Snort mailing list archives

[PATCH] Add non-IP layer 3 detection via new 'ether_type' keyword and 'eth' protocol


From: Joshua Kinard <kumba () gentoo org>
Date: Sun, 13 Nov 2011 16:37:57 -0500


Hi snort-devel,

I decided to play around some more in src/decode.c, and got to thinking,
with all of these additional Decode* functions that don't seem to see a lot
of use, why not provide some baseline support to at least scan some of the
protocols?

End result is I didn't fiddle with too much in decoder.c, but wound up
adding a new rule protocol, "eth", and a new rule option, "ether_type".  The
purpose is to open up Snort to detecting things other than IP-based traffic
by leveraging the existing capabilities of the fast-pattern matcher and
detection engine.

I also corrected a minor bug that I found, fixed up some comments, and
converted a few if-elseif-else blocks to switch statements.  I can pass
along stand-alone patches for those if needed.


EXAMPLES:

Rule with content, IPX over VLAN/EthII
alert eth any any -> any any (msg:"VLAN IPX, FTWOOD then COLORLAB";
ether_type:ipx; content:"FTWOOD"; content:"COLORLAB"; distance:10;
sid:43000006; rev:1; priority:1; classtype:bad-unknown; )

PCAP:
http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=vlan.cap.gz

Rule with content, DECnet:
alert eth any any -> any any (msg:"DECNET"; ether_type:decnet;
content:"TYSON"; sid:43000007; rev:1; priority:1; classtype:bad-unknown; )

PCAP: http://packetlife.net/captures/DECnet_Phone.pcap.cap


DOCUMENTATION:

The principle behind these rule types mimics ip any-any and ip_proto-only
rules for the most part, though I added a few hooks to completely avoid the
IP-layer of code if we detect a raw ethernet II frame.  I don't *think* it
impacts performance that much, but I'll be honest, I only have a bunch of
assorted PCAPs to test with.  Aside from a NetWare 6.5 install in a virtual
machine, I don't have much equipment on-hand to generate obscure packets, or
enterprise stuff like FibreChannel over Ethernet.

Treat ether_type like ip_proto in a sense.  There's no src/dst address or
ports for it (theoretically, one could use MAC addresses as src/dst, but
that would require a LOT of code overhauling).  One shouldn't need too many
eth rules in a ruleset, so performance impact should be minimal.

The patch does NOT update the manual for these options.  If someone could
give me a list of the tools/packages needed to build TeX into PDF, that'd be
great.  Making blind updates to it is getting trickier these days.

Quick documentation for ether_type:

ether_type:[op]<type> | <hex_value>;

Where [op] is either '!', '<', or '>'.

Where <hex_value> is a 16-bit, unsigned integer in the format of 0xABCD
(decimal accepted if you want).  Values smaller than 0x600 or larger than
0xffff are not accepted.

OR

Where <type> is one of the following named values:

        xerox   (0x0600) - Xerox NS IDP
        ipv4    (0x0800) - IP version 4
        x75     (0x0801) - X.75 Internet
        nbs     (0x0802) - NBS Internet
        ecma    (0x0803) - ECMA Internet
        chaos   (0x0804) - CHAOSNet
        x25     (0x0805) - X.25 Level 3
        arp     (0x0806) - Address Resolution Protocol
        rarp    (0x0835) - Reverse ARP
        wol     (0x0842) - Wake On LAN
        ax25    (0x08ff) - AX.25 over Ethernet (G8BPQ)
        decnet  (0x6003) - DECnet DNA
        apple   (0x809b) - Appletalk
        aarp    (0x80f3) - Appletalk ARP
        vlan    (0x8100) - VLAN Tagged 802.1q
        netbeui (0x8191) - NetBEUI
        ipx     (0x8137) - Novell IPX/SPX
        snmp    (0x814c) - SNMP over Ethernet
        ipv6    (0x86dd) - IP version 6
        slow    (0x8809) - Slow Protocols
        ppp     (0x880b) - Point-to-Point Protocol
        mpls    (0x8847) - MPLS Unicast
        pppoed  (0x8863) - PPP over Ethernet Discovery
        pppoes  (0x8864) - PPP over Ethernet Session
        eapol   (0x888e) - EAPOL (EAP over LAN), IEEE 802.1x
        aoe     (0x88a2) - ATA over Ethernet
        lldp    (0x88cc) - Logical Link Discovery Protocol
        fcoe    (0x8906) - FibreChannel over Ethernet
        fip     (0x8914) - FCoE Initialization Protocol
        tte     (0x891d) - TTEthernet
        loop    (0x9000) - Loopback



IMPLEMENTATION NOTES:

Standard Ethernet II frames: Works.  Not much explanation needed.  You can
specify "ipv4", "ipv6", or "vlan" if you really want to, but it doesn't make
a whole lot of sense.

VLAN-Tagged frames: Works by falling through to check the VLAN ethertype,
ignoring the Eth_II frame version by virtue of being called via DecodeVlan().

MPLS Frames: SHOULD work IF there is NO PW Control Word section.  There is a
bug in Snort whereby it does NOT handle PWMCW (RFC 4385) frames correctly,
which creates a 4-byte misalignment because the mpls label pointer is not
incremented properly in this case.  Good thing is, the error checks in
DecodeIP() catch and ignore such a frame.  But this probably needs fixing.
I don't know enough about MPLS to properly fix it.

GRE encapsulation: Should work, lightly tested.  It's hard to find
non-encrypted (non-IPSEC) GRE packet captures out there with non-IP layer 3
protocols.

Transbridging Eth II: Should work, but untested.  Per the comments in
src/decode.c, it's largely the same as standard Ethernet II.

Wireless: NOT WORKING.  Wireless runs on top of IEEE 802.3 LLC/SNAP frames,
from what I can tell.  I thought those died with IPX, but it turns out,
802.3/SNAP is the newer frame format.  Ethernet II is the older stuff.  Hah.
So you won't be able to detect non-IP protocols over Wireless right now.  I
have plans to take the LLC code from both DecodeVlan and the 802.11 decoder,
create DecodeEthLlc() and DecodeEthSnap() to centralize that some, and then
add the bits to scan non-IP protocols (like IPX over 802.3 LLC, 802.2
(SNAP), but not 802.3 Raw).

Token Ring, FDDI, other odd frames: Not supported.  They're not Ethernet II,
mostly deprecated, so no real value gained from attempting to implement
them.  Though, it wouldn't be too hard to do so with this patch in place.


If anyone finds any bugs, please let me know.  The attached patch applies on
top of snort-2.9.2-beta.


Enjoy!

-- 
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic

Attachment: snort-2.9.2-ether_type-support.patch
Description:

Attachment: signature.asc
Description: OpenPGP digital signature
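The following is an added illustration of the ether_type semantics described in this post (the `[op]<type> | <hex_value>` argument with its 0x600..0xffff range, the VLAN fall-through, and the unscanned 802.3 LLC/SNAP case); it is not code from the attached patch or from Snort. The function names are my own, and the sample frames are constructed here rather than taken from the linked captures.

```python
import struct

# Named values exactly as listed in the post's ether_type documentation.
ETHER_TYPES = {
    "xerox": 0x0600, "ipv4": 0x0800, "x75": 0x0801, "nbs": 0x0802, "ecma": 0x0803,
    "chaos": 0x0804, "x25": 0x0805, "arp": 0x0806, "rarp": 0x0835, "wol": 0x0842,
    "ax25": 0x08ff, "decnet": 0x6003, "apple": 0x809b, "aarp": 0x80f3, "vlan": 0x8100,
    "netbeui": 0x8191, "ipx": 0x8137, "snmp": 0x814c, "ipv6": 0x86dd, "slow": 0x8809,
    "ppp": 0x880b, "mpls": 0x8847, "pppoed": 0x8863, "pppoes": 0x8864, "eapol": 0x888e,
    "aoe": 0x88a2, "lldp": 0x88cc, "fcoe": 0x8906, "fip": 0x8914, "tte": 0x891d,
    "loop": 0x9000,
}

def parse_ether_type(arg):
    """Parse the option argument '[op]<type> | <hex_value>' into (op, value)."""
    arg = arg.strip().rstrip(";").strip()
    op = ""
    if arg[:1] in ("!", "<", ">"):
        op, arg = arg[0], arg[1:].strip()
    # Named value, else 0xABCD or plain decimal as the post allows.
    value = ETHER_TYPES[arg.lower()] if arg.lower() in ETHER_TYPES else int(arg, 0)
    if not 0x0600 <= value <= 0xFFFF:  # below 0x600 is an 802.3 length, not a type
        raise ValueError(f"ether_type {value:#06x} outside 0x600..0xffff")
    return op, value

def frame_ether_type(frame):
    """EtherType of an Ethernet II frame, stepping past one 802.1Q tag (the DecodeVlan()
    fall-through). Returns None for 802.3 LLC/SNAP frames, which the patch does not scan."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    etype = struct.unpack_from("!H", frame, 12)[0]
    if etype == ETHER_TYPES["vlan"]:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        etype = struct.unpack_from("!H", frame, 16)[0]  # TCI occupies bytes 14..15
    return etype if etype >= 0x0600 else None

def ether_type_matches(option_arg, frame):
    """True if the frame satisfies 'ether_type:<option_arg>'; 802.3 frames never match."""
    op, want = parse_ether_type(option_arg)
    have = frame_ether_type(frame)
    if have is None:
        return False
    return {"!": have != want, "<": have < want, ">": have > want}.get(op, have == want)

# Constructed sample frames (hypothetical MACs; not from the captures linked in the post).
_HDR = bytes.fromhex("ffffffffffff") + bytes.fromhex("0200deadbeef")
IPX_OVER_VLAN = _HDR + bytes.fromhex("8100 000a 8137") + bytes.fromhex("ffff001e")  # VID 10, IPX
DECNET_FRAME = _HDR + bytes.fromhex("6003") + bytes(20)
IPX_8023_LLC = _HDR + bytes.fromhex("001c e0e0 03") + bytes(25)  # 802.3 length field, LLC IPX
```

Note that `ether_type:vlan` does not match the tagged frame here, because the inner type is what the fall-through exposes, which is the behaviour the implementation notes describe.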

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
