Snort mailing list archives
[PATCH] Add non-IP layer 3 detection via new 'ether_type' keyword and 'eth' protocol
From: Joshua Kinard <kumba () gentoo org>
Date: Sun, 13 Nov 2011 16:37:57 -0500
Hi snort-devel,

I decided to play around some more in src/decode.c, and got to thinking: with all of these additional Decode* functions that don't seem to see a lot of use, why not provide some baseline support to at least scan some of the protocols? The end result is that I didn't fiddle with too much in decoder.c, but wound up adding a new rule protocol, "eth", and a new rule option, "ether_type". The purpose is to open up Snort to detecting things other than IP-based traffic by leveraging the existing capabilities of the fast-pattern matcher and detection engine.

I also corrected a minor bug that I found, fixed up some comments, and converted a few if-elseif-else blocks to switch statements. I can pass along stand-alone patches for those if needed.

EXAMPLES:

Rule with content, IPX over VLAN/EthII:

  alert eth any any -> any any (msg:"VLAN IPX, FTWOOD then COLORLAB"; ether_type:ipx; content:"FTWOOD"; content:"COLORLAB"; distance:10; sid:43000006; rev:1; priority:1; classtype:bad-unknown; )

  PCAP: http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=vlan.cap.gz

Rule with content, DECnet:

  alert eth any any -> any any (msg:"DECNET"; ether_type:decnet; content:"TYSON"; sid:43000007; rev:1; priority:1; classtype:bad-unknown; )

  PCAP: http://packetlife.net/captures/DECnet_Phone.pcap.cap

DOCUMENTATION:

The principle behind these rule types mimics ip any-any and ip_proto-only rules for the most part, though I added a few hooks to completely avoid the IP layer of code if we detect a raw Ethernet II frame. I don't *think* it impacts performance that much, but I'll be honest, I only have a bunch of assorted PCAPs to test with. Aside from a NetWare 6.5 install in a virtual machine, I don't have much equipment on hand to generate obscure packets, or enterprise stuff like FibreChannel over Ethernet.

Treat ether_type like ip_proto in a sense. There's no src/dst address or ports for it (theoretically, one could use MAC addresses as src/dst, but that would require a LOT of code overhauling). One shouldn't need too many eth rules in a ruleset, so performance impact should be minimal.

The patch does NOT update the manual for these options. If someone could give me a list of the tools/packages needed to build TeX into PDF, that'd be great. Making blind updates to it is getting trickier these days.

Quick documentation for ether_type:

  ether_type:[op]<type> | <hex_value>;

Where [op] is either '!', '<', or '>'.

Where <hex_value> is a 16-bit, unsigned integer in the format of 0xABCD (decimal accepted if you want). Values smaller than 0x600 or larger than 0xffff are not accepted.

OR

Where <type> is one of the following named values:

  xerox   (0x0600) - Xerox NS IDP
  ipv4    (0x0800) - IP version 4
  x75     (0x0801) - X.75 Internet
  nbs     (0x0802) - NBS Internet
  ecma    (0x0803) - ECMA Internet
  chaos   (0x0804) - CHAOSNet
  x25     (0x0805) - X.25 Level 3
  arp     (0x0806) - Address Resolution Protocol
  rarp    (0x0835) - Reverse ARP
  wol     (0x0842) - Wake On LAN
  ax25    (0x08ff) - AX.25 over Ethernet (G8BPQ)
  decnet  (0x6003) - DECnet DNA
  apple   (0x809b) - Appletalk
  aarp    (0x80f3) - Appletalk ARP
  vlan    (0x8100) - VLAN Tagged 802.1q
  netbeui (0x8191) - NetBEUI
  ipx     (0x8137) - Novell IPX/SPX
  snmp    (0x814c) - SNMP over Ethernet
  ipv6    (0x86dd) - IP version 6
  slow    (0x8809) - Slow Protocols
  ppp     (0x880b) - Point-to-Point Protocol
  mpls    (0x8847) - MPLS Unicast
  pppoed  (0x8863) - PPP over Ethernet Discovery
  pppoes  (0x8864) - PPP over Ethernet Session
  eapol   (0x888e) - EAPOL (EAP over LAN), IEEE 802.1x
  aoe     (0x88a2) - ATA over Ethernet
  lldp    (0x88cc) - Logical Link Discovery Protocol
  fcoe    (0x8906) - FibreChannel over Ethernet
  fip     (0x8914) - FCoE Initialization Protocol
  tte     (0x891d) - TTEthernet
  loop    (0x9000) - Loopback

IMPLEMENTATION NOTES:

Standard Ethernet II frames: Works. Not much explanation needed. You can specify "ipv4", "ipv6", or "vlan" if you really want to, but it doesn't make a whole lot of sense.

VLAN-tagged frames: Works by falling through to check the VLAN ethertype, ignoring the Eth_II frame version by virtue of being called via DecodeVlan().

MPLS frames: SHOULD work IF there is NO PW Control Word section. There is a bug in Snort whereby it does NOT handle PWMCW (RFC 4385) frames correctly, which creates a 4-byte misalignment because the mpls label pointer is not incremented properly in this case. Good thing is, the error checks in DecodeIP() catch and ignore such a frame. But this probably needs fixing. I don't know enough about MPLS to properly fix it.

GRE encapsulation: Should work, lightly tested. It's hard to find non-encrypted (non-IPSEC) GRE packet captures out there with non-IP layer 3 protocols.

Transbridging Eth II: Should work, but untested. Per the comments in src/decode.c, it's largely the same as standard Ethernet II.

Wireless: NOT WORKING. Wireless runs on top of IEEE 802.3 LLC/SNAP frames, from what I can tell. I thought those died with IPX, but it turns out, 802.3/SNAP is the newer frame format. Ethernet II is the older stuff. Hah. So you won't be able to detect non-IP protocols over Wireless right now. I have plans to take the LLC code from both DecodeVlan and the 802.11 decoder, create DecodeEthLlc() and DecodeEthSnap() to centralize that some, and then add the bits to scan non-IP protocols (like IPX over 802.3 LLC, 802.2 (SNAP), but not 802.3 Raw).

Token Ring, FDDI, other odd frames: Not supported. They're not Ethernet II, mostly deprecated, so no real value gained from attempting to implement them. Though, it wouldn't be too hard to do so with this patch in place.

If anyone finds any bugs, please let me know. The attached patch applies on top of snort-2.9.2-beta.

Enjoy!

--
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us. And our lives slip away, moment by moment, lost in that vast, terrible in-between."
--Emperor Turhan, Centauri Republic
Attachment:
snort-2.9.2-ether_type-support.patch
Description:
Attachment:
signature.asc
Description: OpenPGP digital signature
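The following is a stand-alone model of the ether_type option as the post documents it, added to this archive page as an illustration; it is not code from the patch or from Snort. It assumes exactly the syntax in the post ([op] of '!', '<' or '>', the named-value table, hex or decimal numbers limited to 0x600..0xffff), reads the ethertype from bytes 12-13 of an Ethernet II frame, and steps over one 802.1Q tag to the inner ethertype the way the post says DecodeVlan() falls through. The two sample frames are constructed for this example, not taken from the linked captures, and the function names are this example's own.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Named ethertype values, copied from the option documentation in the post. */
static const struct { const char *name; uint16_t value; } ether_names[] = {
    {"xerox", 0x0600}, {"ipv4", 0x0800}, {"x75", 0x0801},  {"nbs", 0x0802},
    {"ecma", 0x0803},  {"chaos", 0x0804}, {"x25", 0x0805}, {"arp", 0x0806},
    {"rarp", 0x0835},  {"wol", 0x0842},  {"ax25", 0x08ff}, {"decnet", 0x6003},
    {"apple", 0x809b}, {"aarp", 0x80f3}, {"vlan", 0x8100}, {"netbeui", 0x8191},
    {"ipx", 0x8137},   {"snmp", 0x814c}, {"ipv6", 0x86dd}, {"slow", 0x8809},
    {"ppp", 0x880b},   {"mpls", 0x8847}, {"pppoed", 0x8863}, {"pppoes", 0x8864},
    {"eapol", 0x888e}, {"aoe", 0x88a2},  {"lldp", 0x88cc}, {"fcoe", 0x8906},
    {"fip", 0x8914},   {"tte", 0x891d},  {"loop", 0x9000},
};

/* Parsed form of "ether_type:[op]<type>|<hex_value>"; op '=' means plain equality. */
struct ether_type_opt { char op; uint16_t value; };

/* Parse the option argument. Returns 0 on success, -1 if the text is rejected. */
int parse_ether_type(const char *arg, struct ether_type_opt *out)
{
    const char *s = arg;
    char op = '=', *end;
    unsigned long v;
    size_t i;

    while (isspace((unsigned char)*s)) s++;
    if (*s == '!' || *s == '<' || *s == '>') op = *s++;
    while (isspace((unsigned char)*s)) s++;
    if (*s == '\0') return -1;

    for (i = 0; i < sizeof ether_names / sizeof ether_names[0]; i++)
        if (strcmp(s, ether_names[i].name) == 0) {
            out->op = op; out->value = ether_names[i].value; return 0;
        }
    v = strtoul(s, &end, 0);                 /* base 0 accepts 0xABCD or decimal */
    if (end == s || *end != '\0') return -1; /* not a complete number */
    if (v < 0x600 || v > 0xffff) return -1;  /* range rule stated in the post */
    out->op = op; out->value = (uint16_t)v;
    return 0;
}

/* Convenience for checking: parsed value of an argument, or -1 if rejected. */
int parsed_ether_value(const char *arg)
{
    struct ether_type_opt o;
    return parse_ether_type(arg, &o) == 0 ? (int)o.value : -1;
}

/* Apply the operator to a frame's ethertype. */
int ether_type_match(const struct ether_type_opt *o, uint16_t et)
{
    switch (o->op) {
    case '!': return et != o->value;
    case '<': return et <  o->value;
    case '>': return et >  o->value;
    default:  return et == o->value;
    }
}

/* Ethertype of an Ethernet II frame, looking through one 802.1Q tag
 * (the VLAN fall-through the post describes). Returns -1 if too short. */
int frame_ether_type(const uint8_t *frame, size_t len, uint16_t *et)
{
    size_t off = 12;                          /* after dst MAC + src MAC */
    uint16_t t;
    if (len < off + 2) return -1;
    t = (uint16_t)(frame[off] << 8 | frame[off + 1]);
    if (t == 0x8100) {                        /* tag: 2-byte TCI, then inner type */
        off += 4;
        if (len < off + 2) return -1;
        t = (uint16_t)(frame[off] << 8 | frame[off + 1]);
    }
    *et = t;
    return 0;
}

/* Constructed sample: IPX (0x8137) behind an 802.1Q tag for VLAN 100. */
static const uint8_t sample_vlan_ipx[] = {
    0x01,0x02,0x03,0x04,0x05,0x06, 0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
    0x81,0x00, 0x00,0x64, 0x81,0x37, 0xff,0xff, 0x00,0x1e, 0x00, 0x04 };

/* Constructed sample: plain Ethernet II frame carrying DECnet (0x6003). */
static const uint8_t sample_decnet[] = {
    0xaa,0x00,0x04,0x00,0x01,0x04, 0xaa,0x00,0x04,0x00,0x02,0x04,
    0x60,0x03, 0x0a,0x00, 0x02,0x2a, 0x01 };

/* Evaluate one ether_type argument against a frame: 1 = match, 0 = no match, -1 = error. */
int rule_hits_frame(const char *arg, const uint8_t *frame, size_t len)
{
    struct ether_type_opt o;
    uint16_t et;
    if (parse_ether_type(arg, &o) != 0) return -1;
    if (frame_ether_type(frame, len, &et) != 0) return -1;
    return ether_type_match(&o, et);
}

int main(void)
{
    const char *args[] = { "ipx", "!ipx", ">0x8000", "decnet", "0x5ff" };
    size_t i;
    for (i = 0; i < sizeof args / sizeof args[0]; i++)
        printf("ether_type:%-8s VLAN/IPX -> %2d   DECnet -> %2d\n", args[i],
               rule_hits_frame(args[i], sample_vlan_ipx, sizeof sample_vlan_ipx),
               rule_hits_frame(args[i], sample_decnet, sizeof sample_decnet));
    return 0;
}
```

Because the tag is skipped before comparison, "ether_type:vlan" never matches a tagged frame in this model, which is the same behaviour the post describes for DecodeVlan(); a frame cut off inside the tag is reported as an error rather than matched against a half-read value.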
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- [PATCH] Add non-IP layer 3 detection via new 'ether_type' keyword and 'eth' protocol Joshua Kinard (Nov 13)
- Re: [PATCH] Add non-IP layer 3 detection via new 'ether_type' keyword and 'eth' protocol Joshua Kinard (Nov 20)
- Re: [PATCH] Add non-IP layer 3 detection via new 'ether_type' keyword and 'eth' protocol Joshua Kinard (Dec 26)