[Snort-sigs] RE: Trying to capture web traffic

Paul Schmehl pauls at ...1311...
Tue Feb 17 09:12:24 EST 2004

--On Tuesday, February 17, 2004 10:19 AM -0600 JMMel <jmelvin1 at ...480...> 

> Anyone tried to tackle this yet, thanks!

John you obviously know what you're doing, so I expect the answer to this 
to be "of course", but you *are* starting snort with the -o switch so pass 
rules will be parsed first, right?

> John
>  -----Original Message-----
> From: 	JMMel [mailto:jmelvin1 at ...480...]
> Sent:	Monday, February 16, 2004 12:00 PM
> To:	'snort-sigs at lists.sourceforge.net'
> Subject:	Trying to capture web traffic
> All,
> Brief synopsis:  A rootkit is installed that initiates a reverse shell
> back to attacker when triggered by a crafted packet aimed at any port the
> victim has open.  The reverse shell is TCP with a full handshake
> (although it's encrypted) so, I know the IP that is triggering the
> reverse shell. However, the IP changes daily (either dynamically, or RAS,
> or multiple owned systems, etc) so I can't set rules up to log by IP.
> Also, the victim is a public web server and they don't log every
> connection.  When looking at the logs I have from FW's and victim I can't
> see what the trigger packet is that wakes up the reverse shell.  The big
> issue is their IDS and FW only log web traffic that fits a particular
> signature string, otherwise port 80 inbound is dropped cause there is
> just so much of it.
> Problem:  I figure the trigger packet is coming inbound to port 80 and
> hiding among tons of legit traffic, probably an HTTP continuation packet
> to try and spoof proxies and such.... it could be a GET or POST or HEAD or
> anything like that too, just don't know since the logs are not capturing
> this.  Right now, I just don't see the precursor for when the victim
> imitates the reverse shell....
> So...I want to be able to log all data sent to the server to port 80, try
> to capture some server replies, but pass everything else on port 80.  For
> this purpose will be the server (victim):
># This should capture almost all GETs, POSTs and HEADs, etc I would think
> log tcp any any -> 80 (flags: PA;)
> log tcp any any -> 80 (flags: SP;)
># This should capture any data sent, odd but allowed per RFC
> log tcp any any -> 80 (flags: S; dsize: >1;)
> log tcp any any -> 90 (flags: A: dsize: >1;)
> ....
> My BIG issue is this:  How can I log some server replies but pass
> everything else.  For instance, if I want to capture PUSH/ACKs with HTTP
> status code, BUT pass all other PA's how can I do it????
># This doesn't seem to work, I would think ANY PUSH/ACK without the content
> of HTTP/1.1 within the first 20 bytes of data would be passed.
> pass tcp 80 -> any any (flags: AP; content: !"HTTP/1.1 "; depth:
> 20;)
>#  The below rules I added to discard all other replies:
> pass tcp 80 -> any any (flags: A;)
> pass tcp 80 -> any any (flags: RA;)
> pass tcp 80 -> any any (flags: FA;)
> ....etc.... all other flag combos.....
># the final rules are to capture everything
> log tcp any any <> any
> log udp any any <> any
> log icmp any any <> any
> So, the problem is I not only capture all the server HTTP status code
> replies but all PUSH/ACKs from the server.  I tried making the
> pass tcp 80 -> any any (flags: AP; content: !"HTTP/1.1 "; depth:
> 20;)
> into a log statement instead and getting rid of the "!" identifier, then
> adding a pass statement:
> pass tcp 80 > any any (flags: AP;) below it, but then I don't
> get any packets with a PUSH/ACK.
> Does this have something to do with the order of the rules.  I'm assuming
> if you put a pass statement in that would override a log statement above
> that the pass statement would apply?  If so, why doesn't my pass
> statement saying all PUSH/ACKs without content HTTP/1.1 work, why am I
> still seeing ALL PUSH/ACKs?  This is beyond me, can't figure it out....
> help
> John
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.552 / Virus Database: 344 - Release Date: 12/15/2003
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.552 / Virus Database: 344 - Release Date: 12/15/2003
> -------------------------------------------------------
> SF.Net is sponsored by: Speed Start Your Linux Apps Now.
> Build and deploy apps & Web services for Linux with
> a free DVD software kit from IBM. Click Now!
> http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member

More information about the Snort-sigs mailing list