[Snort-sigs] I need a rule for synk4.c attack

Ali BASEL alib at ...505...
Fri Apr 12 04:47:09 EDT 2002


Hi,

Robert Wagner wrote:

 > Try creating a basic snort signature like  alert tcp any any -> any 80


I think you did not have the possibility to try the program.


 > alert tcp any any -> $HOME_NET 80 (msg:"synk4.c attack"; content:
 > "|50 82 ff ff fb 3a 00 00|"; tag: session, 300, packets;)


I have tried your rule (I shortened the content to "|00 50 82 ff ff|",
because the rest changes as well),

unfortunately it can't recognize the attack!

 > I believe most of what you are showing below is the TCP header.  0a0f 001b
 > translates to 10.15.0.27  There are some port and checksum information
 > following.  I am assuming this is a TCP packet.


Yes, of course.

Meanwhile, when the synk4 program attacks, snort can detect for example
the "TELNET login incorrect" signature to the same destination.

I wonder, does snort require a reply packet in order to check the
content of the first packet? If not, why can it not recognize these
easy packets?

And another question: can the content in a rule be the headers of the
packet, or must the content be in the data portion of the packet?
(Is there any documentation which explains how snort processes packet
recognition?)

Thanks.
Ali.


 >
 > -----Original Message-----
 > From: Ali BASEL [mailto:alib at ...505...]
 > Sent: Thursday, April 11, 2002 6:07 AM
 > To: Robert Wagner
 > Cc: snort-sigs at lists.sourceforge.net
 > Subject: Re: [Snort-sigs] I need a rule for synk4.c attack
 >
 >
 > Hi,
 >
 > I have dumped the packet with tcpdump -xX:
 > 17:38:26.440348 10.10.10.10.1322 > 10.15.0.27.http: SW
 > 674719801:674719801(0) win 65535
 > 0x0000   4500 0028 8ea8 0000 1e06 efea 0a0a 0a0a        E..(............
 > 0x0010   0a0f 001b 052a 0050 2837 6839 0000 0000        .....*.P(7h9....
 > 0x0020   5082 ffff fb3a 0000                            P....:..
 >
 > And I have studied the source code of the program; there is no data at
 > all. Then I have made this change in the source code:
 >   th.fin=1 (tcp header fin bit)
 > to send FIN bit also, and executed the program.
 > Here is the tcpdump:
 > 12:27:16.970348 10.10.10.10.sa-msg-port > 10.15.0.27.http: SFW
 > 674719801:674719801(0) win 65535
 > 0x0000   4500 0028 5cfa 0000 1e06 2199 0a0a 0a0a        E..(\.....!.....
 > 0x0010   0a0f 001b 066e 0050 2837 6839 0000 0000        .....n.P(7h9....
 > 0x0020   5183 ffff f8f5 0000                            Q.......
 >
 > And snort sees it as a portscan:
 > SNORT-INTRUSION-DETECTION-ALERT-MIB::sidaAlertMsg.7.26 spp_portscan:
 > portscan status from 10.10.10.10: 1 connections across 1 hosts: TCP(1),
 > UDP(0)
 > SNORT-INTRUSION-DETECTION-ALERT-MIB::sidaAlertSrcAddress.7.27 "10.10.10.10"
 > SNORT-INTRUSION-DETECTION-ALERT-MIB::sidaAlertScanDuration.7.27 495
 > SNORT-INTRUSION-DETECTION-ALERT-MIB::sidaAlertScannedHosts.7.27 1
 > SNORT-INTRUSION-DETECTION-ALERT-MIB::sidaAlertTCPScanCount.7.27 1
 > SNORT-INTRUSION-DETECTION-ALERT-MIB::sidaAlertUDPScanCount.7.27 0
 > SNORT-INTRUSION-DETECTION-ALERT-MIB::sidaAlertEventStatus.7.27 inProgress
 >
 > But I wonder why snort cannot detect it when there is no FIN bit?
 >
 > What should I do ?
 >
 > P.S.: If you want, I can send the program also (synk4.c).
 >
 > Thanks.
 > Ali
 >
 > Robert Wagner wrote:
 >
 >
 >>Try running TCPDUMP and capture the entire packet - data and all. TCPDUMP -xX
 >>Most of the signatures are triggered off of the content within the packet.
 >>
 >>-----Original Message-----
 >>From: Ali BASEL [mailto:alib at ...505...]
 >>Sent: Wednesday, April 10, 2002 8:40 AM
 >>To: snort-sigs at lists.sourceforge.net
 >>Subject: [Snort-sigs] I need a rule for synk4.c attack
 >>
 >>
 >>Hi,
 >>
 >>How can I write a snort (snort 1.8.6) rule for the synk4.c syn flood
 >>(with spoofed IP) attack program ?
 >>
 >>Here is the tcpdump of the attack:(destination port 80 supplied as an
 >>argument)
 >>cat TCP\:1368-80
 >>04/09-17:05:43.860348 10.10.10.10:1368 -> 10.15.0.27:80
 >>TCP TTL:30 TOS:0x0 ID:29579 IpLen:20 DgmLen:40
 >>1*****S* Seq: 0x28376839  Ack: 0x0  Win: 0xFFFF  TcpLen: 20
 >>
 >>I have tried the above rule to detect the attack, but it doesn't
 >>recognize it (I have changed the sequence number of the original rule)
 >>
 >>alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"DDOS shaft synflood";
 >>flags: S; seq: 674719801; reference:arachnids,253;
 >>classtype:attempted-dos; sid:241; rev:2;)
 >>
 >>
 >>
 >


-- 
Iyi Calismalar

Ali BASEL

Sabanci University
IT Dept.
Tel: +90 216 483 91 94
Http://people.sabanciuniv.edu/~alib
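The two questions in this thread (does `content` see the headers, and why did neither rule fire) can be answered directly from the hex dump Ali posted. The script below is an added example, not code from the thread or from Snort: it decodes the captured SYN packet and evaluates a simplified model of Snort's `content`, `flags` and `seq` keywords against it. Two facts drive the result. First, the IP total length is 0x0028 = 40 bytes and both headers are 20 bytes each, so the payload is empty; Snort's `content` only searches the application payload, so the bytes `50 82 ff ff` (data offset, flags and window of the TCP header) can never match it. Second, the flag byte is 0x82, i.e. SYN plus the CWR reserved bit (tcpdump prints it as `SW`, Snort's own log as `1*****S*`), so a plain `flags:S`, which requires an exact match, fails while `flags:S+` (SYN plus anything) would match. The `,12` reserved-bit mask modelled here is the syntax of later Snort rule sets and is an assumption for 1.8.6; the hex dump is copied from the thread, everything else is constructed.

```python
"""Decode the synk4 SYN packet from the thread and check which Snort
rule options could match it.

Added example, not code from the thread or from Snort.  The matching
functions are a simplified model of Snort's `content`, `flags` and
`seq` keywords, written to illustrate their semantics, not Snort's
own implementation.
"""
import struct

# Hex dump exactly as posted in the thread (tcpdump -xX of the SYN packet).
CAPTURED_HEXDUMP = """
0x0000   4500 0028 8ea8 0000 1e06 efea 0a0a 0a0a
0x0010   0a0f 001b 052a 0050 2837 6839 0000 0000
0x0020   5082 ffff fb3a 0000
"""

# TCP flag bits; C and E are the two "reserved" bits Snort prints as 1 and 2.
TCP_FLAG_BITS = {"C": 0x80, "E": 0x40, "U": 0x20, "A": 0x10,
                 "P": 0x08, "R": 0x04, "S": 0x02, "F": 0x01}


def hexdump_to_bytes(dump):
    """Turn tcpdump -x output into raw bytes, dropping the offset column."""
    out = bytearray()
    for line in dump.strip().splitlines():
        for word in line.split()[1:]:      # skip the "0x0000" offset
            out += bytes.fromhex(word)
    return bytes(out)


def decode_ipv4_tcp(raw):
    """Parse IPv4 + TCP headers; return the fields a rule can test."""
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    ttl, proto = raw[8], raw[9]
    if proto != 6:
        raise ValueError("not a TCP packet")
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    tcp = raw[ihl:total_len]
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    doff = (tcp[12] >> 4) * 4
    flags = tcp[13]
    window = struct.unpack("!H", tcp[14:16])[0]
    return {"src": src, "dst": dst, "ttl": ttl, "sport": sport,
            "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "window": window, "tcp_header": tcp[:doff],
            "payload": tcp[doff:]}


def flags_to_str(flags):
    """Render a flag byte as letters, e.g. 0x82 -> 'CS'."""
    return "".join(n for n, bit in TCP_FLAG_BITS.items() if flags & bit)


def content_matches(pkt, pattern):
    """Model of Snort `content`: searched in the application payload only,
    never in the IP or TCP header."""
    return pattern in pkt["payload"]


def flags_match(pkt, wanted, plus=False, ignore_reserved=False):
    """Model of Snort `flags`: exact match of the flag byte by default,
    `+` allows extra bits, the reserved mask (",12") ignores CWR/ECE."""
    want = 0
    for ch in wanted:
        want |= TCP_FLAG_BITS[ch]
    have = pkt["flags"]
    if ignore_reserved:
        have &= ~(TCP_FLAG_BITS["C"] | TCP_FLAG_BITS["E"])
    if plus:
        return have & want == want
    return have == want


def evaluate_thread_rules(dump=None):
    """Check the options from both rules in the thread against the packet."""
    pkt = decode_ipv4_tcp(hexdump_to_bytes(dump or CAPTURED_HEXDUMP))
    probe = bytes.fromhex("5082ffff")
    return {
        "flags": flags_to_str(pkt["flags"]),
        "payload_len": len(pkt["payload"]),
        "seq": pkt["seq"],
        # Robert's rule: the bytes live in the TCP header, so content never sees them
        "content_5082ffff": content_matches(pkt, probe),
        "header_has_5082ffff": probe in pkt["tcp_header"],
        # the shaft rule: exact flags:S fails because the CWR bit is also set
        "flags_S_exact": flags_match(pkt, "S"),
        "flags_S_plus": flags_match(pkt, "S", plus=True),
        "flags_S_mask12": flags_match(pkt, "S", ignore_reserved=True),
        "seq_674719801": pkt["seq"] == 674719801,
    }


if __name__ == "__main__":
    for key, val in evaluate_thread_rules().items():
        print(f"{key:22} {val}")
```

Running it shows `payload_len 0`, `content_5082ffff False` and `flags_S_exact False`, while `flags_S_plus`, `seq_674719801` and the header search are all `True`. The practical consequence is that a rule for this packet must test header fields, not `content`: something along the lines of `flags:S+; seq:674719801; window:65535;` (the `seq` and `window` keywords test those header fields directly; the constant sequence number and 0xFFFF window appear in all three dumps in the thread). The SYN+FIN variant was caught by spp_portscan rather than by a rule because that preprocessor treats the illegal SYN+FIN combination as a stealth scan, which is unrelated to the rule's `content` option.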





