Netgate Discussion Forum

Snort Custom Rule not alerting on traffic

IDS/IPS
snortids
5 Posts 2 Posters 1.6k Views
  • erasedhammer
    last edited by erasedhammer Jun 4, 2023, 10:01 PM

    pfSense Plus: 23.05-RELEASE
    Snort: 4.1.6_7
    Snort interface config:

    Block Offenders: Checked
    IPS Mode: Legacy
    Kill States: Checked
    IP to Block: DST
    Search Method: AC-BNFA

    I have a custom snort rule on one of my interfaces. The rule text is:

    alert tcp any any -> any any (msg:"TCP SYN Packet Containing Data Payload Detected";classtype:non-standard-protocol;sid:1999998;gid:1;content:"TCP SYN Packet Containing Data Payload Detected";flags:S;dsize:>0)
    

    I was testing with scapy,

    from scapy.all import IP, TCP, Raw, send

    data = 'datadatadatadatadata'
    a = IP(src='192.168.2.3',dst='192.168.20.10') / TCP(sport=54382,dport=80,flags="S") / Raw(load=data)
    send(a)
    .
    Sent 1 packets.

    But no alert is generated, and when doing a packet capture on both the interface the packet is coming in on and the interface it would go out, I see the packet pass all the way through.

    17:43:53.555211 IP 192.168.2.3.54382 > 192.168.20.10.80: tcp 7

    So pfSense is routing this bad packet, but my Snort rule is not catching it.
    I have also checked the active rules section in the Snort Interface Rules tab, and my rule shows up as active and at the top of the list.
    I have restarted the firewall, restarted the snort interface, reloaded the snort rules, nothing seems to work.

    What seems to be the problem here?

    • bmeeks
      last edited by Jun 5, 2023, 12:54 PM

      Which interface are you running Snort on? Is it the 192.168.2.3 interface? If running Snort on the other interface, then you need to change your rule or else use the <> direction operator to denote traffic flow in either direction.

      I don't think your content matching rule is going to work against your test data set. I believe it is going to attempt to match the entire string. Have a look at the old Snort manual chapter for content matching here: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node32.html#SECTION00451000000000000000.

      • erasedhammer @bmeeks
        last edited by Jun 5, 2023, 9:23 PM

        @bmeeks

        Snort is configured to use my LAN interface, and the 192.168.2.3 IP is off of that interface.

        According to the Snort Docs, dsize is the packet payload size.
        Specifically, it refers to the packet "payload" as TCP or UDP.

        Snort rules are best at evaluating a network packet's "payload" (e.g., the TCP or UDP data fields)
        

        So filtering on dsize greater than zero with a Syn flag should match any TCP Syn packet with something in the TCP payload.

        • bmeeks @erasedhammer
          last edited by Jun 6, 2023, 2:46 AM

          @erasedhammer said in Snort Custom Rule not alerting on traffic:

          So filtering on dsize greater than zero with a Syn flag should match any TCP Syn packet with something in the TCP payload.

          But I believe your "content:" string is going to be checked and found not present, thus no alert.

          The way I understand the content keyword is that it will expect to find that particular string in the packet payload, and if the entire string is not present in the payload then it will not alert.

          Your rule is looking for the string "TCP SYN Packet Containing Data Payload Detected", but that exact string is not present in your rule. Instead, your test is loading the payload with the string "datadatadatadatadata".

          • erasedhammer @bmeeks
            last edited by Jun 6, 2023, 9:48 PM
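The point made in this answer, worked through in code. This is an added example and not code from either poster or from the Snort project: it builds a raw TCP SYN segment with a constructed payload (struct only, no scapy needed), then evaluates the three rule options from the thread (flags:S, dsize:>0, content:"...") against it with simplified Snort semantics, showing that the original rule never fires because the content string is not in the payload, while the same rule without the content option does. The function names, the simplified matcher and the sample payloads are assumptions made for the example.

```python
import struct

# Added example (not from the forum thread). Minimal TCP segment builder/parser
# plus a matcher for the three rule options discussed in the thread.

TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10

# The content string from the original rule in the thread.
MSG = b"TCP SYN Packet Containing Data Payload Detected"


def build_tcp_segment(sport, dport, flags, payload):
    """Constructed 20-byte TCP header (no options) followed by payload.
    The checksum is left at zero; option matching does not need it."""
    data_offset_words = 5
    header = struct.pack(
        "!HHIIBBHHH",
        sport, dport,
        0,                       # sequence number (constructed)
        0,                       # acknowledgement number
        data_offset_words << 4,  # data offset in upper nibble, reserved bits zero
        flags,
        65535,                   # window
        0,                       # checksum (not computed for this example)
        0,                       # urgent pointer
    )
    return header + payload


def parse_tcp_segment(segment):
    """Parse the fixed header and return ports, flags and the TCP payload."""
    sport, dport, _seq, _ack, off_res, flags, _win, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    header_len = (off_res >> 4) * 4
    return {"sport": sport, "dport": dport, "flags": flags,
            "payload": segment[header_len:]}


def rule_matches(pkt, flags=None, dsize_gt=None, content=None):
    """Simplified Snort semantics for the options used in the thread.
    All given options must match (logical AND):
      flags:S     -> exactly the SYN bit set, no other flags
      dsize:>N    -> payload length strictly greater than N
      content:"x" -> the whole string x must appear in the payload
    """
    if flags is not None and pkt["flags"] != flags:
        return False
    if dsize_gt is not None and not len(pkt["payload"]) > dsize_gt:
        return False
    if content is not None and content not in pkt["payload"]:
        return False
    return True


def evaluate_thread_rules(payload=b"datadatadatadatadata"):
    """Run the original rule (with content) and the corrected rule (without
    content) against a SYN segment carrying the given payload.
    Returns (original_alerts, corrected_alerts)."""
    pkt = parse_tcp_segment(build_tcp_segment(54382, 80, TCP_FLAG_SYN, payload))
    original = rule_matches(pkt, flags=TCP_FLAG_SYN, dsize_gt=0, content=MSG)
    corrected = rule_matches(pkt, flags=TCP_FLAG_SYN, dsize_gt=0)
    return original, corrected


if __name__ == "__main__":
    # Same payload as the scapy test in the thread: original False, corrected True.
    print(evaluate_thread_rules())
    # Only when the payload literally contains the msg text does the original fire.
    print(evaluate_thread_rules(MSG))
```

The matcher is deliberately narrow: it ignores Snort's content modifiers (nocase, offset, depth and so on) and the flag-mask modifiers of the flags keyword, because none of them appear in the thread's rule. Its only purpose is to make the AND-combination of options visible: a content option that never appears in test traffic silently vetoes the alert no matter how the other options evaluate.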

            @bmeeks
            Ah, that is right. I might have gotten confused with that field. It does work omitting the content section.
            I appreciate your help!
