
I'm having trouble reading a rule. Specifically, where is a flowbits GROUP_NAME defined?

I was reviewing my squert screens from securityonion and noticed the following:

3618 ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 12

The SID for this is 2017936

The rule is:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 12"; flow:to_server,established; flowbits:isset,ET.gh0stFmly; content:"|78 9c|"; depth:2; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&;ThreatID=-2147325231; reference:md5,3b1abb60bafbab204aeddf8acdf58ac9; classtype:trojan-activity; sid:2017936; rev:4;)

However, I cannot grep any string "ET.gh0stFmly" in /etc or in /nsm other than in the downloaded.rules.

Further reviewing the 'flowbits' idea, I think my problem lies in a fairly basic misunderstanding of what 'flowbits' are.

Are flowbits 'created' on-the-fly for a given rule as it were? Or are they globally predefined somewhere? If so, where?

For example, given rule:

alert tcp any 143 -> any any (msg:"IMAP login"; content:"OK LOGIN"; flowbits:set,logged_in)

is the flowbit 'logged_in' created and then set? Or is the flowbit 'logged_in' predefined and the flowbit snippet is just setting it? If 'logged_in' is predefined, then where is that done?

As a followup on the flowbit GROUP_NAME parameter, assuming that flowbits are dynamically created, then is the GROUP_NAME a way of 'grouping' related flowbits? If so, can the same flowbit name be used in different GROUP_NAMEs?

So, back to my problem with SID: 2017936. In the flowbit snippet "flowbits:isset,ET.gh0stFmly", is the 'ET.gh0stFmly' the flowbit name? Or is it a GROUP_NAME?

I hope this is clear, if not I'll be happy to clarify.

thx


Your first assumption is correct. Flowbits are set dynamically by a Snort rule and are not predefined in any additional configuration file. Once set, they track the TCP stream until its conclusion or until they are unset or cleared by another rule in the rule set.

The GROUP_NAME parameter is a way of grouping flowbits. Additionally, there are options for the flowbits keyword to take action on all flowbits set in a group. For instance, flowbits: setx, bit1, doc would set bit1 and clear any other flowbit in the doc group. In your rule, flowbits:isset,ET.gh0stFmly, ET is separated from gh0stFmly with a period, not a comma; therefore this is simply the name of the flowbit, and this flowbit is not set as part of a group and would be set in the default group.

You should have another Snort rule in your rule set that contains something like flowbits: set,ET.gh0stFmly. If you do not have a rule with this information, then the criteria of the rule listed above will never be met and you will never get an alert from the rule.

Additional information on Flowbits can be found here

leprachuan
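To make the answer's points concrete (bits are created on the fly per flow by a set, isset only passes on a flow where an earlier rule set the bit, and setx only clears bits in its own group), here is an added toy evaluator that mimics Snort's flowbits semantics. It is not Snort's code; the setter rule, the flow tuples and the payloads are constructed for the example, and the SID 2017936 rule is reduced to its content and flowbits options.

```python
from collections import defaultdict

# Constructed rule set: (msg, content bytes, flowbits directives).
RULES = [
    # hypothetical setter standing in for the ET rule that sets the bit
    ("Gh0st family handshake (setter)", b"Gh0st", ["set,ET.gh0stFmly"]),
    # the rule from the question, reduced to content + flowbits
    ("ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 12",
     b"\x78\x9c", ["isset,ET.gh0stFmly"]),
    # group semantics: setx sets one bit and clears the others in its group
    ("doc bit1", b"BIT1", ["setx,bit1,doc"]),
    ("doc bit2", b"BIT2", ["setx,bit2,doc"]),
]

class FlowbitState:
    """Per-flow bit store; a flow here is a constructed (client, server) key
    in place of Snort's TCP stream tracking. Bits map to their group name."""
    def __init__(self):
        self.flows = defaultdict(dict)

    def check(self, flow, directive):
        op, _, name = directive.partition(",")   # bare names only
        bits = self.flows[flow]
        if op == "isset":
            return name in bits
        if op == "isnotset":
            return name not in bits
        return True          # set/setx/unset are actions, not tests

    def act(self, flow, directive):
        parts = directive.split(",")
        op, name = parts[0], (parts[1] if len(parts) > 1 else None)
        group = parts[2] if len(parts) > 2 else "default"
        bits = self.flows[flow]
        if op == "set":
            bits[name] = group           # created on first use, no predefinition
        elif op == "setx":
            for other in [b for b, g in bits.items() if g == group and b != name]:
                del bits[other]          # clears only bits in the same group
            bits[name] = group
        elif op == "unset":
            bits.pop(name, None)

def process(state, flow, payload):
    """Return msgs of rules that alert for this payload on this flow."""
    alerts = []
    for msg, content, directives in RULES:
        if content not in payload:       # depth/offset modifiers not modelled
            continue
        if not all(state.check(flow, d) for d in directives):
            continue                     # e.g. isset on a flow with no setter yet
        for d in directives:
            state.act(flow, d)           # actions apply only on a full match
        alerts.append(msg)
    return alerts
```

Running the zlib header payload on a flow that never saw the setter returns no alert, which is the situation the answer describes for a rule set missing the set,ET.gh0stFmly rule.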