Bug #2216
closedRule firing where it shouldn`t
Description
Hello Gentlemen,
I have a wonderful sig to Emotet that unfortunately is hitting where it shouldn`t.
alert http $EXTERNAL_NET [443,7080,8080,80] -> $HOME_NET any (msg:"ETPRO TROJAN W32/Emotet.v4 Checkin Fake 404 Payload Response"; flow:established,from_server; content:"404"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; pcre:"/Content-Length\x3a\x20\d{6}/Hmi"; file_data; content:!"<html"; nocase; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n][\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n][\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/si"; metadata: former_category TROJAN; reference:md5,dacdcd451204265ad6f44ef99db1f371; classtype:trojan-activity; sid:2828007; rev:2; metadata:created_at 2017_09_19, malware_family Emotet, updated_at 2017_09_19;)
Files
Updated by Andreas Herz over 7 years ago
- Assignee set to OISF Dev
- Target version set to TBD
- Private changed from No to Yes
Updated by Victor Julien over 7 years ago
- Description updated (diff)
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Victor Julien
- Target version changed from TBD to 70
Updated by Francis Trudeau over 7 years ago
Here is a simplified rule that hits on 2028007-2, but shouldn't as well:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET Match Test"; content:"404"; http_stat_code; file_data; content:!"<html"; classtype:trojan-activity; sid:30301; rev:1;)
Looking at that pcap in Wireshark, it looks malformed. Wireshark doesn't recognize the 200 stat code in that stream. Display filter "http.response.code == 200" comes back blank. Not sure if that's related, but it's strange.
Updated by Pedro Marinho over 7 years ago
There is nothing to do with Wireshark. My Wireshark does recognize the 200 stat code. I am running Wireshark 2.4.1 (v2.4.1-0-gf42a0d2)
Updated by Pedro Marinho over 7 years ago
- File wireeshark.jpg wireeshark.jpg added
Updated by Victor Julien about 7 years ago
- Status changed from Assigned to Rejected
- Target version deleted (
70)
This is behaving as expected.
What happens is that the file_data buffer is large, larger than the initial inspection limit:
response-body-minimal-inspect-size: 40kb response-body-inspect-window: 16kb
This means that after the initial 40k, the body is inspected in 16k chunks. In one of the chunks there is no occurence of the '<html' pattern, so it matches.
This can be shown by increasing the "response-body-minimal-inspect-size" setting to 100k. This makes the issue go away.
If you enable EVE's "http-body-printable" you will see that the matching data is indeed not the start of the body:
types: - alert: ... http-body-printable: yes
cat eve.json | jq -c 'select(.alert)|.http.http_response_body_printable'|head -c 64 -custom"> <a href="http://www.automo
The easiest way to deal with this is to use a depth. The depth is enforced against the entire body, so not per chunk. So a depth of 1024, can only possibly match against the first 1024 bytes of the initial chunk.
Updated by Pedro Marinho about 7 years ago
Thanks Victor !
I confirm it does work as expected after adding a depth:1024 content modifier at the negated content to <html
alert http $EXTERNAL_NET [443,7080,8080,80] > $HOME_NET any (msg:"ETPRO TROJAN W32/Emotet.v4 Checkin Fake 404 Payload Response"; flow:established,from_server; content:"404"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; pcre:"/Content-Length\x3a\x20\d{6}/Hmi"; file_data; content:!"<html"; nocase; depth:1024; pcre:"/^[\x20\x7e\r\n]{0,20}[^\x20-\x7e\r\n][\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n][\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/si"; metadata: former_category TROJAN; reference:md5,dacdcd451204265ad6f44ef99db1f371; classtype:trojan-activity; sid:2828007; rev:2; metadata:created_at 2017_09_19, malware_family Emotet, updated_at 2017_09_19;)
pedro@millenium-falcon:~/suricataScada/oisf$ sudo bin/suricata c suricata.yaml -r /media/sf_SharedVM/2828007-1.pcap 13:46:02 - (suricata.c:1005) <Notice> (SCPrintVersion) -- This is Suricata version 3.2dev (rev f9f5e8a)
[2552] 9/10/2017 -
[2552] 9/10/2017 -- 13:46:02 - (tm-threads.c:2098) <Notice> (TmThreadWaitOnThreadInit) -- all 2 packet processing threads, 4 management threads initialized, engine started.
[2552] 9/10/2017 -- 13:46:02 - (suricata.c:2621) <Notice> (main) -- Signal Received. Stopping engine.
[2553] 9/10/2017 -- 13:46:03 - (source-pcap-file.c:388) <Notice> (ReceivePcapFileThreadExitStats) -- Pcap-file module read 828 packets, 611444 bytes
pedro@millenium-falcon:~/suricataScada/oisf$ tail var/log/suricata/fast.log
pedro@millenium-falcon:~/suricataScada/oisf$