[Snort-users] What wins? TCP headers or packet contents?

Chris Green cmg at ...1935...
Thu Sep 12 21:23:05 EDT 2002


John Sage <jsage at ...2022...> writes:

> Let me bring the question up to the top:
>
>> So the question for the snort list is:
>
>> What wins:
>
>> TCP header stuff: i.e. the destination port,
>
>> or,
>
>> Packet contents stuff: i.e. a hex series within the payload of a
>> packet, but with no match on destination port?
>
> <snip>
>
>
> Executive summary:
>
> Twice (once real-time, once on replay against a binary log file) I
> have packets matching an rpc.rules by content (a hex sequence) but not
> by the destination port stated in the rule.


Let's chop up this mail a bit. There's no notion of what wins because
it's a logical AND of the portions in the rule header and in the rule
options list.

The rule:

"Check TCP traffic from $EXTERNAL_NET with any source port to HOME_NET
port 32770 or above and look for Foo flags with a content of
OOOOOOOOOOOOOO02010186A1 starting 5 bytes into the packet"

> rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC
> rstatd query"; flags:A+; content:"|00 00 00 00 00 00 00 02 00 01 86
> A1|";offset:5; reference:arachnids,9;classtype:attempted-recon;
> sid:1278;  rev:3;)
> <snip>

The alert & packet:

> [**] [1:1278:3] RPC rstatd query [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 09/08/02-16:52:31.887141 63.100.47.45:80 -> 12.82.131.145:63498
> TCP TTL:49 TOS:0x0 ID:64237 IpLen:20 DgmLen:1500 DF
> ***A**** Seq: 0xE9A99172  Ack: 0xE9926FEA  Win: 0x1920  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 1557233190 427655814 
> [Xref => http://www.whitehats.com/info/IDS9]
> <snip>
>
> which is this packet, by timestamp, and which I am certain is a
> portion of a gzipped file:
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 09/08-16:52:31.887141 63.100.47.45:80 -> 12.82.131.145:63498
> TCP TTL:49 TOS:0x0 ID:64237 IpLen:20 DgmLen:1500 DF
> ***A**** Seq: 0xE9A99172  Ack: 0xE9926FEA  Win: 0x1920  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 1557233190 427655814 
> 0x0000: 45 00 05 DC FA ED 40 00 31 06 4A BA 3F 64 2F 2D  E.....@.1.J.?d/-
> 0x0010: 0C 52 83 91 00 50 F8 0A E9 A9 91 72 E9 92 6F EA  .R...P.....r..o.
> 0x0020: 80 10 19 20 DD C3 00 00 01 01 08 0A 5C D1 7E 26  ... ........\.~&
> 0x0030: 19 7D 82 86 
>
>                     5F 46 36 63 49 66 61 57 3A 68 32 61  .}.._F6cIfaW:h2a
> 0x0040: 46 7C 63 37 6D 48 63 49 66 32 5F 2E 69 40 41 36  F|c7mHcIf2_.i@A6
> 0x0050: 75 3A 49 68 5F 46 36 63 49 66 61 57 3A 68 32 61  u:Ih_F6cIfaW:h2a
> 0x0060: 46 7C 63 37 6D 48 63 49 66 32 5F 2E 69 40 48 7D  F|c7mHcIf2_.i@H}
> 0x0070: 38 6A 79 38 59 6A 56 28 2E 42 7A 75 3A 3A 64 6D  8jy8YjV(.Bzu::dm
> 0x0080: 49 68 64 3B 20 57 53 53 5F 47 57 3D 56 31 41 6C  Ihd; WSS_GW=V1Al
> 0x0090: 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51  QAlQAlQAlQAlQAlQ
> 0x00A0: 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41  AlQAlQAlQAlQAlQA
> 0x00B0: 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C  lQAlQAlQAlQAlQAl
> 0x00C0: 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51  QAlQAlQAlQAlQAlQ
> 0x00D0: 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41  AlQAlQAlQAlQAlQA
> 0x00E0: 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C  lQAlQAlQAlQAlQAl
> 0x00F0: 51 41 6C 51 7A 25 72 42 51 25 5E 25 72 40 69 3B  QAlQz%rBQ%^%r@i;
> 0x0100: 20 43 54 47 3D 31 30 32 35 31 39 31 39 31 39 0D   CTG=1025191919.
> 0x0110: 0A 0D 47 3D 1B 3D 58 0D 02 00 9A 05 00 00 9A 05  ..G=.=X.........
> 0x0120: 00 00 00 00 0C 04 B2 33 00 03 E3 D9 26 C0 08 00  .......3....&...
> 0x0130: 45 00 05 8C EB 04 40 00 73 06 FC 52 CC 11 72 09  E.....@.s..R..r.
> 0x0140: 2E 05 B4 FA 00 50 F9 C1 B3 D2 78 9D 00 01 65 80  .....P....x...e.
> 0x0150: 50 10 40 B0 46 75 00 00 86 A2 00 00 00 02 00 00  P.@.Fu..........
> 0x0160: 00 00 00 00 00 01 00 00 00 96 00 00 00 00 00 00  ................
> 0x0170: 00 96 00 00 00 40 00 00 00 00 00 00 00 00 00 00  .....@..........
> 0x0180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 0x0190: 00 00 00 00 00 00 00 00 00 00 02 00 01 86 A1 00  ................
>                  ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^
                   This was at least 5 bytes into the stream :)

> <snip>
>
> The offset seems different, but only because we have IP and TCP
> headers, above.


-- 
Chris Green <cmg at ...1935...>
I've had a perfectly wonderful evening. But this wasn't it.
     -- Groucho Marx
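Chris's point that the rule header and the rule options are simply ANDed, worked through as an added example (this is not code from the post or from Snort itself): a toy evaluator for sid:1278's port range, flags:A+ and content/offset parts, run against a constructed payload that mimics the gzip data quoted above. The `Packet` class, the helper names and the sample payload are my own assumptions.

```python
from dataclasses import dataclass

TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


@dataclass
class Packet:
    dst_port: int
    flags: int      # raw TCP flag bits
    payload: bytes  # TCP payload only; IP/TCP headers are not searched


def port_matches(spec: str, port: int) -> bool:
    """Snort port syntax: 'any', '80', '32770:' (and above), ':1024', '1:1024'."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return (not lo or int(lo) <= port) and (not hi or port <= int(hi))
    return port == int(spec)


def flags_match(spec: str, flags: int) -> bool:
    """'A+' means ACK set, any other bits allowed; 'A' alone means exactly ACK."""
    want = 0
    for ch in spec.rstrip("+"):
        want |= TCP_FLAG_BITS[ch]
    return flags & want == want if spec.endswith("+") else flags == want


def content_matches(content: bytes, offset: int, payload: bytes) -> bool:
    """'content' with 'offset:N' searches from payload byte N to the end."""
    return payload.find(content, offset) != -1


# sid:1278 from the post, split into its header part and its option parts
RSTATD_PORTS = "32770:"
RSTATD_FLAGS = "A+"
RSTATD_CONTENT = bytes.fromhex("00 00 00 00 00 00 00 02 00 01 86 A1")
RSTATD_OFFSET = 5


def rule_fires(pkt: Packet) -> bool:
    """Header AND every option must match; no part 'wins' over another."""
    return (port_matches(RSTATD_PORTS, pkt.dst_port)
            and flags_match(RSTATD_FLAGS, pkt.flags)
            and content_matches(RSTATD_CONTENT, RSTATD_OFFSET, pkt.payload))


# Constructed stand-in for the gzip data in the post: the RPC-looking bytes
# sit deep inside otherwise unrelated payload, as they did in the real packet.
SAMPLE_PAYLOAD = b"\x1f\x8b" + b"QAl" * 100 + RSTATD_CONTENT + b"\x00" * 40
HIGH_PORT_ACK = Packet(dst_port=63498, flags=0x10, payload=SAMPLE_PAYLOAD)  # fires
WEB_PORT_ACK = Packet(dst_port=80, flags=0x10, payload=SAMPLE_PAYLOAD)      # header fails
```

Swapping only the destination port, or only the flags, is enough to stop the alert even though the content is still there, which is the AND in action.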