Brief synopsis:  A rootkit is installed that initiates a reverse shell back
to the attacker when triggered by a crafted packet aimed at any port the
victim has open.  The reverse shell is TCP with a full handshake (although
it's encrypted), so I know the IP that is triggering the reverse shell.
However, the IP changes daily (either dynamically, or RAS, or multiple owned
systems, etc.), so I can't set rules up to log by IP.  Also, the victim is a
public web server and they don't log every connection.  When looking at the
logs I have from the FWs and the victim, I can't see what the trigger packet
is that wakes up the reverse shell.  The big issue is their IDS and FW only
log web traffic that fits a particular signature string; otherwise port 80
inbound is dropped because there is just so much of it.

Problem:  I figure the trigger packet is coming inbound to port 80 and
hiding among tons of legit traffic, probably an HTTP continuation packet to
try and spoof proxies and such.  It could be a GET or POST or HEAD or
anything like that too; I just don't know, since the logs are not capturing
this.  Right now I just don't see the precursor for when the victim
initiates the reverse shell.

So...I want to be able to log all data sent to the server to port 80, try to
capture some server replies, but pass everything else on port 80.  For this
purpose will be the server (victim):

# This should capture almost all GETs, POSTs and HEADs, etc. I would think
log tcp any any -> any 80 (flags: PA;)
log tcp any any -> any 80 (flags: SP;)
# This should capture any data sent with a SYN or bare ACK, odd but allowed per RFC
log tcp any any -> any 80 (flags: S; dsize: >1;)
log tcp any any -> any 80 (flags: A; dsize: >1;)

My BIG issue is this:  How can I log some server replies but pass everything
else?  For instance, if I want to capture PUSH/ACKs with an HTTP status code
BUT pass all other PAs, how can I do it?

# This doesn't seem to work. I would think ANY PUSH/ACK without the content
# HTTP/1.1 within the first 20 bytes of data would be passed.
pass tcp any 80 -> any any (flags: AP; content: !"HTTP/1.1 "; depth: 20;)
# The below rules I added to discard all other replies:
pass tcp any 80 -> any any (flags: A;)
pass tcp any 80 -> any any (flags: RA;)
pass tcp any 80 -> any any (flags: FA;)
# ...etc... all other flag combos...
# The final rules are to capture everything
log tcp any any <> any any
log udp any any <> any any
log icmp any any <> any any

So, the problem is I not only capture all the server HTTP status code
replies but all PUSH/ACKs from the server.  I tried making the
pass tcp any 80 -> any any (flags: AP; content: !"HTTP/1.1 "; depth: 20;)
into a log statement instead and getting rid of the "!" identifier, then
adding a pass statement:
pass tcp any 80 -> any any (flags: AP;)
below it, but then I don't get any packets with a PUSH/ACK.

Does this have something to do with the order of the rules?  I'm assuming
that if you put a pass statement in, it would override a log statement above
it, and the pass statement would apply?  If so, why doesn't my pass statement
for all PUSH/ACKs without the content HTTP/1.1 work?  Why am I still seeing
ALL PUSH/ACKs?  This is beyond me, can't figure it out... help
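The following is an added example and not part of the original post: a toy
Python evaluator for the subset of Snort rule syntax used above (header with
ports and direction, plus the flags, dsize, content and depth options). It
models the precedence the poster is asking about, namely that a matching pass
rule wins over any log rule regardless of where the two appear in the file,
and it checks the negated-content pass rule against constructed traffic (a
client GET, a status-line reply, a body continuation, a bare ACK and a SYN
carrying data). Assumptions, labelled in the code: exact-flag matching with no
+, * or ! modifiers, IP fields of "any" only, and pass-before-log ordering; it
is a model for reasoning about the rules, not Snort itself.

```python
"""Toy evaluator for the Snort rule subset used in the post above.

Assumptions (this is a model, not Snort):
  * pass rules are evaluated before log rules, so a matching pass rule
    wins no matter where it sits in the file;
  * flags:XY means exactly those TCP flags are set (no +, *, ! modifiers);
  * content: with depth:N searches only the first N payload bytes, and a
    leading ! negates the match;
  * IP fields accept only 'any' (the constructed packets carry no addresses).
"""
import re
from dataclasses import dataclass

HEADER_RE = re.compile(
    r'^(?P<action>pass|log|alert)\s+(?P<proto>tcp|udp|icmp)\s+'
    r'(?P<sip>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dip>\S+)\s+(?P<dport>\S+)'
    r'\s*(?:\((?P<opts>.*)\))?\s*$')
OPT_RE = re.compile(r'(\w+)\s*:\s*(!?"[^"]*"|[^;]*?)\s*;')


@dataclass
class Packet:
    proto: str
    sport: int
    dport: int
    flags: str = ""       # TCP flag letters, e.g. "PA"
    payload: bytes = b""


def parse_rule(line):
    """Parse one rule line into a dict of header fields plus an option dict."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable rule: {line!r}")
    rule = m.groupdict()
    rule["opts"] = dict(OPT_RE.findall(rule["opts"] or ""))
    rule["text"] = line.strip()
    return rule


def _port_ok(spec, port):
    return spec == "any" or int(spec) == port


def _dsize_ok(spec, n):
    if spec.startswith(">"):
        return n > int(spec[1:])
    if spec.startswith("<"):
        return n < int(spec[1:])
    return n == int(spec)


def matches(rule, pkt):
    """True if the packet satisfies the rule header and every option."""
    if rule["proto"] != pkt.proto:
        return False
    fwd = _port_ok(rule["sport"], pkt.sport) and _port_ok(rule["dport"], pkt.dport)
    rev = _port_ok(rule["sport"], pkt.dport) and _port_ok(rule["dport"], pkt.sport)
    if not (fwd or (rule["dir"] == "<>" and rev)):
        return False
    o = rule["opts"]
    if "flags" in o and set(o["flags"]) != set(pkt.flags):   # exact-flag model
        return False
    if "dsize" in o and not _dsize_ok(o["dsize"], len(pkt.payload)):
        return False
    if "content" in o:
        spec = o["content"]
        negate = spec.startswith("!")
        needle = spec.lstrip("!").strip('"').encode()
        window = pkt.payload[:int(o["depth"])] if "depth" in o else pkt.payload
        if (needle in window) == negate:   # found-but-negated or absent-but-required
            return False
    return True


def evaluate(rules, pkt):
    """Return (action, rule_text); pass rules are tried before log rules."""
    for action in ("pass", "log"):
        for r in rules:
            if r["action"] == action and matches(r, pkt):
                return action, r["text"]
    return "none", None


# The poster's intended rule set, in the corrected header form.
RULES = [parse_rule(r) for r in [
    'log tcp any any -> any 80 (flags: PA;)',
    'log tcp any any -> any 80 (flags: S; dsize: >1;)',
    'pass tcp any 80 -> any any (flags: AP; content: !"HTTP/1.1 "; depth: 20;)',
    'pass tcp any 80 -> any any (flags: A;)',
    'log tcp any any <> any any',
]]


def sample_traffic():
    """Constructed packets standing in for one HTTP exchange (not captured data)."""
    return {
        "client_get": Packet("tcp", 51000, 80, "PA", b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
        "server_status": Packet("tcp", 80, 51000, "PA", b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n"),
        "server_continuation": Packet("tcp", 80, 51000, "PA", b"<html>hello</html>"),
        "server_ack": Packet("tcp", 80, 51000, "A"),
        "syn_with_data": Packet("tcp", 51000, 80, "S", b"\x00\x01\x02"),
    }


def decisions(rules=RULES):
    """Map each sample packet name to the action the rule set takes on it."""
    return {name: evaluate(rules, pkt)[0] for name, pkt in sample_traffic().items()}


if __name__ == "__main__":
    for name, action in decisions().items():
        print(f"{name:20s} -> {action}")
```

Under these assumptions the status-line reply and the client request are
logged while the body continuation and the bare ACK are passed, which is the
behaviour the post is after; if real Snort output differs from the model, the
difference points at one of the listed assumptions (rule ordering, flag
modifiers, or how the negated content option is handled by the version in use).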


