[Snort-users] Rules that fire on bad checksums?

Will Metcalf william.metcalf at ...11827...
Wed Sep 8 11:08:05 EDT 2004


This is a diff for something we are doing with snort_inline to alert on (and,
in inline mode, drop) packets that fail checksum verification.  Actually this
is a diff against snort-2.3 ;-), so it won't apply cleanly and you will have
to adapt it yourself, but it should give you some idea how to get it done.

--- snort-2.3/src/decode.c	2004-09-08 19:47:53.000000000 +0200
+++ snort-2.3.checksums/src/decode.c	2004-09-08 19:39:21.000000000 +0200
@@ -1837,6 +1837,7 @@
     u_int32_t ip_len; /* length from the start of the ip hdr to the pkt end */
     u_int32_t hlen;   /* ip header length */
     u_int16_t csum;   /* checksum */
+    Event event;      /* for checksum alerts */
 
     /* lay the IP struct over the raw data */
     p->iph = (IPHdr *) pkt;
@@ -1982,6 +1983,19 @@
         {
             p->csum_flags |= CSE_IP;
             DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad IP checksum\n"););
+ 
+            if(InlineMode())
+            {
+
+                SetEvent(&event, GENERATOR_SNORT_DECODE, DECODE_BAD_IP_CHKSUM,
+		         1, DECODE_CLASS, 3, 0);
+		CallAlertFuncs(p, DECODE_BAD_IP_CHKSUM_STR, NULL, &event);
+
+
+                DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping
packet with Bad IP checksum\n"););
+                InlineDrop();
+            }
+
         }
 #ifdef DEBUG
         else
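Review bot: The alert-and-drop block added under `if(InlineMode())` here is repeated verbatim in the TCP, UDP and ICMP decoders with only the SID, message string and protocol name changing, which invites the four copies to drift (the SetEvent continuation and CallAlertFuncs lines already indent with tabs while the rest of the block uses spaces). A small static helper keeps the policy in one place, with this site reduced to `DecodeChecksumInlineDrop(p, DECODE_BAD_IP_CHKSUM, DECODE_BAD_IP_CHKSUM_STR, "IP");`. Whether the drop remains subject to the sensor's checksum-mode switch depends on the condition this branch hangs off, which begins before the hunk; confirm it, since a sensor seeing legitimately wrong checksums would otherwise black-hole that traffic. The enclosing DecodeIP body starts and ends outside the hunk.
```c
/* Raise the decoder checksum event and, in inline mode, mark the packet
 * for drop.  Shared by the IP/TCP/UDP/ICMP decoders so the policy lives
 * in one place. */
static void DecodeChecksumInlineDrop(Packet *p, u_int32_t sid, char *msg,
                                     const char *proto)
{
    Event event;

    if(!InlineMode())
        return;

    SetEvent(&event, GENERATOR_SNORT_DECODE, sid, 1, DECODE_CLASS, 3, 0);
    CallAlertFuncs(p, msg, NULL, &event);
    DEBUG_WRAP(DebugMessage(DEBUG_DECODE,
                            "Dropping packet with Bad %s checksum\n", proto););
    InlineDrop();
}

/* … in DecodeIP, replacing the added if(InlineMode()) block … */
            DecodeChecksumInlineDrop(p, DECODE_BAD_IP_CHKSUM,
                                     DECODE_BAD_IP_CHKSUM_STR, "IP");
```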
@@ -2240,6 +2254,7 @@
     u_int32_t hlen;            /* TCP header length */
     u_short csum;              /* checksum */
     struct pseudoheader ph;    /* pseudo header declaration */
+    Event event;               /* event for checksum alerts */
 
     if(len < 20)
     {
@@ -2350,6 +2365,18 @@
             DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad TCP checksum\n",
                                     "0x%x versus 0x%x\n", csum,
                                     ntohs(p->tcph->th_sum)););
+            if(InlineMode())
+            {     
+
+                SetEvent(&event, GENERATOR_SNORT_DECODE, DECODE_BAD_TCP_CHKSUM,
+		         1, DECODE_CLASS, 3, 0);
+		CallAlertFuncs(p, DECODE_BAD_TCP_CHKSUM_STR, NULL, &event);
+
+
+                DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping
packet with Bad TCP checksum\n"););
+                InlineDrop();
+            }
+
         }
         else
         {
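Review bot: Every segment that fails the TCP checksum now goes through CallAlertFuncs with no thresholding, so any host able to send spoofed segments past the sensor can fill the alert output at line rate while the drop itself costs the attacker nothing; the same applies to the IP, UDP and ICMP sites. Pair the new events with a threshold on the decoder generator's sig_ids 150–153 (if this tree's snort.conf supports it, something like `threshold gen_id <GENERATOR_SNORT_DECODE>, sig_id 151, type limit, track by_src, count 1, seconds 60`) or a rate limit in the emitting code, and say so in the change description. The enclosing DecodeTCP body starts and ends outside the hunk.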
@@ -2417,6 +2444,7 @@
     u_short csum;
     u_int16_t uhlen;
     struct pseudoheader ph;
+    Event event; /* for checksum alerts */
 
     if(len < sizeof(UDPHdr))
     {
@@ -2523,6 +2551,19 @@
         {
             p->csum_flags |= CSE_UDP;
             DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad UDP Checksum\n"););
+
+            if(InlineMode())
+            {     
+
+                SetEvent(&event, GENERATOR_SNORT_DECODE, DECODE_BAD_UDP_CHKSUM,
+		         1, DECODE_CLASS, 3, 0);
+		CallAlertFuncs(p, DECODE_BAD_UDP_CHKSUM_STR, NULL, &event);
+
+
+                DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping
packet with Bad UDP checksum\n"););
+                InlineDrop();
+            }
+
         }
         else
         {
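Review bot: Dropping on the `CSE_UDP` branch is only safe if the checksum comparison it hangs off treats a zero `uh_chk` as "checksum absent" (which RFC 768 permits for IPv4) rather than computing and failing it; that condition begins before the hunk, so confirm it, otherwise inline mode will drop the zero-checksum datagrams some stacks legitimately emit. A one-line comment on the added block would make the dependency explicit: `/* reached only when a non-zero UDP checksum failed to verify; zero means "no checksum" (RFC 768) */`. The enclosing DecodeUDP body starts and ends outside the hunk.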
@@ -2561,6 +2602,7 @@
 {
     u_int16_t csum;
     u_int16_t orig_p_caplen;
+    Event event; /* for checksum alerts */
 
     if(len < ICMP_HEADER_LEN)
     {
@@ -2692,6 +2734,19 @@
             p->csum_flags |= CSE_ICMP;
 
             DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad ICMP Checksum\n"););
+ 
+            if(InlineMode())
+            {     
+
+                SetEvent(&event, GENERATOR_SNORT_DECODE,
DECODE_BAD_ICMP_CHKSUM,
+		         1, DECODE_CLASS, 3, 0);
+		CallAlertFuncs(p, DECODE_BAD_ICMP_CHKSUM_STR, NULL, &event);
+
+
+                DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping
packet with Bad ICMP checksum\n"););
+                InlineDrop();
+            }
+
         }
         else
         {
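Review bot: The debug string literal on the added DEBUG_WRAP line is split across two lines (`"Dropping` / `packet with Bad ICMP checksum\n"`), which is a mailer wrap but means the posted text is not valid C and will fail to compile even after the hunk offsets are fixed up; the same split appears in the IP, TCP and UDP hunks, while the `GENERATOR_SNORT_DECODE,` / `DECODE_BAD_ICMP_CHKSUM,` break here is harmless. Anyone applying this should rejoin the literal onto one line, `DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Dropping packet with Bad ICMP checksum\n"););`. The enclosing DecodeICMP body starts and ends outside the hunk.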
--- snort-2.3/src/generators.h	2004-09-08 19:47:53.000000000 +0200
+++ snort-2.3.checksums/src/generators.h	2004-09-08 17:05:48.000000000 +0200
@@ -164,6 +164,11 @@
 #define     DECODE_BAD_TR_MR_LEN                  142
 #define     DECODE_BAD_TRHMR                      143
 
+#define     DECODE_BAD_IP_CHKSUM                  150
+#define     DECODE_BAD_TCP_CHKSUM                 151
+#define     DECODE_BAD_UDP_CHKSUM                 152
+#define     DECODE_BAD_ICMP_CHKSUM                153
+
 #define GENERATOR_SPP_SCAN2         117
 #define     SCAN_TYPE                             1
 
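Review bot: The four new SIDs jump from DECODE_BAD_TRHMR (143) to 150 with nothing in the hunk explaining the gap or reserving the range, so a later decoder event added at 144–149 or 150 would collide silently; a one-line comment would prevent that, e.g. `/* 150-153: checksum-failure events raised (and dropped) in inline mode; keep contiguous */`. If this tree ships a message map for the decoder generator, matching entries for 150–153 are also needed so alert and unified output resolve the message text instead of printing a bare ID.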
@@ -348,6 +353,12 @@
 #define DECODE_BAD_TR_MR_LEN_STR "(snort_decoder) WARNING: Bad Token
Ring MRLENHeader!"
 #define DECODE_BAD_TRHMR_STR "(snort_decoder) WARNING: Bad Token Ring
MR Header!"
 
+#define DECODE_BAD_IP_CHKSUM_STR "(snort_decoder) WARNING: Bad IP Checksum!"
+#define DECODE_BAD_TCP_CHKSUM_STR "(snort_decoder) WARNING: Bad TCP Checksum!"
+#define DECODE_BAD_UDP_CHKSUM_STR "(snort_decoder) WARNING: Bad UDP Checksum!"
+#define DECODE_BAD_ICMP_CHKSUM_STR "(snort_decoder) WARNING: Bad ICMP
Checksum!"
+
+
 
 #define SCAN2_PREFIX_STR "(spp_portscan2) Portscan detected from "
 
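Review bot: The ICMP message is split across two lines by a mail wrap (`"(snort_decoder) WARNING: Bad ICMP` / `Checksum!"`), which does not compile as posted, and two extra blank lines are added after it on top of the one already present. Rejoin it as `#define DECODE_BAD_ICMP_CHKSUM_STR "(snort_decoder) WARNING: Bad ICMP Checksum!"` and drop the surplus blanks so the hunk matches the spacing of the neighbouring DECODE_*_STR defines.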




On Wed, 08 Sep 2004 13:47:32 -0400, Chris Green <cmg at ...671...> wrote:
> Martin Roesch <roesch at ...1935...> writes:
> 
> > You'd need to write a detection plugin that checks the status of the
> > checksum flags in the packet struct.   Something like:
> >
> >
> > All you need to do is write the badcksum plugin and you'll be all
> > set. :)
> 
> It might be a bit more invasive than that b/c if it checks checksums
> at all, it skips the rule engine entirely.
> 
> You'll have to add something that makes all the other rules validate
> the checksum by default and then have your badchecksum plugin.  Dunno
> how much things have changed but I doubt anyone has tackled that stuff
> lately :)
> 
> The quickest route for doing that would probably be a preprocessor
> that alerted on bad checksums.
> 
> Cheers,
> Chris
> --
> Chris Green <cmg at ...1121...>
> Warning: time of day goes back, taking countermeasures.
> 
> 
> 
> 
>



