[Snort-users] Detecting tunnels?

Mark Horn mark-dated-1021065915.742a17 at ...5782...
Sun May 5 21:48:02 EDT 2002


On Fri, May 03, 2002 at 03:50:13PM -0400, Chris Green wrote:
>There's no really good functionality to add this level of application
>level time delay finger printing.  Providing the correct hooks for
>this will be an interesting challenge.  We could use the prexisting
>tag type structure or perhaps we could have a per IP pair
>"metasession" tracker that is applied to every session.  This IP<->IP
>tracker would contain information regarding singatures that the
>session has already set off.
>
>Hrm. Food for thought.
>
>Are there any other unique aspects of GNU http tunnel? 

Well this isn't specific to GNU httptunnel, but the thing that scares me
about it is the ability to tunnel SSH on top of it.  And then, from there,
setup port forwarding from the outside, right past the firewalls, back to
the inside.  And if someone is really bold, they might run a PPP over SSH
VPN which would allow *anyone* on the internet unfettered access to the
internal network.

So what I'm trying to do is detect this kind of thing.  One way to do this
would be to look at the contents of the HTTP GET that comes back.  If it's
an SSH protocol ID (instead of HTML) that would indicate someone tunnelling
SSH over HTTP.  Which is the thing that I'm really scared of.  Below is the
output from 'snort -vd tcp port 1111' for what the HTTP GET looks like.
I have sanitized this somewhat and cut out only the interesting packets.

The first packet is the HTTP GET, the second packet is the HTTP POST.
The Third packet are responses to the GET, and the last packet is what
the POST sends back.  You can see the SSH protocol negotiation.

Certainly if there would be a way to write a rule that would say, when
you see an HTTP GET and the response is 'SSH-blah-blah', then alert that as a
tunnel attempt.  That would work for what I'm trying to do, also.

Alternatively, if you see a HTTP POST and then later on in that same
stream you see 'SSH-blah-blah' then you know also, that this is SSH
encapsulated w/in HTTP.

