
Re: Rules that fire on bad checksums?


From: Will Metcalf <william.metcalf () gmail com>
Date: Wed, 8 Sep 2004 13:07:34 -0500

This is a diff for something we are doing with snort_inline to log
this stuff.  Actually this is a diff against snort-2.3 ;-).  It won't
apply cleanly, so you will have to modify it yourself, but it should
give you some idea of how to get it done.

--- snort-2.3/src/decode.c      2004-09-08 19:47:53.000000000 +0200
+++ snort-2.3.checksums/src/decode.c    2004-09-08 19:39:21.000000000 +0200
@@ -1837,6 +1837,7 @@
     u_int32_t ip_len; /* length from the start of the ip hdr to the pkt end */
     u_int32_t hlen;   /* ip header length */
     u_int16_t csum;   /* checksum */
+    Event event;      /* for checksum alerts */
 
     /* lay the IP struct over the raw data */
     p->iph = (IPHdr *) pkt;
@@ -1982,6 +1983,19 @@
         {
             p->csum_flags |= CSE_IP;
             DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad IP checksum\n"););
+ 
+            if(InlineMode())
+            {
+
+                SetEvent(&event, GENERATOR_SNORT_DECODE, DECODE_BAD_IP_CHKSUM,
+                        1, DECODE_CLASS, 3, 0);
+               CallAlertFuncs(p, DECODE_BAD_IP_CHKSUM_STR, NULL, &event);
+
+
+                DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping
packet with Bad IP checksum\n"););
+                InlineDrop();
+            }
+
         }
 #ifdef DEBUG
         else
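Review bot: The `InlineDrop()` at the end of the new block fires unconditionally whenever the IP checksum fails, with no configuration switch; if this snort tree already has the `pv.decoder_flags` alert/drop toggles the other decoder events use, the `SetEvent`/`CallAlertFuncs` pair and the drop should honor them so an operator can turn the behaviour off. That matters in practice because packets captured on a host with transmit checksum offload carry an unfinished checksum, so an unconditional drop can silently kill legitimate locally generated traffic. Separately, the `DEBUG_WRAP` message is split across two physical lines by mail wrapping (`"Dropping` / `packet with Bad IP checksum\n"`), which is not a valid string literal and has to be rejoined before this compiles. DecodeIP continues outside the hunk.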
@@ -2240,6 +2254,7 @@
     u_int32_t hlen;            /* TCP header length */
     u_short csum;              /* checksum */
     struct pseudoheader ph;    /* pseudo header declaration */
+    Event event;               /* event for checksum alerts */
 
     if(len < 20)
     {
@@ -2350,6 +2365,18 @@
             DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad TCP checksum\n",
                                     "0x%x versus 0x%x\n", csum,
                                     ntohs(p->tcph->th_sum)););
+            if(InlineMode())
+            {     
+
+                SetEvent(&event, GENERATOR_SNORT_DECODE, DECODE_BAD_TCP_CHKSUM,
+                        1, DECODE_CLASS, 3, 0);
+               CallAlertFuncs(p, DECODE_BAD_TCP_CHKSUM_STR, NULL, &event);
+
+
+                DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping
packet with Bad TCP checksum\n"););
+                InlineDrop();
+            }
+
         }
         else
         {
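Review bot: The ten added lines here are the same block that the IP, UDP and ICMP hunks repeat with only the SID and message changed, and the copies already drift (the `CallAlertFuncs` line is indented one column less than its neighbours, and the `{` line carries trailing whitespace); a small static helper taking the SID and message string keeps the four call sites to one line each and gives the drop policy a single place to change. The `DEBUG_WRAP` string is also broken across two lines by mail wrapping and must be rejoined. DecodeTCP starts and ends outside the hunk.

```c
/* Alert on a packet whose checksum failed and, in inline mode, drop it.
 * sid is the DECODE_BAD_*_CHKSUM id, msg the matching _STR message.
 * Caller has already set the CSE_* bit in p->csum_flags. */
static void DropBadChecksum(Packet *p, u_int32_t sid, char *msg)
{
    Event event;

    if(!InlineMode())
        return;

    SetEvent(&event, GENERATOR_SNORT_DECODE, sid, 1, DECODE_CLASS, 3, 0);
    CallAlertFuncs(p, msg, NULL, &event);

    DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping packet: %s\n", msg););
    InlineDrop();
}

/* … unchanged: DecodeTCP up to the bad-checksum branch … */
            DropBadChecksum(p, DECODE_BAD_TCP_CHKSUM, DECODE_BAD_TCP_CHKSUM_STR);
```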
@@ -2417,6 +2444,7 @@
     u_short csum;
     u_int16_t uhlen;
     struct pseudoheader ph;
+    Event event; /* for checksum alerts */
 
     if(len < sizeof(UDPHdr))
     {
@@ -2523,6 +2551,19 @@
         {
             p->csum_flags |= CSE_UDP;
             DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad UDP Checksum\n"););
+
+            if(InlineMode())
+            {     
+
+                SetEvent(&event, GENERATOR_SNORT_DECODE, DECODE_BAD_UDP_CHKSUM,
+                        1, DECODE_CLASS, 3, 0);
+               CallAlertFuncs(p, DECODE_BAD_UDP_CHKSUM_STR, NULL, &event);
+
+
+                DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping
packet with Bad UDP checksum\n"););
+                InlineDrop();
+            }
+
         }
         else
         {
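Review bot: Before this block drops a datagram, make sure the checksum test that precedes it (outside the hunk) still treats a zero `uh_chk` as "no checksum" per RFC 768; otherwise every IPv4 UDP sender that legitimately omits the checksum is cut off as soon as inline mode is on, and the hunk only shows the failure branch so I cannot confirm this from here. A comment on the `if(InlineMode())` line would make the assumption visible to the next reader, e.g. `/* NOTE: assumes a zero uh_chk was already accepted as "no checksum" above */`. The `DEBUG_WRAP` string is split by mail wrapping and needs rejoining. DecodeUDP continues outside the hunk.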
@@ -2561,6 +2602,7 @@
 {
     u_int16_t csum;
     u_int16_t orig_p_caplen;
+    Event event; /* for checksum alerts */
 
     if(len < ICMP_HEADER_LEN)
     {
@@ -2692,6 +2734,19 @@
             p->csum_flags |= CSE_ICMP;
 
             DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad ICMP Checksum\n"););
+ 
+            if(InlineMode())
+            {     
+
+                SetEvent(&event, GENERATOR_SNORT_DECODE,
DECODE_BAD_ICMP_CHKSUM,
+                        1, DECODE_CLASS, 3, 0);
+               CallAlertFuncs(p, DECODE_BAD_ICMP_CHKSUM_STR, NULL, &event);
+
+
+                DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping
packet with Bad ICMP checksum\n"););
+                InlineDrop();
+            }
+
         }
         else
         {
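Review bot: The new block calls `InlineMode()` and `InlineDrop()` without any `#ifdef GIDS` guard; if those are only declared when the inline build is enabled in this tree, a plain (non-inline) build of decode.c will fail to link or compile, so either wrap the block the way the existing inline call sites are wrapped or confirm the stubs exist for passive builds. The `SetEvent` argument list and the `DEBUG_WRAP` string are both broken across lines by mail wrapping; the former is harmless C, the latter is not and must be rejoined. DecodeICMP starts and ends outside the hunk.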
--- snort-2.3/src/generators.h  2004-09-08 19:47:53.000000000 +0200
+++ snort-2.3.checksums/src/generators.h        2004-09-08 17:05:48.000000000 +0200
@@ -164,6 +164,11 @@
 #define     DECODE_BAD_TR_MR_LEN                  142
 #define     DECODE_BAD_TRHMR                      143
 
+#define     DECODE_BAD_IP_CHKSUM                  150
+#define     DECODE_BAD_TCP_CHKSUM                 151
+#define     DECODE_BAD_UDP_CHKSUM                 152
+#define     DECODE_BAD_ICMP_CHKSUM                153
+
 #define GENERATOR_SPP_SCAN2         117
 #define     SCAN_TYPE                             1
 
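Review bot: The four new SIDs 150–153 are placed after a gap following 143 with nothing in the header reserving them, so a later upstream decoder event can land on the same numbers; a one-line comment would flag that, e.g. `/* 150-153: checksum failures (snort_inline drop); keep clear of upstream ids */`. They will presumably also need matching gid 116 entries in gen-msg.map for unified/barnyard output to resolve the message text, but that file is not part of this diff.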
@@ -348,6 +353,12 @@
 #define DECODE_BAD_TR_MR_LEN_STR "(snort_decoder) WARNING: Bad Token
Ring MRLENHeader!"
 #define DECODE_BAD_TRHMR_STR "(snort_decoder) WARNING: Bad Token Ring
MR Header!"
 
+#define DECODE_BAD_IP_CHKSUM_STR "(snort_decoder) WARNING: Bad IP Checksum!"
+#define DECODE_BAD_TCP_CHKSUM_STR "(snort_decoder) WARNING: Bad TCP Checksum!"
+#define DECODE_BAD_UDP_CHKSUM_STR "(snort_decoder) WARNING: Bad UDP Checksum!"
+#define DECODE_BAD_ICMP_CHKSUM_STR "(snort_decoder) WARNING: Bad ICMP
Checksum!"
+
+
 
 #define SCAN2_PREFIX_STR "(spp_portscan2) Portscan detected from "
 
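Review bot: `DECODE_BAD_ICMP_CHKSUM_STR` at the end of the hunk is split across two physical lines by mail wrapping, with no backslash continuation and the string literal itself broken, so the header will not compile as pasted; rejoin it as `#define DECODE_BAD_ICMP_CHKSUM_STR "(snort_decoder) WARNING: Bad ICMP Checksum!"`. Since the decoder only raises these four events immediately before `InlineDrop()`, consider putting the verdict in the text so an analyst reading the alert knows the packet did not reach the host, e.g. `"(snort_decoder) WARNING: Bad TCP Checksum (dropped)!"`.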




On Wed, 08 Sep 2004 13:47:32 -0400, Chris Green <cmg () uab edu> wrote:
Martin Roesch <roesch () sourcefire com> writes:

You'd need to write a detection plugin that checks the status of the
checksum flags in the packet struct.   Something like:


All you need to do is write the badcksum plugin and you'll be all
set. :)

It might be a bit more invasive than that, because if Snort verifies
checksums at all, a packet with a bad checksum skips the rule engine entirely.

You'll have to add something that makes all the other rules validate
the checksum by default and then have your badchecksum plugin.  Dunno
how much things have changed but I doubt anyone has tackled that stuff
lately :)

The quickest route for doing that would probably be a preprocessor
that alerted on bad checksums.

Cheers,
Chris
--
Chris Green <cmg () dok org>
Warning: time of day goes back, taking countermeasures.








