[Snort-sigs] Trying to capture web traffic

whipsmack whipsmack0 at ...144...
Tue Feb 17 08:58:03 EST 2004


If this is a duplicate, sorry about that but I kept getting receipt errors according to the UK regulators---  whatever?

-------------

All,

Brief synopsis: A rootkit is installed that initiates a reverse shell back

to attacker when triggered by a crafted packet aimed at any port the victim

has open. The reverse shell is TCP with a full handshake (although it's

encrypted) so, I know the IP that is triggering the reverse shell. However,

the IP changes daily (either dynamically, or RAS, or multiple owned systems,

etc) so I can't set rules up to log by IP. Also, the victim is a public web

server and they don't log every connection. When looking at the logs I have

from FW's and victim I can't see what the trigger packet is that wakes up

the reverse shell. The big issue is their IDS and FW only log web traffic

that fits a particular signature string, otherwise port 80 inbound is

dropped cause there is just so much of it.

Problem: I figure the trigger packet is coming inbound to port 80 and

hiding among tons of legit traffic, probably an HTTP continuation packet to

try and spoof proxies and such.... it could be a GET or POST or HEAD or

anything like that too, just don't know since the logs are not capturing

this. Right now, I just don't see the precursor for when the victim

imitates the reverse shell....

So...I want to be able to log all data sent to the server to port 80, try to

capture some server replies, but pass everything else on port 80. For this

purpose 10.1.1.50 will be the server (victim):

# This should capture almost all GETs, POSTs and HEADs, etc I would think

log tcp any any -> 10.1.1.50 80 (flags: PA;)

log tcp any any -> 10.1.1.50 80 (flags: SP;)

# This should capture any data sent, odd but allowed per RFC

log tcp any any -> 10.1.1.50 80 (flags: S; dsize: >1;)

log tcp any any -> 10.1.1.50 90 (flags: A: dsize: >1;)

#

....

My BIG issue is this: How can I log some server replies but pass everything else. For instance, if I want to capture PUSH/ACKs with HTTP status code, BUT pass all other PA's how can I do it????

# This doesn't seem to work, I would think ANY PUSH/ACK without the content of HTTP/1.1 within the first 20 bytes of data would be passed.

pass tcp 10.1.1.50 80 -> any any (flags: AP; content: !"HTTP/1.1 "; depth: 20;)

# The below rules I added to discard all other replies:

pass tcp 10.1.1.50 80 -> any any (flags: A;)

pass tcp 10.1.1.50 80 -> any any (flags: RA;)

pass tcp 10.1.1.50 80 -> any any (flags: FA;)

....etc.... all other flag combos.....

#

#the final rules are to capture everything

log tcp any any <> 10.1.1.50 any

log udp any any <> 10.1.1.50 any

log icmp any any <> 10.1.1.50 any

So, the problem is I not only capture all the server HTTP status code

replies but all PUSH/ACKs from the server. I tried making the

pass tcp 10.1.1.50 80 -> any any (flags: AP; content: !"HTTP/1.1 "; depth: 20;)

into a log statement instead and getting rid of the "!" identifier, then

adding a pass statement:

pass tcp 10.1.1.50 80 > any any (flags: AP;) below it, but then I don't get

any packets with a PUSH/ACK.

Does this have something to do with the order of the rules. I'm assuming if

you put a pass statement in that would override a log statement above that

the pass statement would apply? If so, why doesn't my pass statement saying

all PUSH/ACKs without content HTTP/1.1 work, why am I still seeing ALL

PUSH/ACKs? This is beyond me, can't figure it out.... help

John 



---------------------------------
Do you Yahoo!?
Yahoo! Finance: Get your refund fast by filing online
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20040217/8177dad0/attachment.html>


More information about the Snort-sigs mailing list