Thanks for the help.
- Mark


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/03-11:16:16.473594 yyy.yyy.yyy.yyy:47273 -> xxx.xxx.xxx.xxx:1111
TCP TTL:56 TOS:0x0 ID:25153 IpLen:20 DgmLen:258 DF
***AP*** Seq: 0xDB2202CE  Ack: 0x6DF5F663  Win: 0xFAF0  TcpLen: 20
47 45 54 20 2F 69 6E 64 65 78 2E 68 74 6D 6C 20  GET /index.html 
48 54 54 50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20  HTTP/1.0..Host: 
61 75 64 6C 69 6E 2E 64 6E 73 61 6C 69 61 73 2E  XXXXXX.xxxxxxxx.
6F 72 67 3A 38 38 38 38 0D 0A 43 6C 69 65 6E 74  org:1111..Client
2D 69 70 3A 20 31 37 31 2E 31 36 33 2E 31 33 33  -ip: zzz.zzz.zzz
2E 31 38 32 0D 0A 56 69 61 3A 20 48 54 54 50 2F  .zzz..Via: HTTP/
31 2E 31 20 63 6C 74 63 61 63 68 65 32 5B 41 42  1.1 wwwwwwwww[XX
41 33 30 31 33 39 5D 20 28 54 72 61 66 66 69 63  XXXXXX] (xxxxxxx
2D 53 65 72 76 65 72 2F 34 2E 30 2E 39 20 5B 75  -xxxxxx/xxxxx [x
53 63 4D 5D 29 2C 20 48 54 54 50 2F 31 2E 31 20  xxx]), HTTP/1.1 
73 70 78 79 63 6C 74 31 5B 41 42 42 36 45 46 39  wwwwwwww[XXXXXXX
43 5D 20 28 54 72 61 66 66 69 63 2D 53 65 72 76  X] (xxxxxxx-xxxx
65 72 2F 34 2E 30 2E 39 2D 31 31 36 34 31 20 5B  xx/xxxxx=xxxxx [
75 53 63 4D 5D 29 0D 0A 0D 0A                    xxxx])....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/03-11:16:16.487128 yyy.yyy.yyy.yyy:47272 -> xxx.xxx.xxx.xxx:1111
TCP TTL:56 TOS:0x0 ID:25154 IpLen:20 DgmLen:283 DF
***AP*** Seq: 0xDB1A26B2  Ack: 0x6DD64072  Win: 0xFAF0  TcpLen: 20
50 4F 53 54 20 2F 69 6E 64 65 78 2E 68 74 6D 6C  POST /index.html
20 48 54 54 50 2F 31 2E 30 0D 0A 48 6F 73 74 3A   HTTP/1.0..Host:
20 61 75 64 6C 69 6E 2E 64 6E 73 61 6C 69 61 73   XXXXXX.xxxxxxxx
2E 6F 72 67 3A 38 38 38 38 0D 0A 43 6F 6E 74 65  .org:1111..Conte
6E 74 2D 4C 65 6E 67 74 68 3A 20 31 30 32 34 30  nt-Length: 10240
30 0D 0A 43 6C 69 65 6E 74 2D 69 70 3A 20 31 37  0..Client-ip: zz
31 2E 31 36 33 2E 31 33 33 2E 31 38 32 0D 0A 56  z.zzz.zzz.zzz..V
69 61 3A 20 48 54 54 50 2F 31 2E 31 20 63 6C 74  ia: HTTP/1.1 xxx
63 61 63 68 65 32 5B 41 42 41 33 30 31 33 39 5D  xxxxxx[XXXXXXXX]
20 28 54 72 61 66 66 69 63 2D 53 65 72 76 65 72   (xxxxxxx-xxxxxx
2F 34 2E 30 2E 39 20 5B 75 53 63 4D 5D 29 2C 20  /xxxxx [xxxx]), 
48 54 54 50 2F 31 2E 31 20 73 70 78 79 63 6C 74  HTTP/1.1 xxxxxxx
31 5B 41 42 42 36 45 46 39 43 5D 20 28 54 72 61  x[XXXXXXXX] (xxx
66 66 69 63 2D 53 65 72 76 65 72 2F 34 2E 30 2E  xxxx-xxxxxx/xxxx
39 2D 31 31 36 34 31 20 5B 75 53 63 4D 5D 29 0D  x-xxxxx [xxxx]).
0A 0D 0A                                         ...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/03-11:16:16.498727 xxx.xxx.xxx.xxx:1111 -> yyy.yyy.yyy.yyy:47273
TCP TTL:64 TOS:0x10 ID:28322 IpLen:20 DgmLen:209 DF
***AP*** Seq: 0x6DF5F663  Ack: 0xDB2203A8  Win: 0x1920  TcpLen: 20
48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A  .Content-Length:
20 31 30 32 34 30 30 0D 0A 43 6F 6E 6E 65 63 74   102400..Connect
69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 50 72 61 67  ion: close..Prag
6D 61 3A 20 6E 6F 2D 63 61 63 68 65 0D 0A 43 61  ma: no-cache..Ca
63 68 65 2D 43 6F 6E 74 72 6F 6C 3A 20 6E 6F 2D  che-Control: no-
63 61 63 68 65 2C 20 6E 6F 2D 73 74 6F 72 65 2C  cache, no-store,
20 6D 75 73 74 2D 72 65 76 61 6C 69 64 61 74 65   must-revalidate
0D 0A 45 78 70 69 72 65 73 3A 20 30 0D 0A 43 6F  ..Expires: 0..Co
6E 74 65 6E 74 2D 54 79 70 65 3A 20 74 65 78 74  ntent-Type: text
2F 68 74 6D 6C 0D 0A 0D 0A                       /html....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/03-11:16:16.554359 xxx.xxx.xxx.xxx:1111 -> yyy.yyy.yyy.yyy:47273
TCP TTL:64 TOS:0x10 ID:28324 IpLen:20 DgmLen:85 DF
***AP*** Seq: 0x6DF5F70D  Ack: 0xDB2203A8  Win: 0x1920  TcpLen: 20
00 2B 53 53 48 2D 32 2E 30 2D 4F 70 65 6E 53 53  .+SSH-2.0-OpenSS
48 5F 33 2E 30 2E 32 70 31 20 44 65 62 69 61 6E  H_3.0.2p1 Debian
20 31 3A 33 2E 30 2E 32 70 31 2D 39 0A            1:3.0.2p1-9.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/03-11:16:16.806983 yyy.yyy.yyy.yyy:47272 -> xxx.xxx.xxx.xxx:1111
TCP TTL:56 TOS:0x0 ID:25158 IpLen:20 DgmLen:70 DF
***AP*** Seq: 0xDB1A27A9  Ack: 0x6DD64072  Win: 0xFAF0  TcpLen: 20
02 00 1B 53 53 48 2D 32 2E 30 2D 50 75 54 54 59  ...SSH-2.0-PuTTY
2D 52 65 6C 65 61 73 65 2D 30 2E 35 32 0A        -Release-0.52.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+




More information about the Snort-users mailing list