Possible SNORT bug, not detecting rule



  • Hello forum,

    I have been searching for a solution for a weird Snort behaviour, but haven't been able to find a solution - this may be a bug in the snort implementation.
    Could someone assist me in this matter? - NB: real malicious domain has been changed to "evilpage.tld"

    Snort info: Snort 2.9.7.6 pkg v3.2.9.1
    Rule that fires an alarm (correctly):
    alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"NF - POLICY - malicious web page access - LAN"; content:"GET"; nocase; http_method; content:"evilpage.tld"; nocase; http_header; classtype:policy-violation; sid:56001810; rev:1;)

    Rule that does not fire an alarm at all:
    alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"NF - POLICY - malicious web page access"; flow:to_server,established; detection_filter:track by_dst, count 14, seconds 15; content:"GET"; nocase; http_method; content:"evilpage.tld"; nocase; http_header; classtype:policy-violation; metadata:NF,25042015; sid:56001810; rev:1;)

    Would anyone in the forum be able to assist me, so both rules fire an alarm in Snort? I have a gut feeling that the "flow:established" keyword is the differentiator,
    but I would expect that the pfSense Snort would be able to understand this?

    many thanks in advance.


  • Moderator

    You could also add a DNS sinkhole in the Resolver… or the Forwarder...

    Example Resolver redirect rule:

    local-zone: "evilpage.tld" redirect
    local-data: "evilpage.tld A 127.0.0.1"



  • Hello BBcan117,

    Many thanks for taking the time to reply,

    Yes, I know that the resolver can be used, but I am wondering why the "flow:established" keyword is working in a "normal" Snort installation but not in the pfSense implementation.

    Would you know that?

    Many thanks for all assistance,



  • @vingaard:

    Would anyone in the forum be able to assist me, so both rules fire an alarm in Snort? I have a gut feeling that the "flow:established" keyword is the differentiator,
    but I would expect that the pfSense Snort would be able to understand this?

    many thanks in advance.

    Well, in that case, why don't you remove the threshold and diagnose only the flow… your second rule should be

    alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"NF - POLICY - malicious web page access"; flow:to_server,established; content:"GET"; nocase; http_method; content:"evilpage.tld"; nocase; http_header; classtype:policy-violation; metadata:NF,25042015; sid:56001811; rev:1;)
    

    F.
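
Added example, not part of any post in this thread: a simplified Python model of the `detection_filter:track by_dst, count 14, seconds 15` option from the second rule, showing how many matching GETs to one destination are needed before that rule can alert and why testing without the filter isolates the `flow` option. The fixed-window reset logic, the sample timestamps and the destination IP are assumptions constructed for illustration, not Snort source code or captured traffic.

```python
"""Simplified model of Snort's detection_filter rule option (illustrative only)."""


class DetectionFilter:
    """Tracks rule matches per tracked IP and gates alert generation."""

    def __init__(self, count, seconds):
        self.count = count        # matches that must be exceeded in the window
        self.seconds = seconds    # length of the sampling window
        self._state = {}          # tracked IP -> (window_start, matches_seen)

    def allows_alert(self, tracked_ip, now):
        start, seen = self._state.get(tracked_ip, (now, 0))
        # Assumption: a fixed window that restarts once it has expired.
        if now - start >= self.seconds:
            start, seen = now, 0
        seen += 1
        self._state[tracked_ip] = (start, seen)
        # Only matches beyond `count` inside one window produce an event.
        return seen > self.count


def alerts_for(matches, count=14, seconds=15):
    """matches: list of (timestamp, dst_ip) where flow and content options matched.

    Returns the subset of matches that would generate an alert.
    """
    flt = DetectionFilter(count, seconds)
    return [(ts, dst) for ts, dst in matches if flt.allows_alert(dst, ts)]


# Constructed sample traffic (documentation address, not real data).
DST = "203.0.113.10"
single_visit = [(0.0, DST), (0.4, DST), (1.1, DST)]       # one page load
burst = [(i * 0.5, DST) for i in range(20)]               # 20 GETs in 10 s
slow_beacon = [(i * 2.0, DST) for i in range(30)]         # 1 GET every 2 s

if __name__ == "__main__":
    for name, traffic in [("single_visit", single_visit),
                          ("burst", burst),
                          ("slow_beacon", slow_beacon)]:
        print(name, "matches:", len(traffic),
              "alerts:", len(alerts_for(traffic)))
```

With `count=0` the model alerts on every match, which corresponds to testing the rule with the `detection_filter` option removed.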

