[Snort-sigs] Urgent Pointer

Geoffrey Serrao gserrao at ...435...
Fri Jul 1 15:19:28 EDT 2016


Hey Ray,

I've written a couple of shared object rules as an experiment to see if
what you needed could be accomplished. As it turns out, it can be done!

Sid 3:1000000 checks for a nonzero URG pointer field without URG flag set.
Sid 3:1000001 checks for nonzero ACK field without ACK flag set.

##### 13.pcap #####
        [116:422:2] (snort_decoder) WARNING: TCP PDU missing ack for established session (alerts: 2)
        [3:1000001:2] PROTOCOL-OTHER TCP packet with nonzero ACK number ACK flag not set (alerts: 2)
        [3:1000000:2] PROTOCOL-OTHER TCP packet with nonzero URG pointer and URG flag not set (alerts: 2)
#####


Note: in order for the decoder rule 116:422 to fire I believe that the
PUSH, URG, or FIN flag must be set in the packet:

decode.c, lines 5577-5580:

    if ( Event_Enabled(DECODE_TCP_MUST_ACK) )
        if ( (p->tcph->th_flags & (TH_FIN|TH_PUSH|TH_URG)) &&
            !(p->tcph->th_flags & TH_ACK) )
            DecoderEvent(p, EVARGS(TCP_MUST_ACK), 1, 1);


But I think it's possible that a covert channel could send messages using
the ack number without setting any of those flags.

On Thu, Jun 30, 2016 at 9:06 PM, Pittigher, Raymond <RPITTIGH at ...4165...>
wrote:

> I have attached a pcap file. What I would like to do is run captures
> through snort so I can look for covert channels. We assume people might be
> using these fields, and maybe others, to transmit data to another node. It
> would be nice to automatically detect when things like the urgent pointer
> is set without the flag, or having ack data without the flag.
>
>
> -
> Ray Pittigher
> --Harris
> --phone 973-284-2275
> --email raymond.pittigher at ...4165...
> ------------------------------
> *From:* Geoffrey Serrao <gserrao at ...435...>
> *Sent:* Thursday, June 30, 2016 8:54 PM
> *To:* Pittigher, Raymond (U.S. Person)
> *Cc:* Al Lewis (allewi); snort-sigs at lists.sourceforge.net
>
> *Subject:* Re: [Snort-sigs] Urgent Pointer
>
> Hey Ray,
>
> Sounds like an interesting problem. Do you have a pcap you could share?
>
> The uint16 that is the urgent pointer is not available to analyze in a
> text rule, but the URG flag can be checked in a text rule. However, it
> might be possible to write a shared object rule to check for a nonzero
> urgent pointer and alert/block:
>
> typedef struct _TCPHeader
> {
>     uint16_t source_port;
>     uint16_t destination_port;
>     uint32_t sequence;
>     uint32_t acknowledgement;
>     uint8_t offset_reserved;
>     uint8_t flags;
>     uint16_t window;
>     uint16_t checksum;
>     uint16_t urgent_pointer;
> } TCPHeader;
>
>
> You can also configure the normalize preprocessor to zero this pointer if
> the URG flag is not set. This won't generate an alert (though it will be
> reflected in the normalizer stats) but since this is related here is the
> option to set:
>
> req_urg:  clear the urgent pointer if the urgent flag is not set.
>
> On Thu, Jun 30, 2016 at 3:34 PM, Pittigher, Raymond <RPITTIGH at ...4165...>
> wrote:
>
>> Here are 2 captures of the things I am trying to catch
>>
>> -
>> Ray Pittigher
>> --Harris
>> --phone 973-284-2275
>> --email raymond.pittigher at ...4165...
>>
>> ________________________________________
>> From: Al Lewis (allewi) <allewi at ...3865...>
>> Sent: Thursday, June 30, 2016 2:03 PM
>> To: Pittigher, Raymond (U.S. Person); snort-sigs at lists.sourceforge.net
>> Subject: Re: [Snort-sigs] Urgent Pointer
>>
>> Can you provide an example of the rule/pcap and what you are trying to do?
>>
>> Thanks.
>>
>> Albert Lewis
>> QA SNORT/Sourcefire
>> SOURCEfire, Inc. now part of Cisco
>> 9780 Patuxent Woods Drive
>> Columbia, MD 21046
>> Email: allewi at ...3865...
>>
>> On 6/30/16, 1:55 PM, "Pittigher, Raymond" <RPITTIGH at ...4165...> wrote:
>>
>> >I tried the ack keyword but I found no option for !0 or looking for
>> anything but zero. It seems to either want 0 or an exact number.
>> >
>> >
>> >-
>> >Ray Pittigher
>> >--Harris
>> >--phone 973-284-2275
>> >--email raymond.pittigher at ...4165...
>> >
>> >________________________________________
>> >From: Al Lewis (allewi) <allewi at ...3865...>
>> >Sent: Thursday, June 30, 2016 1:49 PM
>> >To: Pittigher, Raymond (U.S. Person); snort-sigs at lists.sourceforge.net
>> >Subject: Re: [Snort-sigs] Urgent Pointer
>> >
>> >Offset is used for content.
>> >
>> >Try this:
>> >
>> >For flags:
>> http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node33.html#SECTION00468000000000000000
>> >
>> >For ack number:
>> http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node33.html#SECTION004612000000000000000
>> >
>> >
>> >Thanks.
>> >
>> >Albert Lewis
>> >QA SNORT/Sourcefire
>> >SOURCEfire, Inc. now part of Cisco
>> >9780 Patuxent Woods Drive
>> >Columbia, MD 21046
>> >Email: allewi at ...3865...
>> >
>> >On 6/30/16, 1:29 PM, "Pittigher, Raymond" <RPITTIGH at ...4165...> wrote:
>> >
>> >>I am trying, but have not succeeded yet, to read data in the "urgent
>> pointer" or "acknowledgement number" fields. I am trying with the offset
>> option assuming it must be a negative number? I am using snort on the
>> command line with a pcap file. Anybody ever do this?
>>
>> >>------------------------------------------------------------------------------
>> >>Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
>> >>Francisco, CA to explore cutting-edge tech and listen to tech luminaries
>> >>present their vision of the future. This family event has something for
>> >>everyone, including kids. Get more information and register today.
>> >>http://sdm.link/attshape
>> >>_______________________________________________
>> >>Snort-sigs mailing list
>> >>Snort-sigs at lists.sourceforge.net
>> >>https://lists.sourceforge.net/lists/listinfo/snort-sigs
>> >>http://www.snort.org
>> >>
>> >>
>> >>Please visit http://blog.snort.org for the latest news about Snort!
>>
>>
>>
>
>
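As an added illustration (not Geoffrey's attached SO rule or any Snort code), here is a stand-alone C check that applies the two conditions described above, nonzero urgent pointer without URG and nonzero ack number without ACK, together with the decoder's 116:422 condition, to a raw TCP header laid out as the _TCPHeader struct quoted in the thread. The three sample headers are constructed for the example and are not taken from Ray's pcaps.

```c
#include <stddef.h>
#include <stdint.h>

/* TCP flag bits, same values as Snort's decode.c */
#define TH_FIN  0x01
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20

/* Findings as a bitmask, so one header can trip more than one check */
#define DET_URG_PTR_NO_URG    0x1  /* nonzero urgent pointer, URG clear: what sid 3:1000000 looks for */
#define DET_ACK_NUM_NO_ACK    0x2  /* nonzero ack number, ACK clear: what sid 3:1000001 looks for */
#define DET_DECODER_MUST_ACK  0x4  /* FIN/PSH/URG without ACK: the decoder's 116:422 condition */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Inspect a raw TCP header in network byte order (field offsets follow the
 * _TCPHeader struct quoted in the thread). Returns a DET_* bitmask, or -1
 * when fewer than the 20 fixed header bytes are present. */
int check_tcp_header(const uint8_t *hdr, size_t len)
{
    if (hdr == NULL || len < 20) return -1;
    uint32_t ack   = rd32(hdr + 8);   /* acknowledgement */
    uint8_t  flags = hdr[13];         /* flags */
    uint16_t urgp  = rd16(hdr + 18);  /* urgent_pointer */
    int hits = 0;
    if (urgp != 0 && !(flags & TH_URG)) hits |= DET_URG_PTR_NO_URG;
    if (ack != 0 && !(flags & TH_ACK))  hits |= DET_ACK_NUM_NO_ACK;
    if ((flags & (TH_FIN | TH_PUSH | TH_URG)) && !(flags & TH_ACK))
        hits |= DET_DECODER_MUST_ACK;
    return hits;
}

/* Constructed sample headers (not from the pcaps in the thread). */
/* Flags 0x00, ack "ABCD", urgent pointer 0x0042: both SO-rule checks hit, decoder stays quiet. */
const uint8_t HDR_COVERT[20] = {0x04,0xD2, 0x00,0x50, 0x00,0x00,0x00,0x01, 0x41,0x42,0x43,0x44,
                                0x50, 0x00, 0xFF,0xFF, 0x00,0x00, 0x00,0x42};
/* Ordinary SYN/ACK (flags 0x12): nonzero ack is legitimate, urgent pointer is zero. */
const uint8_t HDR_SYNACK[20] = {0x00,0x50, 0x04,0xD2, 0x00,0x00,0x10,0x00, 0x00,0x00,0x00,0x02,
                                0x50, 0x12, 0xFF,0xFF, 0x00,0x00, 0x00,0x00};
/* FIN with no ACK (flags 0x01), ack and urgent pointer zero: only the decoder condition applies. */
const uint8_t HDR_FIN_ONLY[20] = {0x04,0xD2, 0x00,0x50, 0x00,0x00,0x00,0x09, 0x00,0x00,0x00,0x00,
                                  0x50, 0x01, 0xFF,0xFF, 0x00,0x00, 0x00,0x00};
```

The first header is the case Geoffrey describes: no FIN, PSH or URG set, so 116:422 never fires, yet both the urgent-pointer and ack-number checks do.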
-------------- next part --------------
A non-text attachment was scrubbed...
Name: protocol-other_covert-channel-urg.c
Type: text/x-csrc
Size: 6498 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20160701/a565ff25/attachment.c>

