[Snort-sigs] Traceroute test
dmuell at ...433...
Tue Jun 17 10:17:15 EDT 2003
On Tue, 17 Jun 2003, Esler, Joel Contractor wrote:
> Since traceroute starts on port 33435 udp... We can write a rule to detect
That's not true; it will use any port between 33435 and 33445, but even that
can be configured.
> Alert udp $HOME_NET >33435 -> $EXTERNAL_NET any (msg:"Traceroute";
Wrong. SYN only exists for TCP, not for UDP.
> Alert udp $HOME_NET 33435:65535 -> $EXTERNAL_NET any (msg:"Traceroute";) ??
That would match it, but also produce about half a bazillion false
Anyway, it depends pretty much on what you want to detect:
a) all possible traceroute attempts
Then this rule is not enough. One can use TCP and ICMP and any other IP
protocol for tracerouting as well. Things to watch for are very low TTL
fields in the header (let's say < 10), because they rarely occur in
normal traffic. Also, you can traceroute against any port (also things like
port 53, though when it happens to be open you won't get a useful result).
b) a very specific traceroute attempt (using a specific application)
Usually traceroute implementations send packets with a certain, fixed data
payload. You should check for such packets with matching payload. This gives
a certain safety in detecting specific applications. It might be even better
to check for this content in the ICMP "Port unreachable" reply that is sent
by the host that is tracerouted.
More information about the Snort-sigs