[Snort-sigs] SID 1627

Jon warchild at ...288...
Mon Feb 3 16:30:07 EST 2003

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$


alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC
Unassigned/Reserved IP protocol"; ip_proto:>134;
classtype:non-standard-protocol; sid:1627; rev:1;)




An IP packet with an unassigned protocol number was detected.


Possible information disclosure or backdoor activity.

Detailed Information:

As of this writing, of the 256 possible IP protocols, only 0-134 have been
assigned.  This rule caught one of those unassigned protocols on the wire.

Attack Scenarios:

In an effort to map out your network or determine what services you may be
offering or allow, an attacker may send IP packets with carefully
chosen IP protocol numbers.  Some hosts may respond with an "ICMP Destination
Unreachable (Protocol Unreachable)" packet (3:2), and others may not respond
at all.  Depending on how your network/hosts respond, the attacker can get a
better idea of how your network is setup and what to attack.

Following a successful compromise, an attacker may wish to communicate to/from
the compromised machine in a manner that wouldn't be detected by the casual
user.  A good way of doing this would be to use uncommon IP protocols. 

Ease of Attack:

For information gathering, trivial.  nmap provides the ability to do protocol

nmap -sO victim.com

For backdoors and covert communication, it is not as easy.  You'll need
the ability to send recieve packets for this particular protocol.  Such a task
could easily be completed using libnet + libpcap.

False Positives:

None as of this writing.

False Negatives:

None for this *particular* rule.  However, the majority of the assigned
protocols are extremely rare and are hardly ever seen on the wire.  Just
because a protocol is listed as "assigned" does not mean its presence on the
wire is ok.  It may in fact be odd traffic and should be treated with caution.

Corrective Action:

Examine the target host and determine if there is something "listening" for
this particular protocol.  Consider using the conversation preprocessor for
Snort and limit the protocols known to be on your network (icmp 1, tcp 6, udp
17).  This will then alert you when it sees something other than those that
are known.  Consider blocking all unknown or unused protocols on your inbound
and outbound network equipment.


Jon Hart <warchild at ...288...>

Additional References:

More information about the Snort-sigs mailing list