Snort mailing list archives
Re: More fun with IP Option lrsse
From: Todd Wease <twease () sourcefire com>
Date: Mon, 09 Jul 2007 12:25:50 -0400
Jeffrey Denton wrote:
Snort_test.conf:

    var HOME_NET any
    var EXTERNAL_NET any
    dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
    dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
    preprocessor flow: stats_interval 0 hash 2
    preprocessor stream4: disable_evasion_alerts
    preprocessor stream4_reassemble
    output alert_syslog: LOG_AUTH LOG_ALERT
    include /etc/snort/classification.config
    include /etc/snort/reference.config

    # Rules from misc.rules file
    alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lsrr"; ipopts:lsrr; reference:arachnids,418; reference:bugtraq,646; reference:cve,1999-0510; reference:cve,1999-0909; reference:url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx; classtype:bad-unknown; sid:500; rev:7;)
    alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lsrre"; ipopts:lsrre; reference:arachnids,420; reference:bugtraq,646; reference:cve,1999-0909; reference:url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx; classtype:bad-unknown; sid:501; rev:7;)
    alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route ssrr"; ipopts:ssrr; reference:cve,1999-0510; classtype:bad-unknown; sid:502; rev:4;)

The tool sendip needs a hostname. /etc/hosts:

    192.168.1.2 storage

    # snort -c /etc/snort/snort_test.conf -i eth0

Sid:500 and sid:501 triggered when the following command is run:

    # sendip -p ipv4 -is 192.168.1.1 -id 192.168.1.2 -iolsr 04:192.168.1.1 -ioeol -p tcp -ts 1025 -td 21 storage

Sid:502 triggered when the following command is run:

    # sendip -p ipv4 -is 192.168.1.1 -id 192.168.1.2 -iossr 04:192.168.1.1 -ioeol -p tcp -ts 1025 -td 21 storage

I was unable to get sid:501 to trigger with the following command:

    # sendip -p ipv4 -is 192.168.1.1 -id 192.168.1.2 -ionum 84 -ionop -ioeol -p tcp -ts 1025 -td 21 storage

http://www.cochiselinux.org/files/lsrr.pcap

This file contains four packets with the IP option for lsrr. Sid:500 and sid:501 are triggered when the following command is run:

    # snort -c snort_test.conf -r lsrr.pcap

http://www.cochiselinux.org/files/lsrre.pcap

I used netdude to change the IP option value from 131 (0x83) to 132 (0x84). I was unable to get sid:501 to trigger with the following command:

    # snort -c snort_test.conf -r lsrre.pcap
Thanks for pointing this out, Jeffrey. The problem is in the parsing code in detection-plugins/sp_ipoption_check.c line 163:

    else if(!strncasecmp(data, "lsrr", 4))
    {
        ds_ptr->ip_option = IPOPT_LSRR;
        return;
    }
    else if(!strncasecmp(data, "lsrre", 5))
    {
        ds_ptr->ip_option = IPOPT_LSRR_E;
        return;
    }

'lsrre' was matching at the first condition. Not sure yet what release the fix will go in, but in the meantime the attached patch can be used.

Thanks

Todd
Index: src/detection-plugins/sp_ipoption_check.c =================================================================== RCS file: /usr/cvsroot-snort/snort/src/detection-plugins/sp_ipoption_check.c,v retrieving revision 1.16 diff -p -u -r1.16 sp_ipoption_check.c --- src/detection-plugins/sp_ipoption_check.c 20 Oct 2003 15:03:30 -0000 1.16 +++ src/detection-plugins/sp_ipoption_check.c 9 Jul 2007 16:22:36 -0000 @@ -160,14 +160,14 @@ void ParseIpOptionData(char *data, OptTr ds_ptr->ip_option = IPOPT_SECURITY; return; } - else if(!strncasecmp(data, "lsrr", 4)) + else if(!strncasecmp(data, "lsrre", 5)) { - ds_ptr->ip_option = IPOPT_LSRR; + ds_ptr->ip_option = IPOPT_LSRR_E; return; } - else if(!strncasecmp(data, "lsrre", 5)) + else if(!strncasecmp(data, "lsrr", 4)) { - ds_ptr->ip_option = IPOPT_LSRR_E; + ds_ptr->ip_option = IPOPT_LSRR; return; } else if(!strncasecmp(data, "satid", 5))
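Review bot: swapping the two branches fixes the reported symptom, but the root cause in this hunk is that `strncasecmp(data, "lsrr", 4)` is a prefix test, not a whole-token test, so any keyword beginning with those four characters (`lsrrx`, `lsrrfoo`) still parses as `IPOPT_LSRR`, and the `"lsrre", 5` and `"satid", 5` branches have the same property. A more robust fix is to compare the complete token, e.g. `else if(!strcasecmp(data, "lsrre"))` / `else if(!strcasecmp(data, "lsrr"))` after trimming surrounding whitespace, or to additionally require `data[4] == '\0'` for the `lsrr` case; that also makes the result independent of branch order, so the next option name that shares a prefix cannot reintroduce this bug.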
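The following is an added example, not Snort's code or the attached patch, showing in C why the original branch order mis-parses `lsrre` and how a whole-token comparison avoids it, together with a small IPv4 options walker run against the option bytes the thread's sendip/netdude commands produce. The `0x84` code for the `lsrre` variant is an assumption taken from Jeffrey's edit of 131 to 132; the actual Snort `IPOPT_LSRR_E` constant is not shown on this page. The sample option bytes are constructed here.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Option type codes as they appear on the wire. LSRR (0x83) and SSRR (0x89)
 * are RFC 791 values. 0x84 for the "lsrre" variant is an ASSUMPTION taken from
 * the thread (option byte rewritten from 131 to 132), not a standard code. */
#define OPT_EOL      0x00
#define OPT_NOP      0x01
#define OPT_LSRR     0x83
#define OPT_LSRR_E   0x84
#define OPT_SSRR     0x89
#define OPT_UNKNOWN  (-1)

/* Same shape as the original ParseIpOptionData: prefix matching with
 * strncasecmp, "lsrr" tested before "lsrre". "lsrre" therefore takes the
 * first branch and the rule silently becomes an lsrr rule. */
static int parse_buggy(const char *data)
{
    if (!strncasecmp(data, "lsrr", 4))  return OPT_LSRR;
    if (!strncasecmp(data, "lsrre", 5)) return OPT_LSRR_E;
    if (!strncasecmp(data, "ssrr", 4))  return OPT_SSRR;
    return OPT_UNKNOWN;
}

/* Hardened version: copy out the whole keyword token and compare it in full,
 * so branch order no longer matters and "lsrrx" is rejected, not accepted. */
static int parse_strict(const char *data)
{
    char tok[16];
    size_t n = 0;
    while (*data && isspace((unsigned char)*data)) data++;
    while (data[n] && !isspace((unsigned char)data[n]) && data[n] != ';'
           && n < sizeof tok - 1) {
        tok[n] = data[n];
        n++;
    }
    tok[n] = '\0';
    if (!strcasecmp(tok, "lsrr"))  return OPT_LSRR;
    if (!strcasecmp(tok, "lsrre")) return OPT_LSRR_E;
    if (!strcasecmp(tok, "ssrr"))  return OPT_SSRR;
    return OPT_UNKNOWN;
}

/* Walk the IPv4 options area (the bytes after the 20-byte fixed header) and
 * report whether option type `want` is present. A truncated option or a bad
 * length byte stops the walk instead of reading past the buffer. */
static int has_ip_option(const uint8_t *opts, size_t len, int want)
{
    size_t i = 0;
    while (i < len) {
        uint8_t type = opts[i];
        if (type == OPT_EOL) return 0;
        if (type == OPT_NOP) { i++; continue; }
        if (i + 1 >= len) return 0;               /* no length byte present */
        uint8_t olen = opts[i + 1];
        if (olen < 2 || i + olen > len) return 0; /* malformed length */
        if (type == want) return 1;
        i += olen;
    }
    return 0;
}

/* Constructed sample: the options `sendip -iolsr 04:192.168.1.1 -ioeol`
 * emits: type 0x83, length 7, pointer 4, one hop address, then EOL. */
static const uint8_t sample_lsrr[]  = { 0x83, 0x07, 0x04, 192, 168, 1, 1, 0x00 };
/* The same bytes with the type rewritten to 0x84, as done with netdude. */
static const uint8_t sample_lsrre[] = { 0x84, 0x07, 0x04, 192, 168, 1, 1, 0x00 };

/* Would a rule written as `ipopts:<kw>` fire on these options under `parse`? */
static int rule_fires(int (*parse)(const char *), const char *kw,
                      const uint8_t *opts, size_t len)
{
    int want = parse(kw);
    return want != OPT_UNKNOWN && has_ip_option(opts, len, want);
}

int main(void)
{
    printf("buggy  ipopts:lsrre vs 0x84 packet -> %d\n",
           rule_fires(parse_buggy,  "lsrre", sample_lsrre, sizeof sample_lsrre));
    printf("strict ipopts:lsrre vs 0x84 packet -> %d\n",
           rule_fires(parse_strict, "lsrre", sample_lsrre, sizeof sample_lsrre));
    printf("buggy  ipopts:lsrre vs 0x83 packet -> %d\n",
           rule_fires(parse_buggy,  "lsrre", sample_lsrr,  sizeof sample_lsrr));
    return 0;
}
```

Under `parse_buggy` the `lsrre` rule fires on the 0x83 packets and stays silent on the 0x84 packets, which is exactly the sid:501 behaviour Jeffrey reports; `parse_strict` reverses both results and also rejects near-miss keywords instead of mapping them to the nearest prefix.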
Current thread:
- More fun with IP Option lrsse Jeffrey Denton (Jul 08)
- Re: More fun with IP Option lrsse Todd Wease (Jul 09)