[Snort-users] ICMP-Tunneling Preprocessor to IT-Rule

Martin Roesch roesch at ...421...
Thu Jan 18 01:49:08 EST 2001


Writing a preprocessor is the way to go if you want to detect the kind
of activity that you describe.

     -Marty

Thomas Walpuski wrote:
> 
> I first wanted to write an ICMP-Tunneling rule, but I did not know how, because it is impossible to say: "All packets with payload that does NOT include THIS are ICMP-Tunnelings". So I wrote this Snort Preprocessor Plugin:
> 
> <spp_icmp_tunnel.h>
> #ifndef __SPP_ICMP_TUNNEL_H__
> #define __SPP_ICMP_TUNNEL_H__
> 
> #include "snort.h"
> 
> void SetupIcmpTunnel(void);
> void IcmpTunnelInit(u_char *);
> void IcmpTunnelPreprocFunction(Packet *);
> 
> #endif  /* __SPP_ICMP_TUNNEL_H__ */
> 
> <spp_icmp_tunnel.c>
> 
> #define MODNAME "spp_icmp_tunnel"
> 
> #include <string.h>
> #include "spp_icmp_tunnel.h"
> 
> /* Payload offset and byte run to compare, both as chosen in the original post */
> #define TUNNEL_CHECK_OFFSET 23
> #define TUNNEL_CHECK_LEN    23
> static const char expected_ping_bytes[] = "!\"#$%&'()*+,-./01234567";
> 
> void SetupIcmpTunnel(void)
> {
>         RegisterPreprocessor("icmptunnel", IcmpTunnelInit);
> }
> 
> void IcmpTunnelInit(u_char *args)
> {
>         AddFuncToPreprocList(IcmpTunnelPreprocFunction);
> }
> 
> void IcmpTunnelPreprocFunction(Packet *p)
> {
>         const u_char *payload;
> 
>         /* IPv4 ICMP echo request/reply only; icmph is NULL on truncated packets */
>         if(!(p->iph && p->iph->ip_proto == IPPROTO_ICMP && p->icmph &&
>              (p->icmph->type == ICMP_ECHOREPLY || p->icmph->type == ICMP_ECHO)))
>         {
>                 return;
>         }
> 
>         /* Never read past the payload: skip packets too short for the compare */
>         if(p->dsize < TUNNEL_CHECK_OFFSET + TUNNEL_CHECK_LEN)
>         {
>                 return;
>         }
> 
>         /* Local pointer: advancing p->data itself would shift the payload that
>          * every later preprocessor and the detection engine see */
>         payload = p->data + TUNNEL_CHECK_OFFSET;
> 
>         /* memcmp rather than strncmp: tunnelled data may contain NUL bytes */
>         if(memcmp(payload, expected_ping_bytes, TUNNEL_CHECK_LEN) != 0)
>                 printf("ICMP-Tunneling Alert\n");
> }
> 
> If there is a way to write a rule instead of this spp, please tell me how! If it's impossible, can't someone make it possible?
> --
> Thomas Walpuski
> 
> OpenBSD - Free, Functional, Secure
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users

--
Martin Roesch
roesch at ...421...
http://www.snort.org
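The check Thomas's preprocessor performs, redone as a stand-alone C program. This is an added example for the thread, not Snort code and not from either poster. It parses a raw IPv4 buffer itself instead of Snort's Packet struct, validates the IP and ICMP lengths before touching the payload, and generalises the fixed 23-byte compare to the whole fill pattern a stock ping is assumed to use: the Unix ping convention (8-byte timestamp, then payload byte i holds the value i, which is where the "!\"#$%..." run in the post comes from) and the Windows "abcdefghijklmnopqrstuvw" fill. Both fill patterns, the verdict codes and the constructed sample packets are assumptions of the example, not something the thread states.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Snort or Thomas's code: the same heuristic applied to a
 * raw IPv4 packet buffer. Echo payloads that do not look like a stock ping
 * are flagged as a possible tunnel. */

#define ICMP_ECHOREPLY_T 0
#define ICMP_ECHO_T      8

enum verdict { NOT_ECHO = 0, LOOKS_LIKE_PING = 1, SUSPECT_TUNNEL = 2 };

/* Locate the ICMP echo payload; NULL if not IPv4/ICMP echo or if truncated. */
static const uint8_t *echo_payload(const uint8_t *pkt, size_t pktlen, size_t *len)
{
    if (pktlen < 20 || (pkt[0] >> 4) != 4) return NULL;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t tot = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || tot < ihl + 8 || tot > pktlen) return NULL; /* bogus/truncated */
    if (pkt[9] != 1) return NULL;                               /* IPPROTO_ICMP */
    const uint8_t *icmp = pkt + ihl;
    if (icmp[0] != ICMP_ECHO_T && icmp[0] != ICMP_ECHOREPLY_T) return NULL;
    *len = tot - ihl - 8;
    return icmp + 8;
}

/* Assumed iputils/BSD ping fill: 8-byte timestamp, then byte i == i. Under that
 * assumption the post's "!\"#$%&'()*+,-./01234567" run is payload bytes 33..55. */
static int matches_unix_ping(const uint8_t *d, size_t n)
{
    if (n < 8) return 0;
    for (size_t i = 8; i < n; i++)
        if (d[i] != (uint8_t)i) return 0;
    return 1;
}

/* Assumed Windows ping fill: "abcdefghijklmnopqrstuvw" repeated (32 bytes by default) */
static int matches_windows_ping(const uint8_t *d, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (d[i] != (uint8_t)('a' + i % 23)) return 0;
    return 1;
}

int classify_icmp(const uint8_t *pkt, size_t pktlen)
{
    size_t n;
    const uint8_t *d = echo_payload(pkt, pktlen, &n);
    if (!d) return NOT_ECHO;
    if (n == 0) return LOOKS_LIKE_PING;               /* nothing to carry data in */
    if (matches_unix_ping(d, n) || matches_windows_ping(d, n)) return LOOKS_LIKE_PING;
    return SUSPECT_TUNNEL;
}

/* Build a constructed IPv4 + ICMP echo packet (checksums left zero). */
size_t build_echo(uint8_t *out, size_t cap, uint8_t type, const uint8_t *payload, size_t plen)
{
    size_t tot = 20 + 8 + plen;
    if (tot > cap || tot > 0xffff) return 0;
    memset(out, 0, tot);
    out[0] = 0x45;                                  /* IPv4, IHL 5 */
    out[2] = (uint8_t)(tot >> 8); out[3] = (uint8_t)tot;
    out[8] = 64; out[9] = 1;                        /* TTL, IPPROTO_ICMP */
    out[20] = type;                                 /* code/checksum/id/seq stay zero */
    memcpy(out + 28, payload, plen);
    return tot;
}

/* Constructed sample packets (not real captures), one per case. */
int sample_verdict(int which)
{
    uint8_t pkt[256], pay[64] = {0};
    size_t n = 0;
    const char *smuggled = "GET /secret HTTP/1.0\r\n\r\n";
    switch (which) {
    case 0: /* stock Unix ping, 56-byte payload: zero timestamp, then i at index i */
        for (size_t i = 8; i < 56; i++) pay[i] = (uint8_t)i;
        n = build_echo(pkt, sizeof pkt, ICMP_ECHO_T, pay, 56);
        break;
    case 1: /* stock Windows ping, 32-byte payload */
        n = build_echo(pkt, sizeof pkt, ICMP_ECHO_T,
                       (const uint8_t *)"abcdefghijklmnopqrstuvwabcdefghi", 32);
        break;
    case 2: /* covert channel: an HTTP request carried inside an echo reply */
        n = build_echo(pkt, sizeof pkt, ICMP_ECHOREPLY_T,
                       (const uint8_t *)smuggled, strlen(smuggled));
        break;
    case 3: /* same covert payload, but the capture is cut off mid-payload */
        n = build_echo(pkt, sizeof pkt, ICMP_ECHOREPLY_T,
                       (const uint8_t *)smuggled, strlen(smuggled));
        n = 30;
        break;
    default: /* ICMP destination unreachable (type 3): not an echo, out of scope */
        n = build_echo(pkt, sizeof pkt, 3, pay, 0);
        break;
    }
    return classify_icmp(pkt, n);
}

int main(void)
{
    for (int i = 0; i < 5; i++)
        printf("sample %d -> verdict %d\n", i, sample_verdict(i));
    return 0;
}
```

Build with `cc -std=c99 -Wall icmp_tunnel_check.c` (file name assumed). Like the post's check, this flags anomalies rather than proving tunneling: a ping sent with a custom fill (ping -p) will be flagged, and a tunnel that pads its data to mimic the stock fill, or hides it only in the ID/sequence fields, passes. Truncated packets are skipped instead of being read past the end of the buffer, which is the case the original fixed-offset compare did not handle.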
