[Snort-users] More fun with IP Option lrsse

Todd Wease twease at ...1935...
Mon Jul 9 12:25:50 EDT 2007


Jeffrey Denton wrote:
> Snort_test.conf:
> 
> var HOME_NET any
> var EXTERNAL_NET any
> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
> preprocessor flow: stats_interval 0 hash 2
> preprocessor stream4: disable_evasion_alerts
> preprocessor stream4_reassemble
> output alert_syslog: LOG_AUTH LOG_ALERT
> include /etc/snort/classification.config
> include /etc/snort/reference.config
> # Rules from misc.rules file
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lsrr"; ipopts:lsrr; reference:arachnids,418; reference:bugtraq,646; reference:cve,1999-0510; reference:cve,1999-0909; reference:url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx; classtype:bad-unknown; sid:500; rev:7;)
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lsrre"; ipopts:lsrre; reference:arachnids,420; reference:bugtraq,646; reference:cve,1999-0909; reference:url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx; classtype:bad-unknown; sid:501; rev:7;)
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route ssrr"; ipopts:ssrr ; reference:cve,1999-0510; classtype:bad-unknown; sid:502; rev:4;)
> 
> The tool sendip needs a hostname.
> /etc/hosts:
> 192.168.1.2    storage
> 
> # snort -c /etc/snort/snort_test.conf -i eth0
> 
> Sid:500 and sid:501 triggered when the following command is run:
> # sendip -p ipv4 -is 192.168.1.1 -id 192.168.1.2 -iolsr 04:192.168.1.1
> -ioeol -p tcp -ts 1025 -td 21 storage
> 
> Sid:502 triggered when the following command is run:
> # sendip -p ipv4 -is 192.168.1.1 -id 192.168.1.2 -iossr 04:192.168.1.1
> -ioeol -p tcp -ts 1025 -td 21 storage
> 
> I was unable to get sid:501 to trigger with the following command:
> # sendip -p ipv4 -is 192.168.1.1 -id 192.168.1.2 -ionum 84 -ionop
> -ioeol -p tcp -ts 1025 -td 21 storage
> 
> http://www.cochiselinux.org/files/lsrr.pcap
> This file contains four packets with the IP option for lsrr.  Sid:500
> and sid:501 are triggered when the following command is run:
> # snort -c snort_test.conf -r lsrr.pcap
> 
> http://www.cochiselinux.org/files/lsrre.pcap
> I used netdude to change the IP option value from 131 (0x83) to 132
> (0x84).  I was unable to get sid:501 to trigger with the following
> command:
> # snort -c snort_test.conf -r lsrre.pcap
> 

Thanks for pointing this out, Jeffrey.  The problem is in the parsing
code in detection-plugins/sp_ipoption_check.c line 163:

    else if(!strncasecmp(data, "lsrr", 4))
    {
        ds_ptr->ip_option = IPOPT_LSRR;
        return;
    }
    else if(!strncasecmp(data, "lsrre", 5))
    {
        ds_ptr->ip_option = IPOPT_LSRR_E;
        return;
    }


'lsrre' was matching at the first condition.  Not sure yet what release
the fix will go in, but in the meantime the attached patch can be used.

Thanks
Todd
-------------- next part --------------
A non-text attachment was scrubbed...
Name: lsrre.diff
Type: text/x-patch
Size: 994 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20070709/0de5874d/attachment.bin>
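As an added illustration of the ordering bug Todd describes (not code from the Snort source or from the attached patch), the buggy prefix comparison is shown beside an exact-length keyword match that keeps "lsrr" and "lsrre" distinct. The numeric enum values are assumed for the example (131 and 132 match the option bytes Jeffrey edited; 137 is the RFC 791 SSRR code) and the two parse functions are hypothetical names, not Snort's.

```c
#include <string.h>
#include <strings.h>

/* Option codes: assumed values for this example, not copied from the Snort headers. */
enum ip_option { IPOPT_NONE = 0, IPOPT_LSRR = 131, IPOPT_LSRR_E = 132, IPOPT_SSRR = 137 };

/* Reproduces the bug: the 4-byte prefix test for "lsrr" runs first, so the
   keyword "lsrre" also satisfies it and the "lsrre" branch is never reached. */
enum ip_option parse_ipopt_buggy(const char *data)
{
    if (!strncasecmp(data, "lsrr", 4))
        return IPOPT_LSRR;
    else if (!strncasecmp(data, "lsrre", 5))
        return IPOPT_LSRR_E;            /* unreachable for "lsrre" */
    else if (!strncasecmp(data, "ssrr", 4))
        return IPOPT_SSRR;
    return IPOPT_NONE;
}

/* One way to fix it: trim whitespace, then require the whole keyword to match
   (same length and same characters), so no keyword is a prefix of another. */
enum ip_option parse_ipopt_fixed(const char *data)
{
    static const struct { const char *name; enum ip_option opt; } table[] = {
        { "lsrr",  IPOPT_LSRR   },
        { "lsrre", IPOPT_LSRR_E },
        { "ssrr",  IPOPT_SSRR   },
    };
    size_t len, i;

    /* "ipopts:ssrr ;" in the quoted rule carries a trailing space, so strip it. */
    while (*data == ' ' || *data == '\t')
        data++;
    len = strlen(data);
    while (len > 0 && (data[len - 1] == ' ' || data[len - 1] == '\t'))
        len--;

    for (i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strlen(table[i].name) == len && !strncasecmp(data, table[i].name, len))
            return table[i].opt;
    return IPOPT_NONE;
}
```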

