[Snort-sigs] SID 4638

Paul Schmehl pauls at ...1311...
Fri Jun 1 17:10:08 EDT 2007


--On Friday, June 01, 2007 16:00:49 -0500 Paul Schmehl <pauls at ...1311...> 
wrote:

> --On Friday, June 01, 2007 22:19:27 +0200 rmkml <rmkml at ...324...> wrote:
>
>> and do you have false alert if you add ip_proto:46; on this rules ?
>
> I don't think that's possible, is it?  This rule is looking at the data
> in a packet *not* at the IP header.  You would need to sort that out
> first, and I don't think snort has that ability.  Or is the data going to
> include the protocol somehow?  The tenth byte of the IP header would tell
> you what the protocol is, but I don't think snort has rule syntax that
> looks at that.  (I could definitely be wrong.)

After reviewing the docs, I see that I am definitely wrong.  Furthermore, 
this would probably be an excellent improvement to this rule.

So I assume it would look like this, because you would want to check for 
the protocol first and reject at the point if it doesn't match, right?

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT RSVP Protocol zero length object DoS attempt"; ip_proto:"46"; content:"|01|"; depth:1; offset:11; byte_test:1,<,4,13; pcre:"/^.{10}[\x14\x15]\x01.{1}[\x00-\x03]/sm"; reference:url,www.frsirt.com/english/advisories/2005/0411; classtype:attempted-dos; sid:4638; rev:3; )

Or would you need to use the hex?

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT RSVP Protocol zero length object DoS attempt"; ip_proto:"|2E|"; content:"|01|"; depth:1; offset:11; byte_test:1,<,4,13; pcre:"/^.{10}[\x14\x15]\x01.{1}[\x00-\x03]/sm"; reference:url,www.frsirt.com/english/advisories/2005/0411; classtype:attempted-dos; sid:4638; rev:3; )

Or I suppose you could do:

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT RSVP Protocol zero length object DoS attempt"; ip_proto:"rsvp"; content:"|01|"; depth:1; offset:11; byte_test:1,<,4,13; pcre:"/^.{10}[\x14\x15]\x01.{1}[\x00-\x03]/sm"; reference:url,www.frsirt.com/english/advisories/2005/0411; classtype:attempted-dos; sid:4638; rev:3; )

-- 
Paul Schmehl (pauls at ...1311...)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
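The message above turns on two facts: the IP protocol number sits in the tenth byte of the IPv4 header (index 9), and Snort's ip_proto option accepts either a number or a protocol name, so the cheap header check can run before any payload inspection. The following Python is an added illustration of that ordering and is not code from the list post or from the Snort project. It builds a constructed IPv4 packet around an RFC 2205 RSVP common header, reads the protocol byte, resolves a name or number the way ip_proto does (PROTO_NAMES is a constructed subset of the IANA registry standing in for the /etc/protocols lookup), and only then parses the RSVP header. All packet bytes are constructed for the example, not captured traffic.

```python
import socket
import struct

# Constructed subset of the IANA protocol-number registry; stands in for the
# /etc/protocols lookup used when ip_proto is given a name rather than a number.
PROTO_NAMES = {"icmp": 1, "tcp": 6, "udp": 17, "rsvp": 46}


def ipv4_checksum(header):
    """One's-complement checksum over the IPv4 header bytes."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(proto, payload, src="10.0.0.1", dst="10.0.0.2", ttl=64):
    """Constructed IPv4 packet (20-byte header, no options) carrying `payload`."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    # Header checksum occupies bytes 10-11; fill it in after packing.
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_rsvp_common_header(msg_type, length, version=1, flags=0, send_ttl=64):
    """RSVP common header per RFC 2205 section 3.1.1 (RSVP checksum left zero)."""
    return struct.pack("!BBHBBH", (version << 4) | flags, msg_type, 0, send_ttl, 0, length)


def ip_protocol(packet):
    """The IPv4 protocol field is byte index 9, the 'tenth byte' of the header."""
    return packet[9]


def ip_payload(packet):
    """Skip the IP header using IHL so that IP options do not shift the payload."""
    ihl = (packet[0] & 0x0F) * 4
    return packet[ihl:]


def ip_proto_matches(packet, wanted):
    """Emulate Snort's ip_proto option: `wanted` may be a number or a protocol name."""
    if isinstance(wanted, str):
        wanted = int(wanted) if wanted.isdigit() else PROTO_NAMES[wanted.lower()]
    return ip_protocol(packet) == wanted


def parse_rsvp_common_header(payload):
    """Return the RSVP common header fields, or None if the payload is too short."""
    if len(payload) < 8:
        return None
    vf, msg_type, _csum, send_ttl, _reserved, length = struct.unpack("!BBHBBH", payload[:8])
    return {"version": vf >> 4, "flags": vf & 0x0F, "msg_type": msg_type,
            "send_ttl": send_ttl, "length": length}


def classify(packet):
    """Protocol check first (one header byte); parse the RSVP header only if it passes."""
    if not ip_proto_matches(packet, "rsvp"):
        return "not-rsvp"
    hdr = parse_rsvp_common_header(ip_payload(packet))
    if hdr is None:
        return "rsvp-truncated"
    return "rsvp-path" if hdr["msg_type"] == 1 else "rsvp-other"


if __name__ == "__main__":
    pkt = build_ipv4_packet(PROTO_NAMES["rsvp"], build_rsvp_common_header(msg_type=1, length=8))
    print("protocol byte:", ip_protocol(pkt), "->", classify(pkt))
```

The early return in classify is the same economy the ip_proto option buys in a rule: a non-RSVP packet is rejected on one header byte and never reaches the content, byte_test or pcre checks. The truncated-payload branch shows why a parser should bound its reads on the IP payload length rather than trust the RSVP length field.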