[Snort-sigs] Urgent Pointer

Pittigher, Raymond RPITTIGH at ...4165...
Fri Jul 1 19:00:51 EDT 2016


Thanks, I will have to give it a try next week when I get back in.


-
Ray Pittigher
--Harris
--phone 973-284-2275
--email raymond.pittigher at ...4165...
________________________________
From: Geoffrey Serrao <gserrao at ...435...>
Sent: Friday, July 1, 2016 3:19 PM
To: Pittigher, Raymond (U.S. Person)
Cc: Al Lewis (allewi); snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Urgent Pointer

Hey Ray,

I've written a couple of shared object rules as an experiment to see if what you needed could be accomplished. As it turns out, it can be done!

Sid 3:1000000 checks for a nonzero URG pointer field without URG flag set.
Sid 3:1000001 checks for nonzero ACK field without ACK flag set.

##### 13.pcap #####
        [116:422:2] (snort_decoder) WARNING: TCP PDU missing ack for established session (alerts: 2)
        [3:1000001:2] PROTOCOL-OTHER TCP packet with nonzero ACK number ACK flag not set (alerts: 2)
        [3:1000000:2] PROTOCOL-OTHER TCP packet with nonzero URG pointer and URG flag not set (alerts: 2)
#####


Note: in order for the decoder rule 116:422 to fire I believe that the PUSH, URG, or FIN flag must be set in the packet:

decode.c, line 5577:
    if ( Event_Enabled(DECODE_TCP_MUST_ACK) )
        if ( (p->tcph->th_flags & (TH_FIN|TH_PUSH|TH_URG)) &&
            !(p->tcph->th_flags & TH_ACK) )
            DecoderEvent(p, EVARGS(TCP_MUST_ACK), 1, 1);


But I think it's possible that a covert channel could send messages using the ack number without setting any of those flags.

On Thu, Jun 30, 2016 at 9:06 PM, Pittigher, Raymond <RPITTIGH at ...4165...> wrote:

I have attached a pcap file. What I would like to do is run captures through snort so I can look for covert channels. We assume people might be using these fields, and maybe others, to transmit data to another node. It would be nice to automatically detect when things like the urgent pointer are set without the flag, or having ack data without the flag.


-
Ray Pittigher
--Harris
--phone 973-284-2275
--email raymond.pittigher at ...4165...
________________________________
From: Geoffrey Serrao <gserrao at ...435...>
Sent: Thursday, June 30, 2016 8:54 PM
To: Pittigher, Raymond (U.S. Person)
Cc: Al Lewis (allewi); snort-sigs at lists.sourceforge.net

Subject: Re: [Snort-sigs] Urgent Pointer

Hey Ray,

Sounds like an interesting problem. Do you have a pcap you could share?

The uint16 that is the urgent pointer is not available to analyze in a text rule, but the URG flag can be checked in a text rule. However, it might be possible to write a shared object rule to check for a nonzero urgent pointer and alert/block:

typedef struct _TCPHeader
{
    uint16_t source_port;
    uint16_t destination_port;
    uint32_t sequence;
    uint32_t acknowledgement;
    uint8_t offset_reserved;
    uint8_t flags;
    uint16_t window;
    uint16_t checksum;
    uint16_t urgent_pointer;
} TCPHeader;


You can also configure the normalize preprocessor to zero this pointer if the URG flag is not set. This won't generate an alert (though it will be reflected in the normalizer stats) but since this is related here is the option to set:

req_urg:  clear the urgent pointer if the urgent flag is not set.

On Thu, Jun 30, 2016 at 3:34 PM, Pittigher, Raymond <RPITTIGH at ...4165...> wrote:
Here are 2 captures of the things I am trying to catch



-
Ray Pittigher
--Harris
--phone 973-284-2275
--email raymond.pittigher at ...4165...

________________________________________
From: Al Lewis (allewi) <allewi at ...3865...>
Sent: Thursday, June 30, 2016 2:03 PM
To: Pittigher, Raymond (U.S. Person); snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Urgent Pointer

Can you provide an example of the rule/pcap and what you are trying to do?

Thanks.

Albert Lewis
QA SNORT/Sourcefire
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Email: allewi at ...3865...

On 6/30/16, 1:55 PM, "Pittigher, Raymond" <RPITTIGH at ...4165...> wrote:

>I tried the ack keyword but I found no option for !0 or looking for anything but zero. It seems to either want 0 or an exact number.
>
>
>-
>Ray Pittigher
>--Harris
>--phone 973-284-2275
>--email raymond.pittigher at ...4165...
>
>________________________________________
>From: Al Lewis (allewi) <allewi at ...3865...>
>Sent: Thursday, June 30, 2016 1:49 PM
>To: Pittigher, Raymond (U.S. Person); snort-sigs at lists.sourceforge.net
>Subject: Re: [Snort-sigs] Urgent Pointer
>
>Offset is used for content.
>
>Try this:
>
>For flags: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node33.html#SECTION00468000000000000000
>
>For ack number: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node33.html#SECTION004612000000000000000
>
>
>Thanks.
>
>Albert Lewis
>QA SNORT/Sourcefire
>SOURCEfire, Inc. now part of Cisco
>9780 Patuxent Woods Drive
>Columbia, MD 21046
>Email: allewi at ...3865...
>
>On 6/30/16, 1:29 PM, "Pittigher, Raymond" <RPITTIGH at ...4165...> wrote:
>
>>I am trying, but have not succeeded yet, to read data in the "urgent pointer" or "acknowledgement number" fields. I am trying with the offset option assuming it must be a negative number? I am using snort on the command line with a pcap file. Anybody ever do this?
>>------------------------------------------------------------------------------
>>Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
>>Francisco, CA to explore cutting-edge tech and listen to tech luminaries
>>present their vision of the future. This family event has something for
>>everyone, including kids. Get more information and register today.
>>http://sdm.link/attshape
>>_______________________________________________
>>Snort-sigs mailing list
>>Snort-sigs at lists.sourceforge.net
>>https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>http://www.snort.org
>>
>>
>>Please visit http://blog.snort.org for the latest news about Snort!

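The two header anomalies the thread settles on (a nonzero urgent pointer with URG clear, a nonzero acknowledgement number with ACK clear) and the FIN/PSH/URG-without-ACK condition from decode.c can be checked offline on a capture before committing to a shared object rule. The script below is an added example written for this page; it is not Snort code and not the rules Geoffrey wrote. It reads a classic libpcap file from bytes with struct (Ethernet, IPv4, TCP; microsecond magic, no VLAN tags assumed), decodes the TCP header in the field order of the TCPHeader struct quoted above, and reports which of the three conditions each packet matches. The finding labels, the sample packets and the build_sample_pcap() helper are constructed for the example so it runs without a real pcap:

```python
"""Offline check of TCP header anomalies discussed in the Snort-sigs thread.

Added example, not Snort's code: walks a classic pcap byte string and reports
  - nonzero urgent pointer with URG flag clear   (the sid 3:1000000 condition)
  - nonzero ACK number with ACK flag clear       (the sid 3:1000001 condition)
  - FIN/PSH/URG set without ACK                  (the decoder 116:422 condition)
"""
import struct

# TCP flag bits, same values and names as Snort's decode.c uses
TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Constructed labels for the three conditions
URG_NO_FLAG = "nonzero urgent pointer, URG flag not set"
ACK_NO_FLAG = "nonzero ACK number, ACK flag not set"
MUST_ACK = "FIN/PSH/URG set without ACK"


def check_tcp_header(tcp):
    """Return the conditions matched by one raw TCP header (>= 20 bytes).

    Unpack order follows the TCPHeader struct quoted in the thread: ports,
    sequence, acknowledgement, offset/reserved, flags, window, checksum,
    urgent pointer. All fields are network byte order.
    """
    (_sport, _dport, _seq, ack, _off, flags,
     _window, _csum, urg_ptr) = struct.unpack("!HHIIBBHHH", tcp[:20])
    findings = []
    if urg_ptr != 0 and not flags & TH_URG:
        findings.append(URG_NO_FLAG)
    if ack != 0 and not flags & TH_ACK:
        findings.append(ACK_NO_FLAG)
    # Same test as the decode.c snippet: PUSH, URG or FIN present but no ACK.
    if flags & (TH_FIN | TH_PUSH | TH_URG) and not flags & TH_ACK:
        findings.append(MUST_ACK)
    return findings


def iter_tcp_headers(pcap):
    """Yield the 20-byte TCP header of each Ethernet/IPv4/TCP record.

    Assumes a classic pcap (24-byte global header, microsecond magic) with
    link type Ethernet and no VLAN tagging; other records are skipped.
    """
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    pos = 24
    while pos + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        pos += 16
        frame = pcap[pos:pos + incl_len]
        pos += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 20:                  # not TCP, or truncated
            continue
        yield ip[ihl:ihl + 20]


def scan_pcap(pcap):
    """Return [(packet_index, [findings...]), ...] for every TCP packet."""
    return [(i, check_tcp_header(tcp)) for i, tcp in enumerate(iter_tcp_headers(pcap))]


# --- constructed sample capture (not a real pcap from the thread) -------------
def _tcp(flags, ack=0, urg=0):
    # src port 40000 -> dst port 80, seq 1, data offset 5 words, window 8192, checksum 0
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, ack, 5 << 4, flags, 8192, 0, urg)


def _frame(tcp):
    # minimal IPv4 header (no options) inside an Ethernet II frame, type 0x0800
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_sample_pcap():
    """Five constructed packets: two normal, three exhibiting the anomalies."""
    frames = [
        _frame(_tcp(TH_SYN)),                        # normal SYN, ack 0, urg 0
        _frame(_tcp(TH_ACK, ack=1000)),              # normal ACK
        _frame(_tcp(TH_ACK, ack=1000, urg=0x4142)),  # urgent pointer set, URG clear
        _frame(_tcp(TH_SYN, ack=0x41424344)),        # ack number set, ACK clear
        _frame(_tcp(TH_PUSH, ack=1)),                # PSH without ACK (116:422 case too)
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header, linktype 1
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for idx, found in scan_pcap(build_sample_pcap()):
        print(f"packet {idx}: {found or 'clean'}")
```

To run it over a real capture, replace build_sample_pcap() with open(path, "rb").read(). Note that a plain SYN carries ack 0 and no ACK flag, so it does not trip the ACK check; packet 4 shows why the decoder event alone is not enough, since a segment with none of FIN/PSH/URG set would carry the same nonzero acknowledgement number without triggering 116:422.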

