[Snort-sigs] Signatures for Xprobe

Kyle Haugsness kyle.haugsness at ...329...
Thu Jan 31 08:06:06 EST 2002


Greetings!

I was doing some research with the Xprobe tool (by Ofir Arkin and Fyodor
Yarochkin) and found that Snort doesn't seem to have signatures for it.  I
looked into snort-rules-current and the mailing list archives.  I'd like to
submit the following signatures for review and inclusion, if possible.
Seems that they would best go in "icmp.rules" (where some other ICMP attacks
are located).

The first packet sent by Xprobe always has the same unique characteristics.
The packet is a UDP datagram that is always 70 bytes long and the data
portion of the datagram is filled with 0x00 bytes.  Additionally, the first
packet has the UDP don't fragment bit set, although Snort doesn't have an
option to trigger on this (is this right?).  Here is a Snort rule to alert
on the first packet sent by Xprobe:

>  alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"Xprobe OS Fingerprint - First Packet"; dsize: 70; content: "|0000 0000|"; classtype: attempted-recon;)

Depending on the results from the first packet, Xprobe may send additional
packets.  If it sends an ICMP echo request to the target host, it will
contain the message code "123".  Here are the Snort rules to detect ICMP
echo and echo reply packets of this nature:

> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Request (Xprobe OS Fingerprint)"; itype: 8; icode: 123; content: "|0000 0000|";)

> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply (Xprobe OS Fingerprint Reply)"; itype: 0; icode: 123; content: "|0000 0000|";)

Finally, (depending on the target) the Xprobe tool will send an ICMP
timestamp request and/or an ICMP address mask request to the target, but
there don't appear to be any unique parameters in these messages.  The
rules in "icmp-info.rules" will catch these packets.

Thoughts?  Comments?


Thanks,
Kyle Haugsness
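
Added example (not part of the original post and not Snort code): a Python check for the packet traits the message describes, run over constructed packets. It assumes the 70 bytes are the UDP payload size, as the rule's dsize: 70 implies, and reads "don't fragment" as the IPv4 header flag; the function names, addresses and ports are made up for illustration.

```python
import struct

DF = 0x4000  # "don't fragment" flag in the IPv4 flags/fragment-offset field

def classify(pkt: bytes):
    """Label a raw IPv4 packet that has the traits described in the post, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _ident, flags_frag = struct.unpack_from("!HHH", pkt, 2)
    if ihl < 20 or total_len > len(pkt) or total_len < ihl + 8:
        return None                      # truncated or malformed header
    if flags_frag & 0x1FFF:
        return None                      # later fragment: no UDP/ICMP header present
    l4 = pkt[ihl:total_len]
    payload = l4[8:]                     # UDP and ICMP echo headers are both 8 bytes
    if pkt[9] == 17:                     # UDP
        # Assumption: 70 is the payload size (dsize: 70); payload must be all 0x00.
        if len(payload) == 70 and not any(payload) and flags_frag & DF:
            return "xprobe-udp-first-packet"
    elif pkt[9] == 1 and l4[1] == 123 and b"\x00" * 4 in payload:  # ICMP, code 123
        if l4[0] == 8:
            return "xprobe-icmp-echo"
        if l4[0] == 0:
            return "xprobe-icmp-echo-reply"
    return None

# --- Constructed test packets (documentation addresses, arbitrary ports) ---
def ipv4(proto, l4, df=False):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, DF if df else 0,
                      64, proto, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    return hdr + l4                      # checksums left at 0; not validated here

def udp(payload):
    return struct.pack("!HHHH", 40000, 40001, 8 + len(payload), 0) + payload

def icmp(itype, icode, payload):
    return struct.pack("!BBHHH", itype, icode, 0, 1, 1) + payload

SAMPLES = {
    "udp_probe":    ipv4(17, udp(bytes(70)), df=True),
    "udp_no_df":    ipv4(17, udp(bytes(70))),
    "udp_nonzero":  ipv4(17, udp(bytes(4) + b"A" * 66), df=True),
    "icmp_code123": ipv4(1, icmp(8, 123, bytes(8))),
    "icmp_normal":  ipv4(1, icmp(8, 0, bytes(8))),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:13} -> {classify(pkt)}")
```

The udp_nonzero sample satisfies the posted rule's dsize and content tests (70 bytes containing four zero bytes) but fails the all-zero check used here. In Snort, the fragbits: D option tests the same don't-fragment flag.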



