[Snort-sigs] Traceroute test

Esler, Joel Contractor EslerJ at ...785...
Tue Jun 17 10:57:01 EDT 2003

Yeah I screwed that all up.  I hate it when I write an email while
thinking..  Then by the time the responses get here and I feel stupid, I've
already figured it out..  Haha


-----Original Message-----
From: Dirk Mueller [mailto:dmuell at ...433...] 
Sent: Tuesday, June 17, 2003 1:17 PM
To: 'snort-sigs at lists.sourceforge.net'
Subject: Re: [Snort-sigs] Traceroute test

On Tue, 17 Jun 2003, Esler, Joel Contractor wrote:

> Since traceroute starts on port 33435 udp...  We can write a rule to 
> detect traceroutes...

That's not true, it will use any port between 33435 and 33445, but even that 
can be configured. 

> Alert udp $HOME_NET >33435 -> $EXTERNAL_NET any (msg:"Traceroute";
> flags:S+;")
> Right??

Wrong. SYN only exists for TCP, not for UDP. 

> Alert udp $HOME_NET 33435:65535 -> $EXTERNAL_NET any 
> (msg:"Traceroute";) ??

that would match it, but also produce about half a bazillion false 

Anyway, it depends pretty much on what you want to detect: 

a) all possible traceroute attempts

Then this rule is not enough. One can use TCP and ICMP and any other IP 
protocol for tracerouting as well. Things to watch for are very low TTL 
fields in the header (let's say < 10), because usually they rarely occur in 
normal traffic. Also you can traceroute against any port (also things like 
port 53, though when it happens to be open you won't get a useful result).

b) a very specific traceroute attempt (using a specific application)

Usually traceroute implementations send packets with a certain, fixed data
payload. You should check for such packets with matching payload. This gives
a certain safety in detecting specific applications. It might be even better 
to check for this content in the ICMP "Port unreachable" reply that is sent 
by the host that is tracerouted. 
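The two detection approaches Dirk describes, low TTL for case a) and a fixed payload plus its echo in the ICMP "Port unreachable" reply for case b), as an added Python example that is not part of the thread. It treats the 33435-33445 range as the UDP destination port, uses a placeholder for an implementation's fixed payload, and runs over constructed sample packets; all three are assumptions, not values from the thread.

```python
"""Traceroute-probe heuristics from the thread, applied to raw IPv4 packets (added example)."""
import struct

TRACEROUTE_PORTS = range(33435, 33446)   # assumed UDP destination range 33435..33445
LOW_TTL = 10                              # "very low TTL ... let's say < 10"
KNOWN_PAYLOAD = bytes(range(8))           # constructed placeholder for one tool's fixed payload

def parse_ipv4(pkt: bytes) -> dict:
    """Minimal IPv4 parse: ttl, protocol, dst port (TCP/UDP), ICMP type/code, payload."""
    ihl = (pkt[0] & 0x0F) * 4
    ttl, proto = pkt[8], pkt[9]
    body = pkt[ihl:]
    info = {"ttl": ttl, "proto": proto, "dport": None, "itype": None, "icode": None, "payload": b""}
    if proto in (6, 17):                          # TCP or UDP: ports are the first 4 bytes
        info["dport"] = struct.unpack("!H", body[2:4])[0]
        info["payload"] = body[8:] if proto == 17 else body[(body[12] >> 4) * 4:]
    elif proto == 1:                              # ICMP: type, code, then the quoted datagram
        info["itype"], info["icode"] = body[0], body[1]
        info["payload"] = body[8:]
    return info

def classify(pkt: bytes) -> set:
    """Return the heuristics that fire: low_ttl, udp_port_range, known_payload, icmp_reply."""
    p = parse_ipv4(pkt)
    hits = set()
    if p["ttl"] < LOW_TTL:
        hits.add("low_ttl")                       # case a): any protocol, TTL-based
    if p["proto"] == 17 and p["dport"] in TRACEROUTE_PORTS:
        hits.add("udp_port_range")                # Joel's port-only idea: noisy on its own
    if p["proto"] in (6, 17) and p["payload"] == KNOWN_PAYLOAD:
        hits.add("known_payload")                 # case b): one specific implementation
    if p["proto"] == 1 and (p["itype"], p["icode"]) == (3, 3) and KNOWN_PAYLOAD in p["payload"]:
        hits.add("icmp_reply")                    # port unreachable quoting the probe payload
    return hits

def build_ipv4(proto: int, ttl: int, transport: bytes) -> bytes:
    """Constructed IPv4 header (no checksum) in front of a transport segment."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), 0, 0, ttl, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([192, 168, 1, 1]))
    return hdr + transport

def udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

# Constructed sample traffic: a hop-3 probe, ordinary DNS, unrelated high-port UDP, and the reply.
PROBE = build_ipv4(17, 3, udp(40000, 33437, KNOWN_PAYLOAD))
DNS = build_ipv4(17, 64, udp(40001, 53, b"\x12\x34\x01\x00"))
HIGH_PORT_NOISE = build_ipv4(17, 64, udp(40002, 33440, b"hello"))
REPLY = build_ipv4(1, 250, struct.pack("!BBHI", 3, 3, 0, 0) + PROBE)  # ICMP 3/3 quoting the probe
```

In Snort terms the same checks are the `ttl`, `content` and `itype`/`icode` rule options; the port-only rule fires on HIGH_PORT_NOISE, which is the false-positive problem Dirk raises.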

