Snort mailing list archives
Re: Mcafee IDS rule processing
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Wed, 17 Feb 2016 04:01:24 +0000
Unfortunately, we have no idea how the mcafee engine is parsing our rules, and obviously it is not parsing them correctly, as the pcre clearly defines that this alert shouldn't have taken place.

--
Joel Esler
iPhone

On Feb 16, 2016, at 10:50 PM, Adrian Good <itsa.aacgood () gmail com> wrote:

Hi all,

I am attempting to troubleshoot a particular snort rule that has been added to a custom attack set on our Mcafee IDS, and I am hoping that someone can point me in the right direction.

The rule is below (sid:31229):

alert tcp any any -> any [36,80,81,82,83,84,85,86,87,88,89,90,311,383,555,591,593,631,801,808,818,901,972,1158,1220,1414,1533,1741,1830,1942,2231,2301,2381,2578,2809,2980,3029,3037,3057,3128,3443,3702,4000,4343,4848,5000,5117,5250,5600,6080,6173,6988,7000,7001,7071,7144,7145,7510,7770,7777,7778,7779,8000,8008,8014,8028,8080,8081,8082,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8333,8344,8500,8509,8800,8888,8899,8983,9000,9060,9080,9090,9091,9111,9290,9443,9999,10000,11371,12601,13014,15489,29991,33300,34412,34443,34444,41080,44449,50000,50002,51423,53331,55252,55555,56712] (msg:"EXPLOIT-KIT Bleeding Life exploit kit outbound Adobe Flash exploit request"; flow:to_server,established; content:"/modules/"; fast_pattern:only; http_uri; pcre:"/\/modules\/(n?\d|nu)\.swf$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31229; rev:1;)

The content from the PCAP is the following:

GET http://player.ooyala.com/static/modules/start_screen-fc89fba4b9d2b24da65dad518a40ede5c8441d7deeb4bf33d0c2ca747bedb700.swf HTTP/1.1
Host: player.ooyala.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36
X-Requested-With: ShockwaveFlash/18.0.0.209
Accept: */*
Referer: http://www.skynews.com.au/news/top-stories/2016/02/04/coalition-mps-seek-turnbull-tax-answers.html
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-AU,en;q=0.8
Cookie: BCSI-CS-c87fda4ff6f22bb5=2; BCSI-CS-8d18d10a705be693=2; BCSI-CS-3d562a66fecc35f6=2

The kicker is that the IDS is showing a Translation Warning for this rule which states: "Ignored snort option(s): fast_pattern".

Looking into the pcre regex I can't seem to get it to match what the full HTTP GET request is (unless my regex troubleshooting is flawed), so I am assuming that the pcap is matching the "content" (/modules/) and, with fast_pattern effectively off, it's making a positive match based on the "content" alone and skipping over "pcre".

Would this assumption be correct, or is anyone able to tell me how rule processing would work with "content", "pcre" and "no fast_pattern" for this particular rule?

I hope I have been able to put the question clearly; if not, please let me know.

Many thanks
-Adrian
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
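To make the evaluation order in Adrian's question concrete, the following is an added Python example (not code from the thread or from Snort): it applies the sid:31229 content and pcre checks, in the order Snort evaluates them, to the request line from the pcap and to a few constructed request lines. It assumes the raw request target can stand in for Snort's normalized URI buffer for these inputs, which contain no encoded characters.

```python
import re

# Options from sid:31229 as quoted in the thread. The /U modifier means the
# pcre is evaluated against the normalized URI buffer, the same buffer that
# http_uri selects for the content match.
CONTENT = b"/modules/"
PCRE = re.compile(rb"/modules/(n?\d|nu)\.swf$")

# Request line from the pcap in the thread (proxy-style absolute URI).
PCAP_REQUEST_LINE = (
    b"GET http://player.ooyala.com/static/modules/start_screen-"
    b"fc89fba4b9d2b24da65dad518a40ede5c8441d7deeb4bf33d0c2ca747bedb700.swf HTTP/1.1"
)


def request_uri(request_line: bytes) -> bytes:
    """Return the request target from an HTTP request line.

    Assumption: the target needs no further normalization here (no
    percent-encoding, no dot segments), so it stands in for http_uri.
    """
    _method, target, _version = request_line.split(b" ", 2)
    return target


def evaluate_sid_31229(request_line: bytes) -> dict:
    """Apply the rule's payload options in Snort's order and report each step.

    Options are evaluated left to right: the pcre only runs once the content
    has matched, and the rule fires only when every option matches.
    fast_pattern:only makes this content the prefilter for the multi-pattern
    matcher (and skips re-checking it during option evaluation); the remaining
    options, here the pcre, must still match before an alert is raised.
    """
    uri = request_uri(request_line)
    content_hit = CONTENT in uri
    pcre_hit = content_hit and PCRE.search(uri) is not None
    return {"uri": uri, "content": content_hit, "pcre": pcre_hit,
            "alert": content_hit and pcre_hit}


if __name__ == "__main__":
    for line in (PCAP_REQUEST_LINE,
                 b"GET /modules/n3.swf HTTP/1.1",        # constructed: alerts
                 b"GET /modules/nu.swf?v=1 HTTP/1.1"):   # constructed: $ anchor fails
        print(evaluate_sid_31229(line))
```

The pcap request satisfies the content option but not the pcre, so a rule processed as written produces no alert; an engine that alerts on it is not honouring the pcre.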
Current thread:
- Mcafee IDS rule processing Adrian Good (Feb 16)
- Re: Mcafee IDS rule processing Joel Esler (jesler) (Feb 16)
