[Snort-sigs] RE: Trying to capture web traffic

whipsmack whipsmack0 at ...144...
Tue Feb 17 09:34:05 EST 2004


Um... no..... I'm not the Snort expert by any means..... So, with the -o option, do the rules then have to be in any particular order (i.e. do the pass rules have to be above the log rules, or vice versa?)
 
I added the -o but I'm still getting all the PUSH/ACKs... just don't get it, it should be passing all PA without content HTTP/1.1... grrrrrr....

Paul Schmehl <pauls at ...1311...> wrote:


--On Tuesday, February 17, 2004 10:19 AM -0600 JMMel wrote:

> Anyone tried to tackle this yet, thanks!

John you obviously know what you're doing, so I expect the answer to this 
to be "of course", but you *are* starting snort with the -o switch so pass 
rules will be parsed first, right?

>
> John
>
> -----Original Message-----
> From: JMMel [mailto:jmelvin1 at ...480...]
> Sent: Monday, February 16, 2004 12:00 PM
> To: 'snort-sigs at lists.sourceforge.net'
> Subject: Trying to capture web traffic
>
> All,
>
> Brief synopsis: A rootkit is installed that initiates a reverse shell
> back to attacker when triggered by a crafted packet aimed at any port the
> victim has open. The reverse shell is TCP with a full handshake
> (although it's encrypted) so, I know the IP that is triggering the
> reverse shell. However, the IP changes daily (either dynamically, or RAS,
> or multiple owned systems, etc) so I can't set rules up to log by IP.
> Also, the victim is a public web server and they don't log every
> connection. When looking at the logs I have from FW's and victim I can't
> see what the trigger packet is that wakes up the reverse shell. The big
> issue is their IDS and FW only log web traffic that fits a particular
> signature string, otherwise port 80 inbound is dropped cause there is
> just so much of it.
>
> Problem: I figure the trigger packet is coming inbound to port 80 and
> hiding among tons of legit traffic, probably an HTTP continuation packet
> to try and spoof proxies and such.... it could be a GET or POST or HEAD or
> anything like that too, just don't know since the logs are not capturing
> this. Right now, I just don't see the precursor for when the victim
> imitates the reverse shell....
>
> So...I want to be able to log all data sent to the server to port 80, try
> to capture some server replies, but pass everything else on port 80. For
> this purpose 10.1.1.50 will be the server (victim):
>
> # This should capture almost all GETs, POSTs and HEADs, etc I would think
> log tcp any any -> 10.1.1.50 80 (flags: PA;)
> log tcp any any -> 10.1.1.50 80 (flags: SP;)
> # This should capture any data sent, odd but allowed per RFC
> log tcp any any -> 10.1.1.50 80 (flags: S; dsize: >1;)
> log tcp any any -> 10.1.1.50 90 (flags: A; dsize: >1;)
> #
> ....
> My BIG issue is this: How can I log some server replies but pass
> everything else. For instance, if I want to capture PUSH/ACKs with HTTP
> status code, BUT pass all other PA's how can I do it????
>
> # This doesn't seem to work, I would think ANY PUSH/ACK without the content
> # of HTTP/1.1 within the first 20 bytes of data would be passed.
> pass tcp 10.1.1.50 80 -> any any (flags: AP; content: !"HTTP/1.1 "; depth: 20;)
> # The below rules I added to discard all other replies:
> pass tcp 10.1.1.50 80 -> any any (flags: A;)
> pass tcp 10.1.1.50 80 -> any any (flags: RA;)
> pass tcp 10.1.1.50 80 -> any any (flags: FA;)
> ....etc.... all other flag combos.....
> #
> # the final rules are to capture everything
> log tcp any any <> 10.1.1.50 any
> log udp any any <> 10.1.1.50 any
> log icmp any any <> 10.1.1.50 any
>
> So, the problem is I not only capture all the server HTTP status code
> replies but all PUSH/ACKs from the server. I tried making the
> pass tcp 10.1.1.50 80 -> any any (flags: AP; content: !"HTTP/1.1 "; depth: 20;)
> into a log statement instead and getting rid of the "!" identifier, then
> adding a pass statement:
> pass tcp 10.1.1.50 80 -> any any (flags: AP;) below it, but then I don't
> get any packets with a PUSH/ACK.
>
> Does this have something to do with the order of the rules? I'm assuming
> if you put a pass statement in that would override a log statement above
> that the pass statement would apply? If so, why doesn't my pass
> statement saying all PUSH/ACKs without content HTTP/1.1 work, why am I
> still seeing ALL PUSH/ACKs? This is beyond me, can't figure it out....
> help
>
> John
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.552 / Virus Database: 344 - Release Date: 12/15/2003
>
>
> -------------------------------------------------------
> SF.Net is sponsored by: Speed Start Your Linux Apps Now.
> Build and deploy apps & Web services for Linux with
> a free DVD software kit from IBM. Click Now!
> http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs



Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu




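Added example, not part of the thread and not Snort's own code: a small Python model of how Snort 2.x picks the action for a packet, run over John's quoted rules and a handful of constructed packets between the server 10.1.1.50 and a made-up client 192.0.2.10. It assumes the action-group order documented for Snort 2.x (default Alert -> Pass -> Log; with -o, Pass -> Alert -> Log), first-match semantics within that order, exact-set matching for flags:, and the usual meaning of a negated content: with depth: (match only when the pattern is absent from the first N payload bytes). Activation/dynamic rules, flag modifiers and everything outside the rule subset in the thread are left out.

```python
import re
from dataclasses import dataclass
from typing import Optional

SERVER = "10.1.1.50"   # the victim web server from the thread
CLIENT = "192.0.2.10"  # constructed client address (documentation range)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flags as Snort letters, e.g. "PA" for PUSH/ACK
    payload: bytes = b""


@dataclass
class Rule:
    action: str         # pass / alert / log
    src: str
    sport: str
    direction: str      # "->" or "<>"
    dst: str
    dport: str
    flags: Optional[str] = None
    content: Optional[bytes] = None
    negate: bool = False        # content:!"..." matches only when the pattern is absent
    depth: Optional[int] = None
    dsize_gt: Optional[int] = None


RULE_RE = re.compile(
    r"(\w+)\s+tcp\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*(?:\((.*)\))?$")


def parse_rule(text: str) -> Rule:
    """Parse the subset of Snort rule syntax used in the thread (assumed grammar)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule: " + text)
    action, src, sport, direction, dst, dport, opts = m.groups()
    rule = Rule(action, src, sport, direction, dst, dport)
    for opt in (opts or "").split(";"):
        key, _, val = opt.strip().partition(":")
        key, val = key.strip(), val.strip()
        if key == "flags":
            rule.flags = val
        elif key == "content":
            if val.startswith("!"):
                rule.negate, val = True, val[1:]
            rule.content = val.strip('"').encode()
        elif key == "depth":
            rule.depth = int(val)
        elif key == "dsize" and val.startswith(">"):
            rule.dsize_gt = int(val[1:])
    return rule


def _endpoint(rule_addr: str, rule_port: str, addr: str, port: int) -> bool:
    return rule_addr in ("any", addr) and rule_port in ("any", str(port))


def header_matches(rule: Rule, pkt: Packet) -> bool:
    fwd = (_endpoint(rule.src, rule.sport, pkt.src, pkt.sport)
           and _endpoint(rule.dst, rule.dport, pkt.dst, pkt.dport))
    if rule.direction == "->":
        return fwd
    rev = (_endpoint(rule.src, rule.sport, pkt.dst, pkt.dport)
           and _endpoint(rule.dst, rule.dport, pkt.src, pkt.sport))
    return fwd or rev


def options_match(rule: Rule, pkt: Packet) -> bool:
    # flags:PA (or AP) means exactly P and A set; + and * modifiers are not modelled
    if rule.flags is not None and set(rule.flags) != set(pkt.flags):
        return False
    if rule.dsize_gt is not None and len(pkt.payload) <= rule.dsize_gt:
        return False
    if rule.content is not None:
        window = pkt.payload[:rule.depth] if rule.depth else pkt.payload
        found = rule.content in window
        if found == rule.negate:   # plain content needs a hit, negated content needs none
            return False
    return True


# Action-group order: Snort 2.x default is Alert -> Pass -> Log; -o makes it Pass -> Alert -> Log.
ORDER_DEFAULT = ("alert", "pass", "log")
ORDER_WITH_O = ("pass", "alert", "log")


def apply_rules(rules, pkt: Packet, order=ORDER_DEFAULT) -> Optional[str]:
    """First-match decision: walk the action groups in `order`, then rules in file order."""
    for action in order:
        for rule in rules:
            if rule.action == action and header_matches(rule, pkt) and options_match(rule, pkt):
                return action
    return None   # nothing matched: the packet is neither logged nor alerted on


# John's rules from the thread (the split rule joined onto one line)
RULES = [parse_rule(r) for r in [
    'log tcp any any -> 10.1.1.50 80 (flags: PA;)',
    'log tcp any any -> 10.1.1.50 80 (flags: SP;)',
    'log tcp any any -> 10.1.1.50 80 (flags: S; dsize: >1;)',
    'pass tcp 10.1.1.50 80 -> any any (flags: AP; content: !"HTTP/1.1 "; depth: 20;)',
    'pass tcp 10.1.1.50 80 -> any any (flags: A;)',
    'pass tcp 10.1.1.50 80 -> any any (flags: RA;)',
    'pass tcp 10.1.1.50 80 -> any any (flags: FA;)',
    'log tcp any any <> 10.1.1.50 any',
]]

# Constructed sample packets (not captured traffic)
PACKETS = {
    "client GET":         Packet(CLIENT, 40000, SERVER, 80, "PA", b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    "server status line": Packet(SERVER, 80, CLIENT, 40000, "PA", b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"),
    "server body chunk":  Packet(SERVER, 80, CLIENT, 40000, "PA", b"<html><body>...</body></html>"),
    "server bare ACK":    Packet(SERVER, 80, CLIENT, 40000, "A"),
    "server FIN/ACK":     Packet(SERVER, 80, CLIENT, 40000, "FA"),
    "client SYN":         Packet(CLIENT, 40001, SERVER, 80, "S"),
}


def decisions(order=ORDER_DEFAULT) -> dict:
    """Map each sample packet name to the action the rule set gives it."""
    return {name: apply_rules(RULES, pkt, order) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, action in decisions().items():
        print(f"{name:20s} -> {action}")
```

In this model the status-line reply is logged (the negated content does not match because "HTTP/1.1 " sits inside the first 20 bytes, so the packet falls through to the bidirectional log rule), the body continuation and the bare ACK/FIN-ACK replies are passed, and the client request is logged. Because the rule set contains only pass and log rules, the decision is the same with and without -o: in both orderings pass is evaluated before log, and -o only moves pass ahead of alert. Note also that a client SYN with no payload escapes the three port-80 log rules and is picked up only by the catch-all log rule at the end.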

