[Snort-sigs] Traceroute test
Esler, Joel Contractor
EslerJ at ...785...
Tue Jun 17 10:57:01 EDT 2003
Yeah, I screwed that all up. I hate it when I write an email while
thinking. Then by the time the responses get here and I feel stupid, I've
already figured it out. Haha
From: Dirk Mueller [mailto:dmuell at ...433...]
Sent: Tuesday, June 17, 2003 1:17 PM
To: 'snort-sigs at lists.sourceforge.net'
Subject: Re: [Snort-sigs] Traceroute test
On Tue, 17 Jun 2003, Esler, Joel Contractor wrote:
> Since traceroute starts on port 33435 udp... We can write a rule to
> detect traceroutes...
That's not true; it will use any port between 33435 and 33445, but even that
can be configured.
> Alert udp $HOME_NET >33435 -> $EXTERNAL_NET any (msg:"Traceroute";
Wrong. SYN only exists for TCP, not for UDP.
> Alert udp $HOME_NET 33435:65535 -> $EXTERNAL_NET any
> (msg:"Traceroute";) ??
That would match it, but also produce about half a bazillion false
Anyway, it depends pretty much on what you want to detect:
a) all possible traceroute attempts
Then this rule is not enough. One can use TCP and ICMP and any other IP
protocol for tracerouting as well. Things to watch for are very low TTL
fields in the header (let's say < 10), because they rarely occur in
normal traffic. Also, you can traceroute against any port (also things like
port 53, though when it happens to be open you won't get a useful result).
b) a very specific traceroute attempt (using a specific application)
Usually traceroute implementations send packets with a certain, fixed data
payload. You should check for such packets with matching payload. This gives
a certain safety in detecting specific applications. It might be even better
to check for this content in the ICMP "Port unreachable" reply that is sent
by the host that is tracerouted.
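The three heuristics Dirk describes (a very low TTL, a UDP destination port inside the traceroute window, and the quoted probe inside the ICMP "port unreachable" reply) are easy to exercise outside Snort. The block below is an added example, not code from this thread or from the Snort project: it parses raw IPv4 packets, applies those three checks, and runs them over packets constructed inline. The TTL threshold of 10 comes from the message above; the port window 33434-33534, the sample addresses and the zeroed checksums are assumptions of the example, not values from the thread.

```python
"""Traceroute-probe heuristics over raw IPv4 packets (added example; samples are constructed)."""
import struct
from dataclasses import dataclass

LOW_TTL = 10                        # threshold suggested in the thread: TTL < 10 is rare in normal traffic
PROBE_PORTS = range(33434, 33535)   # assumed UDP destination-port window; tunable, the thread disputes the exact values
PROTO_ICMP, PROTO_UDP = 1, 17


@dataclass
class Verdict:
    low_ttl: bool        # IP TTL below LOW_TTL
    probe_port: bool     # UDP destination port inside PROBE_PORTS
    quoted_probe: bool   # ICMP type 3 / code 3 whose quoted datagram targets PROBE_PORTS

    def suspicious(self) -> bool:
        return self.low_ttl or self.probe_port or self.quoted_probe


def parse_ipv4(pkt: bytes):
    """Return (ttl, protocol, payload) for a raw IPv4 packet; checksums are not verified."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[8], pkt[9], pkt[ihl:]


def udp_ports(seg: bytes):
    """Return (source port, destination port) from a UDP header."""
    if len(seg) < 8:
        raise ValueError("truncated UDP header")
    return struct.unpack("!HH", seg[:4])


def classify(pkt: bytes, ports=PROBE_PORTS, low_ttl: int = LOW_TTL) -> Verdict:
    ttl, proto, payload = parse_ipv4(pkt)
    v = Verdict(low_ttl=ttl < low_ttl, probe_port=False, quoted_probe=False)
    if proto == PROTO_UDP:
        v.probe_port = udp_ports(payload)[1] in ports
    elif proto == PROTO_ICMP and len(payload) >= 8 and payload[0] == 3 and payload[1] == 3:
        # Destination Unreachable / Port Unreachable quotes the original IP header
        # plus the first 8 bytes of the offending datagram after its own 8-byte header.
        try:
            _, inner_proto, inner = parse_ipv4(payload[8:])
            if inner_proto == PROTO_UDP:
                v.quoted_probe = udp_ports(inner)[1] in ports
        except ValueError:
            pass   # malformed or truncated quote: leave quoted_probe False
    return v


# --- constructed sample packets (checksums left as 0; the parser above ignores them) ---

def build_ipv4(proto: int, ttl: int, payload: bytes,
               src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02") -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0, src, dst)
    return hdr + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_icmp_port_unreach(quoted_ip_packet: bytes) -> bytes:
    # type 3, code 3, checksum 0, unused 0, then IP header + 8 bytes of the probe
    return struct.pack("!BBHI", 3, 3, 0, 0) + quoted_ip_packet[:28]


def demo() -> dict:
    """Classify three constructed packets and return {name: Verdict}."""
    probe = build_ipv4(PROTO_UDP, 3, build_udp(40000, 33434, b"\x00" * 32))      # outbound probe, hop 3
    dns = build_ipv4(PROTO_UDP, 64, build_udp(50000, 53, b"\x12\x34\x01\x00"))    # ordinary DNS query
    reply = build_ipv4(PROTO_ICMP, 60, build_icmp_port_unreach(probe),
                       src=b"\x0a\x00\x00\x02", dst=b"\x0a\x00\x00\x01")          # target's port-unreachable
    return {"probe": classify(probe), "dns": classify(dns), "reply": classify(reply)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:6s} suspicious={verdict.suspicious()} {verdict}")
```

The ICMP branch is the check Dirk suggests as the more reliable one: the reply carries the probe's own UDP header, so the destination port can be read back even when the probe itself was never seen. Any of the three flags on its own is still a heuristic, and the port window in particular should be tuned to what the local traceroute tools actually use.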