[Snort-devel] spp_sicmple

Andreas Östling andreaso at ...387...
Sun Jun 23 12:19:03 EDT 2002


Hello,

Disclaimer:
This program should probably not be taken too seriously.
It's not really finished and it was mostly written to try to learn how to
write a Snort preprocessor, and also to learn some more C. It's not ready
for production use yet (and perhaps never will be?). Use at your own risk
and beware of fatal brain damage, blah blah blah, yada yada yada.
Feedback is much appreciated anyway.

spp_sicmple is a very simple Snort preprocessor that keeps state on some
ICMP query/response type packets. This means that Snort will generate an
alert when it sees a reply packet without first seeing its request.
At the moment, echo request/echo reply are the only types fully (or
almost fully) supported. spp_sicmple can be used to detect
misconfigured routers/hosts and some covert channels (e.g. the most common
versions of Stacheldraht) etc etc.
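The request/reply state tracking described above, written out as an added stand-alone C example (this is not spp_sicmple's own code and does not use the Snort preprocessor API): a fixed-size table of outstanding echo requests keyed on the two addresses plus the ICMP identifier and sequence number, entries expired after the 20-second state timeout and capped at 1000 states as in the config printed later in the post, and an alert for any echo reply that no tracked request explains. The packet struct, the tracker/function names and the replayed trace are constructed for this example; the 6666 identifier and the 192.168.1.1 / 10.0.0.1 pair mirror the alert shown at the end of the post.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ICMP_ECHO_REPLY   0
#define ICMP_ECHO_REQUEST 8
#define MAX_STATES        1000   /* "Max number of states" from the post's config */
#define STATE_TIMEOUT     20     /* "State timeout" in seconds */

/* One outstanding echo request we are still waiting to see answered. */
typedef struct {
    uint32_t src, dst;   /* IPv4 addresses of the request, host byte order */
    uint16_t id, seq;    /* ICMP echo identifier and sequence number */
    uint32_t ts;         /* time the request was seen, in seconds */
    int in_use;
} echo_state_t;

/* Tracker table plus the counters behind the post's "Sicmple Stats". */
typedef struct {
    echo_state_t slots[MAX_STATES];
    unsigned requests, replies, matched, unmatched, table_full;
} tracker_t;

/* Constructed, already-decoded ICMP packet (hypothetical type for this example). */
typedef struct {
    uint32_t src, dst;
    uint8_t  type;
    uint16_t id, seq;
    uint32_t ts;
} icmp_pkt_t;

void tracker_init(tracker_t *t) { memset(t, 0, sizeof *t); }

/* Drop states older than the timeout so a very late reply is still reported. */
static void expire_states(tracker_t *t, uint32_t now) {
    for (int i = 0; i < MAX_STATES; i++)
        if (t->slots[i].in_use && now - t->slots[i].ts > STATE_TIMEOUT)
            t->slots[i].in_use = 0;
}

/* Feed one packet; returns 1 when an "unauthorized reply" alert should fire. */
int tracker_process(tracker_t *t, const icmp_pkt_t *p) {
    expire_states(t, p->ts);

    if (p->type == ICMP_ECHO_REQUEST) {
        t->requests++;
        for (int i = 0; i < MAX_STATES; i++) {
            if (!t->slots[i].in_use) {
                t->slots[i] = (echo_state_t){ p->src, p->dst, p->id, p->seq, p->ts, 1 };
                return 0;
            }
        }
        t->table_full++;          /* no free slot: this request goes untracked */
        return 0;
    }

    if (p->type == ICMP_ECHO_REPLY) {
        t->replies++;
        for (int i = 0; i < MAX_STATES; i++) {
            echo_state_t *s = &t->slots[i];
            /* A reply matches when it travels the reverse path with the same id/seq. */
            if (s->in_use && s->src == p->dst && s->dst == p->src &&
                s->id == p->id && s->seq == p->seq) {
                s->in_use = 0;    /* consume the state: one request, one reply */
                t->matched++;
                return 0;
            }
        }
        t->unmatched++;
        return 1;
    }
    return 0;                     /* other ICMP types are not query/response pairs */
}

/* Replay a constructed trace and return how many alerts it raises. */
int run_demo(void) {
    tracker_t t;
    tracker_init(&t);
    const uint32_t host = 0x0A000001;   /* 10.0.0.1 */
    const uint32_t gw   = 0xC0A80101;   /* 192.168.1.1 */
    const icmp_pkt_t trace[] = {
        { host, gw, ICMP_ECHO_REQUEST, 1,    1, 0  },  /* a normal ping ... */
        { gw, host, ICMP_ECHO_REPLY,   1,    1, 1  },  /* ... and its reply: no alert */
        { gw, host, ICMP_ECHO_REPLY,   6666, 0, 2  },  /* reply never requested: alert */
        { host, gw, ICMP_ECHO_REQUEST, 2,    1, 3  },
        { gw, host, ICMP_ECHO_REPLY,   2,    1, 30 },  /* answered after the timeout: alert */
    };
    int alerts = 0;
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++)
        if (tracker_process(&t, &trace[i]))
            alerts++;
    printf("requests %u replies %u matched %u unmatched %u table_full %u\n",
           t.requests, t.replies, t.matched, t.unmatched, t.table_full);
    return alerts;
}

int main(void) { return run_demo() == 2 ? 0 : 1; }
```

The trace deliberately includes the two ways a reply ends up "unauthorized": a reply whose request was never seen, and a reply that arrives after its state has timed out. A preprocessor like this lives or dies on the timeout and table-size choices, since a too-short timeout turns slow links into false positives and a full table silently stops tracking new requests (the `table_full` counter is what makes that visible).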

It only works with Snort 1.8.7beta and later and has only been tested on
OpenBSD/i386. See the README for more info. The really brave can download
a snapshot from ftp://ftp.su.se/pub/users/andreas/spp_sicmple/

It seems like I've duplicated a lot of the work already done in
spp_conversation, which I did not even know existed until about 15 minutes
ago, oh well... :P


Example output when running on a pcap containing Stacheldraht
communication (grabbed from a recent intrusion):

$ ./snort -A fast -d -l log -c snort.conf -r /tmp/junk.bin
Log directory = log
TCPDUMP file reading mode.
Reading network traffic from "/tmp/junk.bin" file.
snaplen = 1500

        --== Initializing Snort ==--
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
sicmple v0.0.7 (SNAPSHOT) starting with config:
    State timeout: 20 seconds
    Max number of states: 1000
0 Snort rules read...
0 Option Chains linked into 0 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Rule application order: ->activation->dynamic->alert->pass->log

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8.7beta6 (Build 121)
By Martin Roesch (roesch at ...402..., www.snort.org)

Sicmple Stats:
total number of icmp packets received:               995
number of partly broken icmp packets:                0          (0.000%)
number of supported requests processed:              51
number of supported replies processed:               175
number of replies that matched a state:              24         (13.714%)
number of replies that didn't match a state:         151        (86.286%)
number of times everything but the payload matched:  0          (0.000%)
number of icmp packets of non-query/request type:    769        (77.286%)
the highest number of states we had:                 15
number of times state table was full:                0

===============================================================================

Snort processed 314236 packets.
Breakdown by protocol:                Action Stats:

    TCP: 190898     (60.750%)         ALERTS: 151
    UDP: 121845     (38.775%)         LOGGED: 151
   ICMP: 995        (0.317%)          PASSED: 0
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 498        (0.158%)
===============================================================================


$ head log/192.168.1.1/ICMP_ECHO_REPLY

[**] spp_sicmple: Unauthorized reply of type 0 (request not found) [**]
04/13-13:23:41.057324 192.168.1.1 -> 10.0.0.1
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:1044 DF
Type:0  Code:0  ID:6666  Seq:0  ECHO REPLY
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 73 6B 69 6C 6C 7A 00 00 00 00 00 00  ....skillz......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................


Cheers,

Andreas Östling
