Bug #283
closedInvalid trigger of rule 1:2008100:10 (running Suricata 1.0.3 on FC14)
Description
Rule 2008100 is being triggered when I access a management page on a Splunk server in my LAN:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PRG/wnspoem/Zeus InfoStealer Trojan Config Download"; flow:established; content:"/cfg.bin"; nocase; http_uri; fast_pattern; content:"GET"; http_method; nocase; content:"no-cache|0d 0a|"; http_header; nocase; pcre:"/\/cfg\.bin$/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008100; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_PRG; sid:2008100; rev:10;)
Alarm:
04/18/11-19:37:56.330768 [**] [1:2008100:10] ET TROJAN PRG/wnspoem/Zeus InfoStealer Trojan Config Download [**] [Classification: A Network Trojan was detected] [Priority: 3] {6} 192.168.11.160:8000 -> 167.235.7.71:36388 [Xref => http://doc.emergingthreats.net/2008100][Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_PRG]
I'm unable to find the string "cfg" (case insensitive) within the TCP conversation that includes the packet matching that timestamp. I masked out a password from the enclosed content... it didn't contain that string either ;-).
Files
Updated by Victor Julien about 13 years ago
- Status changed from New to Assigned
- Assignee set to Peter Manev
- Target version deleted (
1.0.2)
@Peter Pan, can you try to reproduce this issue?
Updated by John Pile about 13 years ago
- File snort.rules.gz snort.rules.gz added
I'm including the ruleset I used, in case one rule was fired but a different rule was reported.
Updated by John Pile about 13 years ago
I reran with 2008100 as the only rule, and it is still triggered when I open the same page.
Updated by Peter Manev about 13 years ago
- File issue283.pcap issue283.pcap added
I generated a pcap from the Wireshark text dump.
Continuing to explore the issue...
Updated by Peter Manev about 13 years ago
I tried to reproduce it, but I could not trigger an alert with the same rule.
@John, could you please try to reproduce it from the pcap(offline) that I generated from your wireshark txt file and upload your yaml.conf (if it is ok).
Thanks
Updated by John Pile about 13 years ago
- File suricata.yaml suricata.yaml added
cd /etc/suricata/rules mv snort.rules snort.rules.bak grep 2008100 snort.rules.bak >snort.rules suricata -c /etc/suricata/suricata.yaml -r /tmp/issue283.pcap
The above did not trigger an alert. However, when I run suricata against eth0, I can consistently reproduce the alarm.
suricata -c /etc/suricata/suricata.yaml -i eth0
I tried recapturing using Wireshark (as root) and reopened the Splunk page, triggering the same rule. I saved that session to a .pcap file using "Wireshark/tcpdump/... - libpcap" format. On replay of that file, no alarm was triggered.
Updated by John Pile about 13 years ago
- File config.log config.log added
I'm including a copy of the config.log in case there's anything of interest in how this was compiled.
Updated by Peter Manev about 13 years ago
Thanks John,
I get no alerts while replaying the pcap file.
I will look into the config and log files and update.
Thanks
Updated by John Pile about 13 years ago
- File trigger.pcap trigger.pcap added
I'm now able to reproduce the alert on a replay with 2008100 as the only rule loaded using the enclosed trigger.pcap. It triggers the alarm twice, as shown below.
04/29/11-15:50:46.072001 [**] [1:2008100:10] ET TROJAN PRG/wnspoem/Zeus InfoStealer Trojan Config Download [**] [Classification: A Network Trojan was detected] [Priority: 3] {6} 192.168.11.31:8000 -> 167.235.7.71:39956 [Xref => http://doc.emergingthreats.net/2008100][Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_PRG]
[root@c001-007470 suricata]# cat /etc/suricata/rules/snort.rules
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PRG/wnspoem/Zeus InfoStealer Trojan Config Download"; flow:established; content:"/cfg.bin"; nocase; http_uri; fast_pattern; content:"GET"; http_method; nocase; content:"no-cache|0d 0a|"; http_header; nocase; pcre:"/\/cfg\.bin$/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008100; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_PRG; sid:2008100; rev:10;)
Updated by John Pile about 13 years ago
My cutting and pasting skills are not aging well... Here's the first instance of the rule being triggered as described in the prior message.
04/29/11-15:50:46.071318 [**] [1:2008100:10] ET TROJAN PRG/wnspoem/Zeus InfoStealer Trojan Config Download [**] [Classification: A Network Trojan was detected] [Priority: 3] {6} 192.168.11.31:8000 -> 167.235.7.71:39956 [Xref => http://doc.emergingthreats.net/2008100][Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_PRG]
Updated by Peter Manev about 13 years ago
Did a couple of tests and used the yaml conf file provided - and can confirm that this bug is valid for Suricata 1.0.3 BUT NOT if you compile Suricata from GIT.
If you use Suricata from git the alert is NOT triggered - which is only appropriate I believe.
Updated by Victor Julien almost 12 years ago
- Status changed from Assigned to Closed