[Snort-users] ICMP-Tunneling Preprocessor to IT-Rule

Thomas Walpuski thomas.walpuski at ...158...
Mon Jan 15 12:02:29 EST 2001


I first wanted to write an ICMP-Tunneling rule, but I did not know how, because it is impossible to say: "All packets with a payload that does NOT include THIS are ICMP tunnelings". So I wrote this Snort preprocessor plugin:

<spp_icmp_tunnel.h>
#ifndef __SPP_ICMP_TUNNEL_H__
#define __SPP_ICMP_TUNNEL_H__

#include "snort.h"

void SetupIcmpTunnel(void);
void IcmpTunnelInit(u_char *);
void IcmpTunnelPreprocFunction(Packet *);

#endif	/* __SPP_ICMP_TUNNEL_H__ */

<spp_icmp_tunnel.c>

#define MODNAME "spp_icmp_tunnel"

#include <stdio.h>
#include <string.h>
#include "spp_icmp_tunnel.h"

/* Offset into the echo payload where the check starts, and the bytes a
 * normal ping is expected to carry there (tied to the ping implementation
 * that generated the traffic). */
#define TUNNEL_CHECK_OFFSET 23
#define TUNNEL_PATTERN      "!\"#$%&'()*+,-./01234567"
#define TUNNEL_PATTERN_LEN  (sizeof(TUNNEL_PATTERN) - 1)

void SetupIcmpTunnel(void)
{
	/* Registers the "preprocessor icmptunnel" config keyword with Snort. */
	RegisterPreprocessor("icmptunnel", IcmpTunnelInit);
}

void IcmpTunnelInit(u_char *args)
{
	/* No arguments are parsed; just hook the function into the preprocessor list. */
	AddFuncToPreprocList(IcmpTunnelPreprocFunction);
}

void IcmpTunnelPreprocFunction(Packet *p)
{
	const u_char *payload;

	/* Only decoded IPv4 ICMP echo requests and echo replies are of interest;
	 * p->icmph is also checked so a truncated packet cannot dereference NULL. */
	if(!(p->iph && p->icmph && p->iph->ip_proto == IPPROTO_ICMP
	     && (p->icmph->type == ICMP_ECHOREPLY || p->icmph->type == ICMP_ECHO)))
	{
		return;
	}

	/* The packet must carry enough payload to compare, otherwise the
	 * comparison reads past the end of the captured packet. */
	if(p->dsize < TUNNEL_CHECK_OFFSET + TUNNEL_PATTERN_LEN)
	{
		return;
	}

	/* Use a local pointer: advancing p->data itself would corrupt the packet
	 * for every preprocessor and for the detection engine that run after this
	 * one. memcmp instead of strncmp because the payload is binary and may
	 * contain NUL bytes. */
	payload = p->data + TUNNEL_CHECK_OFFSET;

	/* printf only reaches stdout; a production preprocessor would raise this
	 * through Snort's own alerting path instead. */
	if(memcmp(payload, TUNNEL_PATTERN, TUNNEL_PATTERN_LEN) != 0)
	{
		printf("ICMP-Tunneling Alert\n");
	}
}

If there is a way to write a rule instead of this spp, please tell me how! If it's impossible, can't someone make it possible?
-- 
Thomas Walpuski

OpenBSD - Free, Functional, Secure
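Added example (editor's code, not from the original post or the Snort project): the same payload check as the preprocessor above, but as a stand-alone C program that decodes constructed IPv4/ICMP datagrams so the logic can be exercised without Snort. It keeps the post's offset 23 and the `!`..`7` byte pattern as assumptions about the ping implementation; the sample packets, the `classify_*` and `demo_*` names and the `build_icmp` helper are constructed here and not from the post. Unlike the posted code it bounds-checks the payload before comparing and never reads past a short packet. (Later Snort releases added negated content matches of the form `content:!"..."`, which is the rule-level construct the post asks about; Snort 1.x at the time of the post had none.)

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IPV4_HDR_LEN     20
#define ICMP_ECHO_HDR    8     /* type, code, checksum, id, seq */
#define ICMP_ECHOREPLY_T 0
#define ICMP_UNREACH_T   3
#define ICMP_ECHO_T      8

/* Offset into the echo payload where the post's check starts, and the bytes it
 * expects there. Assumption carried over from the post: both depend on which
 * ping implementation generated the traffic. */
#define PAT_OFFSET 23
static const unsigned char expected_pattern[] = "!\"#$%&'()*+,-./01234567";
#define PAT_LEN (sizeof(expected_pattern) - 1)

enum verdict { NOT_ECHO, NORMAL_PING, SUSPECT_TUNNEL, TOO_SHORT };

/* Classify an echo payload: payload points just past the ICMP echo header. */
enum verdict classify_echo_payload(const unsigned char *payload, size_t plen)
{
    /* Bounds check first: the posted strncmp read past short packets. */
    if (plen < PAT_OFFSET + PAT_LEN)
        return TOO_SHORT;
    /* memcmp rather than strncmp: the payload is binary and may contain NUL. */
    if (memcmp(payload + PAT_OFFSET, expected_pattern, PAT_LEN) == 0)
        return NORMAL_PING;
    return SUSPECT_TUNNEL;
}

/* Walk a raw IPv4 datagram (IHL-aware), require protocol 1 (ICMP) and an
 * echo/echo-reply type, then hand the payload to the classifier. */
enum verdict classify_ipv4_packet(const unsigned char *pkt, size_t len)
{
    if (len < IPV4_HDR_LEN || (pkt[0] >> 4) != 4)
        return NOT_ECHO;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;       /* header length incl. options */
    if (ihl < IPV4_HDR_LEN || len < ihl + ICMP_ECHO_HDR)
        return NOT_ECHO;
    if (pkt[9] != 1)                                 /* IPPROTO_ICMP */
        return NOT_ECHO;
    const unsigned char *icmp = pkt + ihl;
    if (icmp[0] != ICMP_ECHO_T && icmp[0] != ICMP_ECHOREPLY_T)
        return NOT_ECHO;
    return classify_echo_payload(icmp + ICMP_ECHO_HDR, len - ihl - ICMP_ECHO_HDR);
}

/* Build a minimal IPv4 + ICMP datagram into buf (no options, checksums left
 * zero; the classifier does not verify them). Returns the total length. */
static size_t build_icmp(unsigned char *buf, unsigned char type,
                         const unsigned char *payload, size_t plen)
{
    size_t total = IPV4_HDR_LEN + ICMP_ECHO_HDR + plen;
    memset(buf, 0, IPV4_HDR_LEN + ICMP_ECHO_HDR);
    buf[0] = 0x45;                                   /* IPv4, IHL = 5 */
    buf[2] = (unsigned char)(total >> 8);
    buf[3] = (unsigned char)total;
    buf[8] = 64;                                     /* TTL */
    buf[9] = 1;                                      /* ICMP */
    buf[IPV4_HDR_LEN] = type;
    memcpy(buf + IPV4_HDR_LEN + ICMP_ECHO_HDR, payload, plen);
    return total;
}

/* Constructed payload shaped the way the post expects: 8 bytes of
 * timestamp-style filler, then a rising byte sequence that puts '!' (0x21) at
 * offset 23 and '7' (0x37) at offset 45. */
enum verdict demo_normal_ping(void)
{
    unsigned char payload[56], pkt[128];
    for (size_t i = 0; i < sizeof payload; i++)
        payload[i] = i < 8 ? 0 : (unsigned char)(i + 10);
    return classify_ipv4_packet(pkt, build_icmp(pkt, ICMP_ECHO_T, payload, sizeof payload));
}

/* Constructed tunnel-style payload: command output carried in an echo reply. */
enum verdict demo_tunnel(void)
{
    static const unsigned char payload[56] = "uid=0(root) gid=0(wheel) groups=0(wheel)\n";
    unsigned char pkt[128];
    return classify_ipv4_packet(pkt, build_icmp(pkt, ICMP_ECHOREPLY_T, payload, sizeof payload));
}

/* A 16-byte echo: too short for the check and must not be read past. */
enum verdict demo_truncated(void)
{
    unsigned char payload[16] = {0}, pkt[128];
    return classify_ipv4_packet(pkt, build_icmp(pkt, ICMP_ECHO_T, payload, sizeof payload));
}

/* ICMP destination unreachable carrying data: not echo, so ignored. */
enum verdict demo_unreachable(void)
{
    unsigned char payload[56] = {0}, pkt[128];
    return classify_ipv4_packet(pkt, build_icmp(pkt, ICMP_UNREACH_T, payload, sizeof payload));
}

int main(void)
{
    static const char *names[] = { "not-echo", "normal-ping", "suspect-tunnel", "too-short" };
    printf("normal ping : %s\n", names[demo_normal_ping()]);
    printf("tunnel      : %s\n", names[demo_tunnel()]);
    printf("truncated   : %s\n", names[demo_truncated()]);
    printf("unreachable : %s\n", names[demo_unreachable()]);
    return 0;
}
```

The TOO_SHORT verdict is the case the posted preprocessor mishandles: a 16-byte echo would have made its strncmp read beyond the packet. Whether a short echo should itself be treated as suspicious is a policy choice; here it is reported separately so the caller can decide.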
