Bug #788
closedfile_data relative positive and negative match at same offset problem
Description
Hello Gentlemen,
I've built this signature last week. It is generating an alert where it shouldn't False Positive. Maybe it is a problem with suricata file_data because
#original signature that False Positives
alert http any any -> any any (msg:"ETPRO TROJAN TeamSpy Campaign module download"; flow:established,from_server; content:"Content-Type|3a| image/jpeg"; http_header; file_data; content:!"|FF D8 FF|"; within:3; content:"CU"; within:2; reference:url,crysys.hu/teamspy/teamspy.pdf; classtype:trojan-activity; sid:2806152; rev:3; )
#pcap attached shouldnotring.pcap
GET /jkzs.jpg HTTP/1.1
User-Agent: a5fb3a521043db2898c01f02c32f94f3.exe
Connection: Keep-Alive
Cache-Control: no-cache
Host: rh.adstim.com
HTTP/1.1 200 OK
Date: Fri, 05 Oct 2012 18:44:04 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Thu, 04 Oct 2012 08:19:03 GMT
ETag: "d01ced-4ac00-68754bc0"
Accept-Ranges: bytes
Content-Length: 306176
Connection: close
Content-Type: image/jpeg
~i3333333333cv33.243333333333333.3..82333.433{233333o.:33#33
#other attempts
#this way it does False Positive
alert http any any -> any any (msg:"ETPRO TROJAN TeamSpy Campaign module download"; flow:established,from_server; content:"Content-Type|3a| image/jpeg"; http_header; file_data; content:!"|FF D8 FF|"; within:3; file_data; content:"CU"; within:2; reference:url,crysys.hu/teamspy/teamspy.pdf; classtype:trojan-activity; sid:2806152; rev:3; )
#this way it does False Negative
alert http any any -> any any (msg:"ETPRO TROJAN TeamSpy Campaign module download"; flow:established,from_server; content:"Content-Type|3a| image/jpeg"; http_header; file_data; content:!"|FF D8 FF|"; within:3; content:"|0D 0A 0D 0A|CU"; reference:url,crysys.hu/teamspy/teamspy.pdf; classtype:trojan-activity; sid:2806152; rev:3; )
#This way it don't False Positive or False Negative it works as expected.
alert http any any -> any any (msg:"ETPRO TROJAN TeamSpy Campaign module download"; flow:established,from_server; content:"Content-Type|3a| image/jpeg"; http_header; content:!"|0D 0A 0D 0A FF D8 FF|"; content:"|0D 0A 0D 0A|CU"; reference:url,crysys.hu/teamspy/teamspy.pdf; classtype:trojan-activity; sid:2806152; rev:3; )
#this way it does False Positive
alert http any any -> any any (msg:"ETPRO TROJAN TeamSpy Campaign module download"; flow:established,from_server; content:"Content-Type|3a| image/jpeg"; http_header; content:!"|FF D8 FF|"; file_data; within:3; content:"CU"; file_data; within:2; reference:url,crysys.hu/teamspy/teamspy.pdf; classtype:trojan-activity; sid:2806152; rev:3; )
Files
Updated by Pedro Marinho about 11 years ago
- File shouldring.pcap added
the pcap where it should ring
Updated by Anoop Saldanha about 11 years ago
- Assignee set to Anoop Saldanha
- Target version set to 1.4.2
Unable to reproduce this.
Updated by Pedro Marinho about 11 years ago
- File suricata.yaml suricata.yaml added
this sig should not ring here because there is not a "CU" depth:2; at file_data
alert http any any -> any any (msg:"ETPRO TROJAN TeamSpy Campaign module download"; flow:established,from_server; content:"Content-Type|3a| image/jpeg"; http_header; file_data; content:!"|FF D8 FF|"; within:3; content:"CU"; within:2; reference:url,crysys.hu/teamspy/teamspy.pdf; classtype:trojan-activity; sid:2806152; rev:3; )
15:44:00.661349 IP 80.79.116.59.http > 10.0.2.15.boinc-client: Flags [P.], seq 1:1449, ack 147, win 8760, lengt
h 1448
0x0000: 4508 05d0 000c 0000 4006 a47b 504f 743b E.......@..{POt;
0x0010: 0a00 020f 0050 0413 021f f202 be71 caac .....P.......q..
0x0020: 5018 2238 d337 0000 4854 5450 2f31 2e31 P."8.7..HTTP/1.1
0x0030: 2032 3030 204f 4b0d 0a44 6174 653a 2046 .200.OK..Date:.F
0x0040: 7269 2c20 3035 204f 6374 2032 3031 3220 ri,.05.Oct.2012.
0x0050: 3138 3a34 343a 3034 2047 4d54 0d0a 5365 18:44:04.GMT..Se
0x0060: 7276 6572 3a20 4170 6163 6865 2f32 2e32 rver:.Apache/2.2
0x0070: 2e33 2028 4365 6e74 4f53 290d 0a4c 6173 .3.(CentOS)..Las
0x0080: 742d 4d6f 6469 6669 6564 3a20 5468 752c t-Modified:.Thu,
0x0090: 2030 3420 4f63 7420 3230 3132 2030 383a .04.Oct.2012.08:
0x00a0: 3139 3a30 3320 474d 540d 0a45 5461 673a 19:03.GMT..ETag:
0x00b0: 2022 6430 3163 6564 2d34 6163 3030 2d36 ."d01ced-4ac00-6
0x00c0: 3837 3534 6263 3022 0d0a 4163 6365 7074 8754bc0"..Accept
0x00d0: 2d52 616e 6765 733a 2062 7974 6573 0d0a -Ranges:.bytes..
0x00e0: 436f 6e74 656e 742d 4c65 6e67 7468 3a20 Content-Length:.
0x00f0: 3330 3631 3736 0d0a 436f 6e6e 6563 7469 306176..Connecti
0x0100: 6f6e 3a20 636c 6f73 650d 0a43 6f6e 7465 on:.close..Conte
0x0110: 6e74 2d54 7970 653a 2069 6d61 6765 2f6a nt-Type:.image/j
0x0120: 7065 670d 0a0d 0a7e 6933 3333 3333 3333 peg....~i3333333
0x0130: 3333 3363 7633 337f 3234 3333 3333 3333 333cv33.24333333
0x0140: 3333 3333 3333 33d3 33bc b238 3233 3333 3333333.3..82333
0x0150: e934 3333 7b32 3333 3333 336f a33a 3333 .433{233333o.:33
0x0160: 2333 333f 3333 3333 3373 3333 2333 3333 #33?33333s33#333
my suricata.yaml file is attached. This is Suricata version 2.0dev (rev ce99a07)
Updated by Victor Julien about 11 years ago
Confirmed, thanks Pedro.
@Anoop, could reproduce the issue with Pedro's yaml.
The problem is indeed that a later chunk is inspected with "depth" as if it's the start of the buffer. We should probably set a flag or count the offset or something when considering depth.
Updated by Anoop Saldanha almost 11 years ago
Updated by Victor Julien almost 11 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
Merged https://github.com/inliniac/suricata/pull/379 into the 1.4 branch.
Opened #817 for the master branch.