[Snort-sigs] Traceroute test

Dirk Mueller dmuell at ...433...
Tue Jun 17 10:17:15 EDT 2003


On Tue, 17 Jun 2003, Esler, Joel Contractor wrote:

> Since traceroute starts on port 33435 udp...  We can write a rule to detect
> traceroutes...

That's not true, it will use any port between 33435 and 33445, but even that
can be configured.

> Alert udp $HOME_NET >33435 -> $EXTERNAL_NET any (msg:"Traceroute";
> flags:S+;")
> 
> Right??

Wrong. SYN only exists for TCP, not for UDP. 

> Alert udp $HOME_NET 33435:65535 -> $EXTERNAL_NET any (msg:"Traceroute";) ??

That would match it, but also produce about half a bazillion false
positives.

Anyway, it depends pretty much on what you want to detect: 

a) all possible traceroute attempts

Then this rule is not enough. One can use TCP and ICMP and any other IP
protocol for tracerouting as well. Things to watch for are very low TTL
fields in the header (let's say < 10), because usually they rarely occur in
normal traffic. Also you can traceroute against any port (also things like
port 53, though when it happens to be open you won't get a useful result).

b) a very specific traceroute attempt (using a specific application)

Usually traceroute implementations send packets with a certain, fixed data
payload. You should check for such packets with matching payload. This gives
a certain safety in detecting specific applications. It might be even better
to check for this content in the ICMP "Port unreachable" reply that is sent
by the host that is tracerouted.


-- 
Dirk
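The heuristics Dirk lists above (the naive "UDP to a high port" rule with its false positives, the protocol-independent low-TTL check, the fixed-payload check, and the same check applied to the ICMP port-unreachable reply) can be tried side by side on a handful of packets. The following is an added example written for this page, not code from the thread or from Snort: it scores constructed packet records against each heuristic. The packet fields, the threshold of 10, and the payload string `TRACE-EXAMPLE-PAYLOAD` are assumptions made for the illustration; the payload is not a fingerprint of any real traceroute implementation.

```python
"""Added example (not from the Snort-sigs thread): compare the traceroute
detection heuristics from the discussion on constructed packet records.
A real deployment would express these as Snort rules or run them over
decoded captures; here the records are built inline so the file runs offline."""
from dataclasses import dataclass
from typing import List, Optional

LOW_TTL = 10                                  # the post's cutoff: TTL < 10 is rare in normal traffic
DEFAULT_UDP_PORTS = range(33435, 33446)       # classic UDP traceroute range 33435-33445 (inclusive)

# Hypothetical filler an imaginary traceroute build always sends. Constructed
# for this example; it does not identify any real tool.
KNOWN_PAYLOADS = {b"TRACE-EXAMPLE-PAYLOAD"}


@dataclass
class Packet:
    """Minimal constructed packet record; a real detector would decode these
    fields from the IP, UDP/TCP and ICMP headers."""
    proto: str                        # "udp", "tcp" or "icmp"
    ttl: int                          # IP TTL as seen on the wire
    dport: Optional[int] = None       # transport destination port (udp/tcp only)
    payload: bytes = b""              # transport payload
    icmp_type: Optional[int] = None   # ICMP header fields (icmp only)
    icmp_code: Optional[int] = None
    quoted_payload: bytes = b""       # for ICMP errors: payload of the datagram that triggered them


def naive_port_rule(pkt: Packet) -> bool:
    """Joel's second rule: any UDP to a destination port >= 33435.
    Catches traceroute but also every unrelated high-port UDP flow."""
    return pkt.proto == "udp" and pkt.dport is not None and pkt.dport >= 33435


def default_port_range(pkt: Packet) -> bool:
    """Tighter variant: UDP to the classic 33435-33445 range only.
    Still misses tools configured to use other ports."""
    return pkt.proto == "udp" and pkt.dport is not None and pkt.dport in DEFAULT_UDP_PORTS


def low_ttl(pkt: Packet) -> bool:
    """Protocol-independent check from the post: a very low TTL marks a probe
    whether it is carried in UDP, TCP or ICMP."""
    return pkt.ttl < LOW_TTL


def known_payload(pkt: Packet) -> bool:
    """Application-specific check: the fixed filler a particular tool sends."""
    return pkt.payload in KNOWN_PAYLOADS


def port_unreachable_reply(pkt: Packet) -> bool:
    """Reply-side check: ICMP type 3 code 3 (port unreachable) whose quoted
    original datagram carries the known filler."""
    return (pkt.proto == "icmp" and pkt.icmp_type == 3 and pkt.icmp_code == 3
            and pkt.quoted_payload in KNOWN_PAYLOADS)


CHECKS = {
    "udp-port>=33435": naive_port_rule,
    "udp-default-range": default_port_range,
    "low-ttl": low_ttl,
    "known-payload": known_payload,
    "icmp-unreach-reply": port_unreachable_reply,
}


def classify(pkt: Packet) -> List[str]:
    """Names of every heuristic the packet trips, in CHECKS order."""
    return [name for name, check in CHECKS.items() if check(pkt)]


def detect(packets: List[Packet]) -> List[List[str]]:
    """Classify a whole list of packets."""
    return [classify(p) for p in packets]


# Constructed sample traffic (not captured data).
SAMPLE = [
    Packet("udp", ttl=1, dport=33437, payload=b"TRACE-EXAMPLE-PAYLOAD"),   # classic UDP traceroute probe
    Packet("udp", ttl=64, dport=40000, payload=b"\x80\x00\x12\x34"),       # ordinary high-port UDP flow
    Packet("tcp", ttl=3, dport=80),                                        # TCP-based traceroute probe
    Packet("udp", ttl=2, dport=53, payload=b"TRACE-EXAMPLE-PAYLOAD"),      # same tool aimed at port 53
    Packet("icmp", ttl=54, icmp_type=3, icmp_code=3,
           quoted_payload=b"TRACE-EXAMPLE-PAYLOAD"),                       # port-unreachable reply from traced host
    Packet("udp", ttl=64, dport=53, payload=b"\x12\x34\x01\x00"),          # normal DNS query
]

if __name__ == "__main__":
    for pkt, hits in zip(SAMPLE, detect(SAMPLE)):
        print(f"{pkt.proto:4} ttl={pkt.ttl:<3} dport={pkt.dport!s:5} -> {hits or '-'}")
```

Running it shows why the thread rejects the port-only rule: the ordinary 40000/udp flow trips `udp-port>=33435` alone, while the TCP probe and the probe to port 53 are caught only by the TTL and payload checks, and the ICMP reply is caught by nothing except the reply-side check.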
