[Snort-users] Snort-users Digest, Vol 104, Issue 51

Jutichai Thongkrachai thsecmaniac at ...11827...
Tue Jan 27 22:12:41 EST 2015


To Joel and Al,

Here is the traffic in pcap format. I attached it to this mail. Please use
"ip.addr==10.4.1.1" to filter the traffic that I have a question about.

As Al said in the last mail, so it's normal for Snort to detect PIM as
BAD-TRAFFIC...?



> ---------- Forwarded message ----------
> From: "Al Lewis (allewi)" <allewi at ...589...>
> To: Jutichai Thongkrachai <thsecmaniac at ...11827...>
> Cc: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net
> >
> Date: Tue, 27 Jan 2015 14:02:33 +0000
> Subject: Re: [Snort-users] Cisco Proprietary Protocol and Snort
>
> From what I can see the PIM protocol will trigger these decoder alerts
> anytime that traffic is seen (along with several others). The case match we
> are interested in is the “IPPROTO_PIM”.
>
> If you look in the source code of decode.c you will see:
>
> 2244         case IPPROTO_SWIPE:
> 2245         case IPPROTO_IP_MOBILITY:
> 2246         case IPPROTO_SUN_ND:
> 2247         case IPPROTO_PIM:
> 2248             if ( Event_Enabled(DECODE_IP_BAD_PROTO) )
> 2249                 DecoderEvent(p, EVARGS(IP_BAD_PROTO), 1, 1);
>
> Under this function:
>
> //--------------------------------------------------------------------
> // decode.c::IP4 decoder
> //--------------------------------------------------------------------
>
> /* Function: DecodeIPv4Proto
>  *
>  * Generalized IPv4 next protocol decoder dispatching.
>  *
>  * Arguments: proto => IPPROTO value of the next protocol
>  *            pkt => ptr to the packet data
>  *            len => length from here to the end of the packet
>  *            p   => pointer to the packet decode struct
>  *
>  */
> static inline void DecodeIPv4Proto(const uint8_t proto,
>     const uint8_t *pkt, const uint32_t len, Packet *p)
> {
>
> I tested this with generic PIM traffic and it alerts on any PIM packets
> seen, which is expected behavior.
>
> root at ...17075...:/var/tmp/snort-2.9.7.0-released# ./bin/snort -c etc/pim.conf -r /home/alewis/Downloads/pim.pcap -Acmg -k none -q
>
> 09/30-05:32:56.889022  [**] [116:450:1] (snort_decoder) WARNING: BAD-TRAFFIC Bad IP protocol [**] [Classification: Detection of a non-standard protocol or event] [Priority: 2] {PIM} 192.168.0.6 -> 192.168.1.254
> 09/30-05:32:56.889022 CC:06:06:1C:F0:01 -> CC:05:06:1C:F0:00 type:0x800 len:0x8E
> 192.168.0.6 -> 192.168.1.254 PIM TTL:255 TOS:0x0 ID:350 IpLen:20 DgmLen:128
> 21 00 DE FF 00 00 00 00 45 00 00 64 00 0F 00 00  !.......E..d....
> FE 01 F6 D2 C0 A8 14 0A EF 01 02 03 08 00 90 E1  ................
> 00 03 00 00 00 00 00 00 00 05 ED 60 AB CD AB CD  ...........`....
> AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD  ................
> AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD  ................
> AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD  ................
> AB CD AB CD AB CD AB CD AB CD AB CD              ............
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 09/30-05:32:57.054022  [**] [116:450:1] (snort_decoder) WARNING: BAD-TRAFFIC Bad IP protocol [**] [Classification: Detection of a non-standard protocol or event] [Priority: 2] {PIM} 192.168.1.254 -> 192.168.0.6
> 09/30-05:32:57.054022 CC:05:06:1C:F0:00 -> CC:06:06:1C:F0:01 type:0x800 len:0x3C
> 192.168.1.254 -> 192.168.0.6 PIM TTL:255 TOS:0xC0 ID:642 IpLen:20 DgmLen:38
> 22 00 16 28 01 00 00 20 EF 01 02 03 01 00 C0 A8  "..(... ........
> 14 0A                                            ..
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> Hope this helps.
>
>
> Albert Lewis
> QA Software Engineer
> SOURCEfire, Inc. now part of Cisco
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
> Phone: (office) 443.430.7112
> Email: allewi at ...589...
>
> From: Joel Esler (jesler)
> Sent: Tuesday, January 27, 2015 6:57 AM
> To: Jutichai Thongkrachai
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Cisco Proprietary Protocol and Snort
>
> We need an actual packet capture of the traffic.
>
> --
> Joel Esler
> Sent from my iPhone
>
>
> On Jan 27, 2015, at 6:36 AM, Jutichai Thongkrachai <thsecmaniac at ...14459.....>
> wrote:
>
> Here you are.
>
> From Snorby:
> http://i57.tinypic.com/egr4ms.png
>
> From Wireshark:
> http://i57.tinypic.com/21vnt.png
>
> ---------- Forwarded message ----------
> From: "Al Lewis (allewi)" <allewi at ...589...>
> To: Jutichai Thongkrachai <thsecmaniac at ...11827...>, "
> snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
> Cc:
> Date: Tue, 27 Jan 2015 11:05:12 +0000
> Subject: Re: [Snort-users] Cisco Proprietary Protocol and Snort
>
> Can you provide a sample of the traffic?
>
>
> Albert Lewis
> QA Software Engineer
> SOURCEfire, Inc. now part of Cisco
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
> Phone: (office) 443.430.7112
> Email: allewi at ...589...
>
> From: Jutichai Thongkrachai [mailto:thsecmaniac at ...11827...]
> Sent: Monday, January 26, 2015 11:46 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Cisco Proprietary Protocol and Snort
>
> Hello,
>
> My Snort keeps telling me that it detects "snort_decoder: WARNING:
> BAD-TRAFFIC Bad IP protocol" (Sid:450,Gid:116) hourly, which comes from my
> Cisco Switch sending Multicast Packets to the Network with its proprietary PIM
> protocol (sparse-dense-mode).
>
> I'm curious whether my Snort cannot decode the Cisco PIM Protocol, so it
> detects it as "WARNING: BAD-TRAFFIC Bad IP protocol". Is it possible?
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming. The Go Parallel Website,
> sponsored by Intel and developed in partnership with Slashdot Media, is
> your
> hub for all things parallel software development, from weekly thought
> leadership blogs to news, videos, case studies, tutorials and more. Take a
> look and join the conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.u2.1421728598.pcap
Type: application/octet-stream
Size: 49990 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150128/9c680fcb/attachment.obj>
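As an added illustration of why the alert fires no matter what the PIM packet contains (this is not code from the thread or from Snort itself): a small C mirror of the quoted decode.c dispatch, run over a packet rebuilt from the second alert's hex dump. The protocol-number constants are IANA values, the IPv4 header checksum is left zero, and everything else is constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* IANA protocol numbers for the four cases grouped with IPPROTO_PIM above. */
enum { PROTO_SWIPE = 53, PROTO_IP_MOBILITY = 55, PROTO_SUN_ND = 77, PROTO_PIM = 103 };

/* Mirror of the quoted decode.c branch: any of these next-protocol values
 * raises DECODE_IP_BAD_PROTO (gid 116, sid 450) as soon as the packet is seen. */
int raises_ip_bad_proto(uint8_t proto)
{
    switch (proto) {
    case PROTO_SWIPE: case PROTO_IP_MOBILITY: case PROTO_SUN_ND: case PROTO_PIM:
        return 1;
    default:
        return 0;
    }
}

/* PIMv2 header byte: version in the high nibble, message type in the low
 * nibble (1 = Register, 2 = Register-Stop). Returns -1 if not PIMv2. */
int pim_type(const uint8_t *payload, size_t len)
{
    return (len >= 4 && (payload[0] >> 4) == 2) ? (payload[0] & 0x0f) : -1;
}

/* Walks an IPv4 packet the way the quoted dispatch does: the verdict comes from
 * the protocol byte (offset 9) alone; the PIM type is read only afterwards. */
int would_alert(const uint8_t *pkt, size_t len, int *type)
{
    size_t hl;
    *type = -1;
    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;                      /* not IPv4: a different decoder path */
    hl = (size_t)(pkt[0] & 0x0f) * 4;
    if (hl < 20 || hl > len)
        return 0;                      /* malformed header: other decoder checks */
    if (pkt[9] == PROTO_PIM)
        *type = pim_type(pkt + hl, len - hl);
    return raises_ip_bad_proto(pkt[9]);
}

/* Constructed sample: IPv4 header rebuilt from the second quoted alert
 * (192.168.1.254 -> 192.168.0.6, TOS 0xC0, ID 642, TTL 255, proto 103, DgmLen 38,
 * checksum left zero) plus the 18 payload bytes printed in its hex dump. */
const uint8_t sample_pkt[38] = {
    0x45,0xc0,0x00,0x26,0x02,0x82,0x00,0x00,0xff,0x67,0x00,0x00,
    0xc0,0xa8,0x01,0xfe,0xc0,0xa8,0x00,0x06,
    0x22,0x00,0x16,0x28,0x01,0x00,0x00,0x20,0xef,0x01,0x02,0x03,
    0x01,0x00,0xc0,0xa8,0x14,0x0a
};
```

The sample is flagged on its protocol number before the Register-Stop type is ever decoded. A known PIM router can be excluded with `suppress gen_id 116, sig_id 450, track by_src, ip <router-address>` in threshold.conf, which keeps the decoder check active for every other source.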