[Snort-sigs] SID 4638

Alex Kirk alex.kirk at ...435...
Mon Jun 4 09:29:44 EDT 2007


Paul Schmehl wrote:
> --On Friday, June 01, 2007 16:00:49 -0500 Paul Schmehl 
> <pauls at ...1311...> wrote:
>
>> --On Friday, June 01, 2007 22:19:27 +0200 rmkml <rmkml at ...324...> wrote:
>>
>>> and do you have false alert if you add ip_proto:46; on this rules ?
>>
>> I don't think that's possible, is it?  This rule is looking at the data
>> in a packet *not* at the IP header.  You would need to sort that out
>> first, and I don't think snort has that ability.  Or is the data going to
>> include the protocol somehow?  The tenth byte of the IP header would tell
>> you what the protocol is, but I don't think snort has rule syntax that
>> looks at that.  (I could definitely be wrong.)
>
> After reviewing the docs, I see that I am definitely wrong.  
> Furthermore, this would probably be an excellent improvement to this 
> rule.
>
> So I assume it would look like this, because you would want to check 
> for the protocol first and reject at the point if it doesn't match, 
> right?
>
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT RSVP 
> Protocol zero length object DoS attempt"; ip_proto:"46"; 
> content:"|01|"; depth:1; offset:11; byte_test:1,<,4,13; 
> pcre:"/^.{10}[\x14\x15]\x01.{1}[\x00-\x03]/sm"; 
> reference:url,www.frsirt.com/english/advisories/2005/0411; 
> classtype:attempted-dos; sid:4638; rev:3; )
>
> Or would you need to use the hex?
>
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT RSVP 
> Protocol zero length object DoS attempt"; ip_proto:"|2E|"; 
> content:"|01|"; depth:1; offset:11; byte_test:1,<,4,13; 
> pcre:"/^.{10}[\x14\x15]\x01.{1}[\x00-\x03]/sm"; 
> reference:url,www.frsirt.com/english/advisories/2005/0411; 
> classtype:attempted-dos; sid:4638; rev:3; )
>
> Or I suppose you could do:
>
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT RSVP 
> Protocol zero length object DoS attempt"; ip_proto:"rsvp"; 
> content:"|01|"; depth:1; offset:11; byte_test:1,<,4,13; 
> pcre:"/^.{10}[\x14\x15]\x01.{1}[\x00-\x03]/sm"; 
> reference:url,www.frsirt.com/english/advisories/2005/0411; 
> classtype:attempted-dos; sid:4638; rev:3; )

It turns out that the best way to go is:

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT RSVP Protocol zero length object DoS attempt"; ip_proto:46; content:"|01|"; depth:1; offset:11; byte_test:1,<,4,13; pcre:"/^.{10}[\x14\x15]\x01.{1}[\x00-\x03]/sm"; reference:url,www.frsirt.com/english/advisories/2005/0411; classtype:attempted-dos; sid:4638; rev:3;)

Having quotes around the number causes parser errors, and using the 
protocol number avoids any possible confusion when examining the packet 
(the likelihood of which is extremely low anyway, but it doesn't hurt to 
be safe). In any case, this is definitely a good addition to the rule, 
and it will be released in a forthcoming rulepack.

Alex Kirk
Research Analyst
Sourcefire, Inc.
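The following is an added example, not part of the list thread or of the Sourcefire rule set: a plain-Python model of the byte-level checks in SID 4638, run over hand-built packets, to show what the ip_proto:46 addition changes. It assumes that for an `alert ip` rule Snort measures content, byte_test and pcre offsets from the first byte after the IPv4 header, and the packets below are constructed test data (the RSVP-looking payload only needs the bytes the rule inspects to be right, it is not a faithful RSVP message).

```python
"""Byte-level model of Snort SID 4638 rev 3 (added example, not from the post).

Assumptions:
- content/byte_test/pcre offsets on an `alert ip` rule count from the first
  byte after the IPv4 header;
- all packets are constructed inline for the demonstration, not captures.
"""
import re
import struct

IPPROTO_RSVP = 46      # the value behind ip_proto:46
IPPROTO_UDP = 17

# pcre:"/^.{10}[\x14\x15]\x01.{1}[\x00-\x03]/sm" expressed as a bytes regex
RULE_PCRE = re.compile(rb"^.{10}[\x14\x15]\x01.{1}[\x00-\x03]", re.S | re.M)


def ipv4_protocol_and_payload(packet: bytes):
    """Return (protocol number, payload) for a raw IPv4 packet.

    The protocol field is the tenth byte of the header (offset 9); the
    payload begins after IHL * 4 bytes.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    return packet[9], packet[ihl:]


def payload_matches(payload: bytes) -> bool:
    """content:"|01|"; depth:1; offset:11; byte_test:1,<,4,13; pcre:..."""
    if len(payload) < 14:
        return False
    if payload[11:12] != b"\x01":        # content at offset 11, depth 1
        return False
    if not payload[13] < 4:              # byte_test:1,<,4,13
        return False
    return RULE_PCRE.search(payload) is not None


def sid4638(packet: bytes, require_ip_proto: bool = True) -> bool:
    """Rev 3 of the rule; require_ip_proto=False models the earlier revision
    that had no ip_proto keyword."""
    proto, payload = ipv4_protocol_and_payload(packet)
    if require_ip_proto and proto != IPPROTO_RSVP:
        return False                     # rejected before any payload inspection
    return payload_matches(payload)


def build_ipv4(proto: int, payload: bytes,
               src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02") -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) plus payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0, 0, 64, proto, 0, src, dst)
    return header + payload


# Constructed payload: an 8-byte RSVP-style common header followed by bytes
# chosen to satisfy the rule (0x14 at offset 10, 0x01 at offset 11, 0x00 at 13).
TRIGGER_PAYLOAD = bytes([
    0x10, 0x01, 0x00, 0x00, 0xFF, 0x00, 0x00, 0x10,  # offsets 0-7
    0x00, 0x00, 0x14, 0x01, 0x00, 0x00, 0x00, 0x00,  # offsets 8-15
])
# Same bytes with 0x08 at offset 13: byte_test and the pcre class both fail.
BENIGN_PAYLOAD = TRIGGER_PAYLOAD[:13] + b"\x08" + TRIGGER_PAYLOAD[14:]

RSVP_TRIGGER = build_ipv4(IPPROTO_RSVP, TRIGGER_PAYLOAD)
RSVP_BENIGN = build_ipv4(IPPROTO_RSVP, BENIGN_PAYLOAD)
# The identical bytes carried in a UDP datagram: only ip_proto tells them apart.
UDP_LOOKALIKE = build_ipv4(IPPROTO_UDP, TRIGGER_PAYLOAD)


def evaluate_all():
    """Return {name: (rev 3 result, result without ip_proto)} for the samples."""
    samples = {"rsvp_trigger": RSVP_TRIGGER,
               "rsvp_benign": RSVP_BENIGN,
               "udp_lookalike": UDP_LOOKALIKE}
    return {name: (sid4638(pkt), sid4638(pkt, require_ip_proto=False))
            for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (rev3, no_proto) in evaluate_all().items():
        print(f"{name:14s} rev3={rev3}  without ip_proto={no_proto}")
```

Running it shows the UDP lookalike alerting only under the old form of the rule, which is the false-positive class the ip_proto check removes; the benign RSVP sample fails at byte_test before the pcre is ever evaluated, which is also the cheaper ordering to keep in the real rule.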
