[Snort-devel] Re: New RPC Fix Causes many false alarms

Phil Wood cpw at ...117...
Sat Mar 8 16:55:06 EST 2003


-rty, Chris, and Company,

Well, I could not jumpstart on a pr0gramming project this Saturday, so instead
I cobbled up a patch to spp_rpc_decode.c so one can configure source ports to
ignore.

To ignore tcp rpc packets with a source port of 80 or 443:

  preprocessor rpc_decode: 111 32771 80! 443!

To ignore tcp rpc packets with source ports less than 1024:
 
  preprocessor rpc_decode: 111 1024< 32771

I hope the attachment works for you.  I've been running Version 2.0.0beta
(Build 57) for the last 2140 seconds at 1888.04 pps.  Nothing much happens
on Saturday.  But, running with the default rules sets, I have seen 24696
alerts out of 4637071 packets processed.
 
  9967 [1:1881:4] WEB-MISC bad HTTP/1.1 request, Potentially worm attack
  4777 [1:1419:2] SNMP trap udp
  2372 [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited)
  2002 [1:1002:5] WEB-IIS cmd.exe access
  1241 [1:1411:3] SNMP public access udp
   883 [1:1945:1] WEB-IIS unicode directory traversal attempt
   859 [1:499:3] ICMP Large ICMP Packet
   789 [1:1917:3] SCAN UPNP service discover attempt
   577 [1:982:6] WEB-IIS unicode directory traversal attempt
   288 [1:981:6] WEB-IIS unicode directory traversal attempt
   276 [1:983:6] WEB-IIS unicode directory traversal attempt
   275 [1:466:1] ICMP L3retriever Ping
   236 [1:480:2] ICMP PING speedera
   112 [1:483:2] ICMP PING CyberKit 2.2 Windows
    23 [1:628:1] SCAN nmap TCP
    10 [1:1923:2] RPC portmap UDP proxy attempt
     6 [1:1042:6] WEB-IIS view source via translate header
     3 [1:469:1] ICMP PING NMAP

  I guess it's time to optimize my rule set.

Later,

- 
Phil Wood, cpw at ...86...

-------------- next part --------------
--- spp_rpc_decode.c.orig	Sat Mar  8 21:41:33 2003
+++ spp_rpc_decode.c	Sat Mar  8 23:28:55 2003
@@ -91,6 +91,7 @@
 
 static RpcDecodeData rpcpreprocdata; /* Configuration Set */
 static char RpcDecodePorts[65536/8];
+static char RpcIgnorePorts[65536/8];
 
 void RpcDecodeInit(u_char *);
 void RpcDecodeInitIgnore(u_char *);
@@ -163,6 +164,7 @@
 void SetRpcPorts(char *portlist)
 {
     char portstr[STD_BUF];
+    char ignorstr[STD_BUF];
     char **toks;
     int is_reset = 0;
     int num_toks;
@@ -185,7 +187,16 @@
         {
             char *num_p = NULL; /* used to determine last position in string */
             long t_num;
+	    int  lastdigit;
+	    char tweek[4] = {0};
 
+	    lastdigit = *(toks[num] + strlen (toks[num]) - 1);
+
+	    if(!isdigit(lastdigit))
+	    {
+	      *(toks[num] + strlen (toks[num]) - 1) = '\0';
+	      (void)sprintf(tweek, "%c", lastdigit);
+	    }
             t_num = strtol(toks[num], &num_p, 10);
 
             if(*num_p != '\0')
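Review bot: `lastdigit = *(toks[num] + strlen (toks[num]) - 1);` reads one byte before the token whenever toks[num] is the empty string, and whether the tokenizer that fills toks (outside this hunk) can ever yield an empty token is not visible here, so a guard such as `if(*toks[num] == '\0') FatalError("ERROR %s(%d) => Empty port token\n", file_name, file_line);` before the read is cheap insurance. The value is also passed to isdigit() straight from a `char` dereference, which is undefined for a high-bit byte on a signed-char platform; store it as `lastdigit = (unsigned char)toks[num][strlen(toks[num]) - 1];`. A token consisting only of the suffix character (for example `!`) becomes "" after the write at `*(toks[num] + strlen (toks[num]) - 1) = '\0';`, and strtol then returns 0 with num_p == toks[num], so the `*num_p != '\0'` check passes and port 0 is silently configured; extend that condition to `if(num_p == toks[num] || *num_p != '\0')`. SetRpcPorts continues outside the hunk.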
@@ -204,15 +215,50 @@
             if(!is_reset)
             {
                 bzero(&RpcDecodePorts, sizeof(RpcDecodePorts));
+                bzero(&RpcIgnorePorts, sizeof(RpcDecodePorts));
                 portstr[0] = '\0';
+		ignorstr[0] = '\0';
                 is_reset = 1;
             }
 
             /* mark this port as being interesting using some portscan2-type voodoo,
                and also add it to the port list string while we're at it so we can
                later print out all the ports with a single LogMessage() */
+	    if(!isdigit(lastdigit))
+	    {
+		switch (lastdigit)
+		{
+		case '!':
+	    	  RpcIgnorePorts[(t_num/8)] |= 1<<(t_num%8);
+		  break;
+		case '>': /* ignore all source ports greater than t_num */
+		  t_num++;
+		  while (t_num < 65536)
+		  {
+	    	    RpcIgnorePorts[(t_num/8)] |= 1<<(t_num%8);
+		    t_num ++;
+		  }
+		  break;
+		case '<': /* ignore all source ports less than t_num */
+		  while (t_num > 0)
+		  {
+			  t_num--;
+			  RpcIgnorePorts[(t_num/8)] |= 1<<(t_num%8);
+		  }
+		  break;
+		default:  /* give an error */
+		  FatalError("ERROR %s(%d) => Tweek not valid: %s\n",
+		                    file_name, file_line, tweek);
+		  break;
+		}
+	    	strlcat(ignorstr, toks[num], STD_BUF -1);
+	    	strlcat(ignorstr, tweek, STD_BUF -1);
+	    }
+	    else
+	    {
             RpcDecodePorts[(t_num/8)] |= 1<<(t_num%8);
             strlcat(portstr, toks[num], STD_BUF - 1);
+	    }
             strlcat(portstr, " ", STD_BUF - 1);
         }
         else if(!strcasecmp(OPT_ALERT_MULTIPLE_REQUESTS,toks[num]))
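Review bot: The separator append `strlcat(portstr, " ", STD_BUF - 1);` is left outside the new if/else, so every ignore token adds a stray space to portstr and none to ignorstr, and the logged ignore list comes out as `80!443!` instead of `80! 443!`; move that line into the else branch and add `strlcat(ignorstr, " ", STD_BUF - 1);` after the two strlcat calls in the if branch. `bzero(&RpcIgnorePorts, sizeof(RpcDecodePorts));` should size itself with `sizeof(RpcIgnorePorts)` so the two arrays can diverge later without a silent short clear. The `'!'` case indexes the bitmap with t_num directly; the range check that guards the existing RpcDecodePorts write presumably sits in the lines elided between this hunk and the previous one, so confirm it runs before this switch rather than after it. SetRpcPorts continues outside the hunk.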
@@ -241,6 +287,7 @@
 
     /* print out final port list */
     LogMessage("    Ports to decode RPC on: %s\n", portstr);
+    LogMessage("    Source ports to ignore: %s\n", ignorstr);
     LogMessage("    %s: %s\n", OPT_ALERT_FRAGMENTS, rpcpreprocdata.alert_fragments ? "ACTIVE": "INACTIVE");
     LogMessage("    %s: %s\n", TEXT_ALERT_LARGE_FRAGMENTS, rpcpreprocdata.alert_large ? "ACTIVE": "INACTIVE");
     LogMessage("    %s: %s\n", TEXT_ALERT_INCOMPLETE, rpcpreprocdata.alert_incomplete ? "ACTIVE": "INACTIVE");
@@ -271,6 +318,12 @@
     if(!PacketIsTCP(p))
     {
         DEBUG_WRAP(DebugMessage(DEBUG_RPC,"It isn't TCP session traffic\n"););
+        return;
+    }
+
+    /* check the ignore source ports list */
+    if((RpcIgnorePorts[(p->sp/8)] & (1<<(p->sp%8))))
+    {
         return;
     }
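Review bot: The new ignore test keys only on `p->sp`, and the source port is chosen by the remote peer, so an entry on this list disables RPC decoding (and every alert this preprocessor raises) for any TCP segment that happens to carry that source port; that trade-off deserves a comment at the check, e.g. `/* The peer picks its source port, so an ignored port switches RPC decoding off for any segment carrying it; keep the list minimal. */`. For consistency with the branch directly above, a `DEBUG_WRAP(DebugMessage(DEBUG_RPC,"Source port is on the ignore list\n"););` before the return would make the silent skip visible in debug builds. The indexing assumes p->sp is the 16-bit source port; its declaration is not in the hunk, so confirm it cannot exceed 65535. The enclosing function starts outside the hunk.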
 

