[Snort-users] ICMP-Tunneling Preprocessor to IT-Rule

Thomas Walpuski thomas.walpuski at ...158...
Wed Jan 24 03:08:43 EST 2001


On Thu, Jan 18, 2001 at 01:49:08AM -0500, Martin Roesch wrote:
> Writing a preprocessor is the way to go if you want to detect the kind
> of activity that you describe.

I did. The files spp_icmp_tunnel.[ch] are attached. It works fine for me (if the tunneled data is more than 8 bytes or if it's badly "hidden"). Is there anyone out there who wants to help test this spp?
-------------- spp_icmp_tunnel.c --------------
#define MODNAME "spp_icmp_tunnel"

#include <string.h>
#include "spp_icmp_tunnel.h"

/* Default BSD/Linux ping payload: 56 bytes, an 8-byte timestamp followed by
 * the bytes 0x08..0x37. An echo/echo-reply carrying anything else is flagged. */
#define PING_DATA_SIZE 56
#define PING_TS_SIZE   8
static const u_char ping_filler[PING_DATA_SIZE - PING_TS_SIZE] =
	"\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10\x11\x12\x13\x14\x15\x16\x17"
	"\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F\x20\x21\x22\x23\x24\x25\x26\x27"
	"\x28\x29\x2A\x2B\x2C\x2D\x2E\x2F\x30\x31\x32\x33\x34\x35\x36\x37";

void SetupIcmpTunnel(void)
{
	/* Register the keyword so "preprocessor icmptunnel" in the config enables us. */
	RegisterPreprocessor("icmptunnel", IcmpTunnelInit);
}

void IcmpTunnelInit(u_char * args)
{
	/* No arguments are parsed; just hook into the preprocessor chain. */
	AddFuncToPreprocList(IcmpTunnelPreprocFunction);
}

void IcmpTunnelPreprocFunction(Packet * p)
{
	/* Only ICMP echo requests/replies with a decoded ICMP header are of interest. */
	if (!(p->iph && p->iph->ip_proto == IPPROTO_ICMP && p->icmph
	      && (p->icmph->type == ICMP_ECHOREPLY || p->icmph->type == ICMP_ECHO))) {
		return;
	}

	/* Alerts are printed to stdout, not routed through Snort's alert facility. */
	if (p->dsize != PING_DATA_SIZE)
	{
		printf("ICMP-Tunneling-Alert: Ping Data Size\n");
	}

	/* Compare the bytes after the timestamp with the stock filler. memcmp rather
	 * than strncmp: the payload is not a C string, so a NUL byte must not end
	 * the comparison early. Only compare when enough data is present, so we
	 * never read past the end of the packet. */
	if (p->dsize >= PING_DATA_SIZE
	    && memcmp(p->data + PING_TS_SIZE, ping_filler, PING_DATA_SIZE - PING_TS_SIZE) != 0)
	{
		printf("ICMP-Tunneling-Alert: Ping Data\n");
	}
}
-------------- spp_icmp_tunnel.h --------------
#ifndef __SPP_ICMP_TUNNEL_H__
#define __SPP_ICMP_TUNNEL_H__

#include "snort.h"

void SetupIcmpTunnel(void);
void IcmpTunnelInit(u_char *);
void IcmpTunnelPreprocFunction(Packet *);

#endif	/* __SPP_ICMP_TUNNEL_H__ */
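A stand-alone rendering of the same heuristic, added here as an example and not part of the posted preprocessor: it parses a raw IPv4/ICMP datagram instead of a Snort Packet, bounds the filler comparison to the bytes actually present, and runs over constructed sample packets (icmp_tunnel_check, build_echo and sample_result are the example's own names). The 32-byte Windows-style sample shows the false positive this size/filler heuristic produces for ping clients that do not use the BSD/Linux default payload.

```c
/* Added stand-alone form of the spp_icmp_tunnel heuristic (not Snort's own code):
 * a stock BSD/Linux ping payload is 56 bytes, an 8-byte timestamp then 0x08..0x37.
 * All packets below are constructed samples, not captured traffic. */
#include <stdint.h>
#include <string.h>
#define ALERT_SIZE 1   /* payload length is not 56 bytes               */
#define ALERT_DATA 2   /* bytes after the timestamp are not 0x08..0x37 */

/* Returns -1 unless pkt is an IPv4 ICMP echo/echo-reply, else a mask of ALERT_* (0 = plain ping). */
int icmp_tunnel_check(const uint8_t *pkt, size_t len)
{
    size_t ihl, plen, i, limit;
    int flags = 0;
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;            /* not IPv4 */
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || pkt[9] != 1 || len < ihl + 8) return -1;  /* no ICMP header */
    if (pkt[ihl] != 8 && pkt[ihl] != 0) return -1;            /* not echo/reply */
    plen = len - ihl - 8;
    if (plen != 56) flags |= ALERT_SIZE;
    limit = plen < 56 ? plen : 56;            /* never read past the packet end */
    for (i = 8; i < limit; i++)
        if (pkt[ihl + 8 + i] != (uint8_t)i) { flags |= ALERT_DATA; break; }
    return flags;
}

/* Wrap a payload in a minimal IPv4 (IHL=5) + ICMP echo request; checksums left 0. */
size_t build_echo(uint8_t *buf, const uint8_t *payload, size_t plen)
{
    memset(buf, 0, 28);
    buf[0] = 0x45; buf[9] = 1; buf[20] = 8;                   /* IPv4, ICMP, echo */
    buf[2] = (uint8_t)((28 + plen) >> 8); buf[3] = (uint8_t)(28 + plen);
    memcpy(buf + 28, payload, plen);
    return 28 + plen;
}

/* Samples: 0 stock ping; 1 text hidden after the timestamp; 2 same in a 64-byte
 * payload; 3 a 32-byte Windows-style "abcdefgh..." payload; 4 ICMP type 3. */
int sample_result(int kind)
{
    uint8_t pkt[128], pl[64];
    size_t i, n, plen = 56;
    for (i = 0; i < 64; i++) pl[i] = i < 8 ? 0xAA : (uint8_t)i; /* timestamp + filler */
    if (kind == 1 || kind == 2) memcpy(pl + 8, "GET / HTTP/1.0\r\n", 16);
    if (kind == 2) plen = 64;
    if (kind == 3) { plen = 32; memcpy(pl, "abcdefghijklmnopqrstuvwabcdefghi", 32); }
    n = build_echo(pkt, pl, plen);
    if (kind == 4) pkt[20] = 3;
    return icmp_tunnel_check(pkt, n);
}
```

Calling sample_result(k) for k = 0..4 from a main() yields 0, 2, 3, 3 and -1: the stock ping passes, the hidden text trips the data check, the oversized and Windows-style payloads trip both checks, and the non-echo packet is ignored.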

