (not changed, no fuzzing).

2) created three sigs:

alert tcp any any -> any 25 (msg:"SMTP EHLO"; flow:to_server,established; content:"EHLO "; flowbits:set,smtp.helo.found; classtype:attempted-user; sid:1; rev:1;)

alert tcp any any -> any 25 (msg:"SMTP DATA"; flow:to_server,established; flowbits:isset,smtp.helo.found; content:"DATA"; flowbits:unset,smtp.helo.found; flowbits:set,smtp.data.found; classtype:attempted-admin; sid:2; rev:1;)

alert tcp any any -> any 25 (msg:"SMTP Subject"; flow:to_server,established; flowbits:isset,smtp.data.found; content:"Subject|3A| test email"; classtype:attempted-admin; sid:3; rev:1;)

3) [FN] start Suricata and look at fast.log:
11/26/2013-16:30:20.277177 [**] [1:1:1] SMTP EHLO [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 88.191.140.111:51906 -> 188.125.69.79:25
11/26/2013-16:30:20.277177 [**] [1:2:1] SMTP DATA [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 88.191.140.111:51906 -> 188.125.69.79:25

4) swapped the last two flowbits but same FN:
alert tcp any any -> any 25 (msg:"SMTP DATA"; flow:to_server,established; flowbits:isset,smtp.helo.found; content:"DATA"; flowbits:set,smtp.data.found; flowbits:unset,smtp.helo.found; classtype:attempted-admin; sid:2; rev:1;)

5) changed unset to set but same FN:
alert tcp any any -> any 25 (msg:"SMTP DATA"; flow:to_server,established; flowbits:isset,smtp.helo.found; content:"DATA"; flowbits:set,smtp.helo.found; flowbits:set,smtp.data.found; classtype:attempted-admin; sid:2; rev:1;)

6) renamed the flowbits name but same FN:
alert tcp any any -> any 25 (msg:"SMTP DATA"; flow:to_server,established; flowbits:isset,smtp.helo.found; content:"DATA"; flowbits:unset,smtp.xxxxx.found; flowbits:set,smtp.data.found; classtype:attempted-admin; sid:2; rev:1;)

7) OK, only removing flowbits:unset,smtp.helo.found; on sid 2 makes Suricata fire differently:
11/26/2013-16:30:20.277177 [**] [1:1:1] SMTP EHLO [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 88.191.140.111:51906 -> 188.125.69.79:25
11/26/2013-16:30:20.277177 [**] [1:2:1] SMTP DATA [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 88.191.140.111:51906 -> 188.125.69.79:25
11/26/2013-16:30:20.277177 [**] [1:3:1] SMTP Subject [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 88.191.140.111:51906 -> 188.125.69.79:25

Why does Suricata not fire on points 3+4+5+6, please?

Tested on Suricata recent git and v1.4.6.
Snort fires.

Regards
rmkml


Files

smtpsuricataflowbitsFN.pcap (2.42 KB) rmkml rmkml, 11/27/2013 03:14 AM
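Added example, not code from the report or from Suricata: a toy Python flowbits evaluator over the three rules in the report, showing that a chained flowbits rule set only fires completely on a single chunk when rules are inspected in set-before-isset order, and that inspecting sid 3 before sid 2 yields exactly the two alerts seen in the report's fast.log. The payload is constructed, and the engine is a simplification of Suricata's real ordering and evaluation, not a diagnosis of this bug's cause.

```python
import re

# The three rules from the report (sid 2 in its original form, with the unset).
RULES = [
    'alert tcp any any -> any 25 (msg:"SMTP EHLO"; flow:to_server,established; content:"EHLO "; flowbits:set,smtp.helo.found; classtype:attempted-user; sid:1; rev:1;)',
    'alert tcp any any -> any 25 (msg:"SMTP DATA"; flow:to_server,established; flowbits:isset,smtp.helo.found; content:"DATA"; flowbits:unset,smtp.helo.found; flowbits:set,smtp.data.found; classtype:attempted-admin; sid:2; rev:1;)',
    'alert tcp any any -> any 25 (msg:"SMTP Subject"; flow:to_server,established; flowbits:isset,smtp.data.found; content:"Subject|3A| test email"; classtype:attempted-admin; sid:3; rev:1;)',
]
# Constructed to_server chunk with all three stages at once (stands in for the attached pcap).
PAYLOAD = b"EHLO mail.example\r\nMAIL FROM:<a@example>\r\nDATA\r\nSubject: test email\r\n"

def parse_rule(rule):
    """Extract sid, content (|hex| decoded) and the flowbits ops of one rule."""
    sid = int(re.search(r"sid:(\d+);", rule).group(1))
    raw = re.search(r'content:"([^"]*)";', rule).group(1)
    content = re.sub(r"\|([0-9A-Fa-f ]+)\|",
                     lambda m: bytes.fromhex(m.group(1)).decode("latin-1"), raw)
    ops = re.findall(r"flowbits:(set|unset|isset),([\w.]+);", rule)
    return {"sid": sid, "content": content.encode("latin-1"), "ops": ops}

def evaluate(rules, payload, order):
    """Inspect one payload with rules in the given sid order; bits set/unset earlier are visible later."""
    by_sid, state, fired = {r["sid"]: r for r in rules}, set(), []
    for r in (by_sid[s] for s in order):
        if r["content"] in payload and all(
                n in state for op, n in r["ops"] if op == "isset"):
            fired.append(r["sid"])
            state |= {n for op, n in r["ops"] if op == "set"}
            state -= {n for op, n in r["ops"] if op == "unset"}
    return fired

def dependency_order(rules):
    """Topological order: a rule that sets a bit precedes rules that test it (unset adds no edge)."""
    by_sid, setters, seen, order = {r["sid"]: r for r in rules}, {}, set(), []
    for r in rules:
        for n in (n for op, n in r["ops"] if op == "set"):
            setters.setdefault(n, []).append(r["sid"])
    def visit(sid):
        if sid not in seen:
            seen.add(sid)
            for dep in (d for op, n in by_sid[sid]["ops"] if op == "isset"
                        for d in setters.get(n, [])):
                visit(dep)
            order.append(sid)
    for sid in sorted(by_sid):
        visit(sid)
    return order
if __name__ == "__main__":
    parsed = [parse_rule(r) for r in RULES]
    print(evaluate(parsed, PAYLOAD, dependency_order(parsed)), evaluate(parsed, PAYLOAD, [1, 3, 2]))  # [1, 2, 3] [1, 2]
```

The second result reproduces the report's fast.log (sids 1 and 2 only), which is why a chained rule set should be validated against a pcap where all stages arrive in one chunk.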
Actions #1

Updated by Victor Julien almost 11 years ago

This appears to be the same issue as #1061.

In the current master it works correctly. @rmkml, can you confirm?

Actions #2

Updated by Andreas Herz almost 9 years ago

  • Status changed from New to Closed

2 years and since confirmed fixed by Victor, I guess we can close that.
