[Snort-devel] [PATCH] "sameport" detection keyword (Land attack)

Michael J. Pomraning mjp-snort at ...806...
Wed Mar 9 22:34:41 EST 2005


The attached adds "sameport" (sp_sameport_check.c) to snort-2.3.1, analogous
to the "sameip" keyword from which it heavily borrows.  Works for TCP and UDP
rules, throwing parse-time error on other protocols.

I figured it might be useful to detect the Land attack redux, particularly in
sickly networks where sid 527 ("BAD-TRAFFIC same SRC/DST") is noisy.  Note that
equal source and destination ports are normal for some legitimate traffic (e.g.
NTP peers or server-to-server DNS), so for Land detection "sameport" should be
paired with "sameip" in the same rule rather than used on its own.  Might
also assist in detecting the odd bot or trojan.

Regards,
Mike
-- 
Michael J. Pomraning, CISSP
Project Manager, Infrastructure
SecurePipe, Inc. - Managed Internet Security
-------------- next part --------------
diff -ruN orig-snort-2.3.1/src/detection-plugins/Makefile.am snort-2.3.1/src/detection-plugins/Makefile.am
--- orig-snort-2.3.1/src/detection-plugins/Makefile.am	2004-06-16 13:49:24.000000000 -0500
+++ snort-2.3.1/src/detection-plugins/Makefile.am	2005-03-09 23:37:36.000000000 -0600
@@ -16,6 +16,7 @@
 sp_tcp_win_check.c sp_tcp_win_check.h sp_ttl_check.c sp_ttl_check.h            \
 sp_clientserver.c sp_clientserver.h sp_byte_check.c sp_byte_check.h            \
 sp_byte_jump.c sp_byte_jump.h sp_pcre.c sp_pcre.h sp_isdataat.c sp_isdataat.h  \
-sp_flowbits.c sp_flowbits.h sp_asn1.c sp_asn1.h
+sp_flowbits.c sp_flowbits.h sp_asn1.c sp_asn1.h \
+sp_sameport_check.c sp_sameport_check.h
 
 INCLUDES = @INCLUDES@
diff -ruN orig-snort-2.3.1/src/detection-plugins/Makefile.in snort-2.3.1/src/detection-plugins/Makefile.in
--- orig-snort-2.3.1/src/detection-plugins/Makefile.in	2005-03-08 12:08:15.000000000 -0600
+++ snort-2.3.1/src/detection-plugins/Makefile.in	2005-03-09 23:37:36.000000000 -0600
@@ -97,7 +97,8 @@
 sp_tcp_win_check.c sp_tcp_win_check.h sp_ttl_check.c sp_ttl_check.h            \
 sp_clientserver.c sp_clientserver.h sp_byte_check.c sp_byte_check.h            \
 sp_byte_jump.c sp_byte_jump.h sp_pcre.c sp_pcre.h sp_isdataat.c sp_isdataat.h  \
-sp_flowbits.c sp_flowbits.h sp_asn1.c sp_asn1.h
+sp_flowbits.c sp_flowbits.h sp_asn1.c sp_asn1.h \
+sp_sameport_check.c sp_sameport_check.h
 
 subdir = src/detection-plugins
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
@@ -120,7 +121,8 @@
 	sp_tcp_win_check.$(OBJEXT) sp_ttl_check.$(OBJEXT) \
 	sp_clientserver.$(OBJEXT) sp_byte_check.$(OBJEXT) \
 	sp_byte_jump.$(OBJEXT) sp_pcre.$(OBJEXT) sp_isdataat.$(OBJEXT) \
-	sp_flowbits.$(OBJEXT) sp_asn1.$(OBJEXT)
+	sp_flowbits.$(OBJEXT) sp_asn1.$(OBJEXT) \
+	sp_sameport_check.$(OBJEXT)
 libspd_a_OBJECTS = $(am_libspd_a_OBJECTS)
 
 DEFS = @DEFS@
diff -ruN orig-snort-2.3.1/src/detection-plugins/sp_sameport_check.c snort-2.3.1/src/detection-plugins/sp_sameport_check.c
--- orig-snort-2.3.1/src/detection-plugins/sp_sameport_check.c	1969-12-31 18:00:00.000000000 -0600
+++ snort-2.3.1/src/detection-plugins/sp_sameport_check.c	2005-03-09 23:38:00.000000000 -0600
@@ -0,0 +1,185 @@
+/*
+** Copyright (C) 2005 Michael J. Pomraning <mjp at securepipe.com>
+** largely copied from sp_ip_same_check.[ch]
+**
+** This program is free software; you can redistribute it and/or modify
+** it under the terms of the GNU General Public License as published by
+** the Free Software Foundation; either version 2 of the License, or
+** (at your option) any later version.
+**
+** This program is distributed in the hope that it will be useful,
+** but WITHOUT ANY WARRANTY; without even the implied warranty of
+** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+** GNU General Public License for more details.
+**
+** You should have received a copy of the GNU General Public License
+** along with this program; if not, write to the Free Software
+** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+*/
+
+/* $Id$ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <sys/types.h>
+#include <stdlib.h>
+#include <ctype.h>
+
+#include "rules.h"
+#include "decode.h"
+#include "plugbase.h"
+#include "parser.h"
+#include "debug.h"
+#include "util.h"
+#include "plugin_enum.h"
+
+typedef struct _SamePortData
+{
+    u_char port_same;
+} SamePortData;
+
+void SamePortCheckInit(char *, OptTreeNode *, int);
+void ParseSamePort(char *, OptTreeNode *);
+int SamePortCheck(Packet *, struct _OptTreeNode *, OptFpList *);
+
+/****************************************************************************
+ * 
+ * Function: SetupSamePortCheck()
+ *
+ * Purpose: Associate the "sameport" keyword with SamePortCheckInit
+ *
+ * Arguments: None.
+ *
+ * Returns: void function
+ *
+ ****************************************************************************/
+void SetupSamePortCheck(void)
+{
+    /* map the keyword to an initialization/processing function */
+    RegisterPlugin("sameport", SamePortCheckInit);
+    DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Plugin: SamePortCheck Initialized\n"););
+}
+
+
+/****************************************************************************
+ * 
+ * Function: SamePortCheckInit(char *, OptTreeNode *)
+ *
+ * Purpose: Setup the SamePortData struct and link the function into option
+ *          function pointer list
+ *
+ * Arguments: data => rule arguments/data
+ *            otn => pointer to the current rule option list node
+ *
+ * Returns: void function
+ *
+ ****************************************************************************/
+void SamePortCheckInit(char *data, OptTreeNode *otn, int protocol)
+{
+    /* sanity check */
+    if (protocol != IPPROTO_TCP && protocol != IPPROTO_UDP)
+    {
+        FatalError("Line %s (%d): sameport on non-TCP, non-UDP rule\n", file_name, file_line);
+    }
+
+    /* multiple declaration check */ 
+    if (otn->ds_list[PLUGIN_SAMEPORT_CHECK])
+    {
+        FatalError("%s(%d): Multiple sameport options in rule\n", file_name,
+                file_line);
+    }
+
+    /* allocate the data structure and attach it to the
+       rule's data struct list */
+    otn->ds_list[PLUGIN_SAMEPORT_CHECK] = (SamePortData *)
+            SnortAlloc(sizeof(SamePortData));
+
+    /* this is where the keyword arguments are processed and placed into the 
+       rule option's data structure */
+    ParseSamePort(data, otn);
+
+    /* finally, attach the option's detection function to the rule's 
+       detect function pointer list */
+    AddOptFuncToList(SamePortCheck, otn);
+}
+
+/****************************************************************************
+ * 
+ * Function: ParseSamePort(char *, OptTreeNode *)
+ *
+ * Purpose: Convert the id option argument to data and plug it into the 
+ *          data structure
+ *
+ * Arguments: data => argument data
+ *            otn => pointer to the current rule's OTN
+ *
+ * Returns: void function
+ *
+ ****************************************************************************/
+void ParseSamePort(char *data, OptTreeNode *otn)
+{
+    SamePortData *ds_ptr;  /* data struct pointer */
+
+    return; /* the check below bombs. */
+    /* set the ds pointer to make it easier to reference the option's
+       particular data struct */
+    ds_ptr = otn->ds_list[PLUGIN_SAMEPORT_CHECK];
+
+    /* get rid of any whitespace */
+    while(isspace((int)*data))
+    {
+        data++;
+    }
+    if (*data) {
+        FatalError("%s(%d): arg '%s' not required\n", file_name, file_line, data);
+    }
+}
+
+
+/****************************************************************************
+ * 
+ * Function: SamePortCheck(char *, OptTreeNode *)
+ *
+ * Purpose: Test the tcp or udp header to see if src. and dst. port are
+ *          equal
+ *
+ * Arguments: data => argument data
+ *            otn => pointer to the current rule's OTN
+ *
+ * Returns: void function
+ *
+ ****************************************************************************/
+int SamePortCheck(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list)
+{
+    int sameport = 0;
+
+    if(!p->iph) return 0;
+
+    if (p->tcph)
+    {
+	sameport = p->tcph->th_sport == p->tcph->th_dport;
+	DEBUG_WRAP(
+	    DebugMessage(DEBUG_PLUGIN,"Same TCP ports? %s (%x -> %x)\n",
+			 sameport ? "Yes" : "No",
+			 p->tcph->th_sport, p->tcph->th_dport);
+	) /* DEBUG_WRAP */
+    } else if (p->udph) {
+	sameport = p->udph->uh_sport == p->udph->uh_dport;
+	DEBUG_WRAP(
+	    DebugMessage(DEBUG_PLUGIN,"Same UDP ports? %s (%x -> %x)\n",
+			 sameport ? "Yes" : "No",
+			 p->udph->uh_sport, p->udph->uh_dport);
+	) /* DEBUG_WRAP */
+    }
+
+    if (sameport)
+    {
+        /* call the next function in the function list recursively */
+        return fp_list->next->OptTestFunc(p, otn, fp_list->next);
+    }
+
+    /* if the test isn't successful, return 0 */
+    return 0;
+}
diff -ruN orig-snort-2.3.1/src/detection-plugins/sp_sameport_check.h snort-2.3.1/src/detection-plugins/sp_sameport_check.h
--- orig-snort-2.3.1/src/detection-plugins/sp_sameport_check.h	1969-12-31 18:00:00.000000000 -0600
+++ snort-2.3.1/src/detection-plugins/sp_sameport_check.h	2005-03-09 23:37:36.000000000 -0600
@@ -0,0 +1,26 @@
+/*
+** Copyright (C) 2005 Michael J. Pomraning <mjp at securepipe.com>
+** largely copied from sp_ip_same_check.[ch]
+**
+** This program is free software; you can redistribute it and/or modify
+** it under the terms of the GNU General Public License as published by
+** the Free Software Foundation; either version 2 of the License, or
+** (at your option) any later version.
+**
+** This program is distributed in the hope that it will be useful,
+** but WITHOUT ANY WARRANTY; without even the implied warranty of
+** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+** GNU General Public License for more details.
+**
+** You should have received a copy of the GNU General Public License
+** along with this program; if not, write to the Free Software
+** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+*/
+
+/* $Id$ */
+#ifndef __SP_SAMEPORT_CHECK_H__
+#define __SP_SAMEPORT_CHECK_H__
+
+void SetupIpSameCheck(void);
+
+#endif  /* __SP_SAMEPORT_CHECK_H__ */
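Review bot: The header declares `SetupIpSameCheck`, a leftover from the sp_ip_same_check.h it was copied from, while sp_sameport_check.c defines and plugbase.c calls `SetupSamePortCheck`; the prototype should be `void SetupSamePortCheck(void);`. As written, the call in plugbase.c only compiles through an implicit declaration (with a warning under C89 toolchains, an error under stricter ones), and the header never actually exposes the function it exists for.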
diff -ruN orig-snort-2.3.1/src/plugbase.c snort-2.3.1/src/plugbase.c
--- orig-snort-2.3.1/src/plugbase.c	2005-01-13 14:36:20.000000000 -0600
+++ snort-2.3.1/src/plugbase.c	2005-03-09 23:37:36.000000000 -0600
@@ -90,6 +90,7 @@
 #include "detection-plugins/sp_pcre.h"
 #include "detection-plugins/sp_flowbits.h"
 #include "detection-plugins/sp_asn1.h"
+#include "detection-plugins/sp_sameport_check.h"
 #ifdef ENABLE_RESPONSE
 #include "detection-plugins/sp_react.h"
 #include "detection-plugins/sp_respond.h"
@@ -156,6 +157,7 @@
     SetupPcre();
     SetupFlowBits();
     SetupAsn1();
+    SetupSamePortCheck();
 #ifdef ENABLE_RESPONSE
     SetupReact();
     SetupRespond();
diff -ruN orig-snort-2.3.1/src/plugin_enum.h snort-2.3.1/src/plugin_enum.h
--- orig-snort-2.3.1/src/plugin_enum.h	2003-10-20 10:03:22.000000000 -0500
+++ snort-2.3.1/src/plugin_enum.h	2005-03-09 23:37:36.000000000 -0600
@@ -34,4 +34,5 @@
     PLUGIN_TTL_CHECK,
     PLUGIN_BYTE_TEST,
     PLUGIN_PCRE,
+    PLUGIN_SAMEPORT_CHECK,
 };
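Review bot: Appending PLUGIN_SAMEPORT_CHECK is only safe if the `ds_list` array in OptTreeNode is sized from this enum (for example by a trailing PLUGIN_MAX member) rather than by a separately defined constant; the hunk shows `};` directly after PLUGIN_PCRE with no sentinel visible, so that cannot be confirmed here. If the array is sized independently, `otn->ds_list[PLUGIN_SAMEPORT_CHECK]` in SamePortCheckInit both reads and writes one element past the end. Please verify the `ds_list` declaration in rules.h and, if it uses a fixed size, bump it (or add a PLUGIN_MAX sentinel here and size the array from it).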

