Snort mailing list archives
Re: non-standard ping messages
From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 21 Jan 2014 15:56:50 -0700
On 2014-01-21 15:03, Jefferson, Shawn wrote:
With the recent revelations of the Target breach, I was wondering if there is an existing rule that watches for non-standard ping messages crossing the network? That was one of the indicators in this incident, and that seems like something useful to look for anyway, so maybe there is already a rule in either the VRT or ET ruleset. Does anyone know of an existing rule? Thanks! Shawn
Here's what I've been working with:

# Known 32-byte ping payloads that carry extra data (dsize:>32)
alert icmp any any -> any any (msg:"Unusual L3retriever Ping detected"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; dsize:>32; classtype:trojan-activity; sid:10000116; rev:1;)
alert icmp any any -> any any (msg:"Unusual Microsoft Windows Ping detected"; icode:0; itype:8; content:"0123456789abcdefghijklmnopqrstuv"; depth:32; dsize:>32; classtype:trojan-activity; sid:10000117; rev:1;)
alert icmp any any -> any any (msg:"Unusual Microsoft Windows 7 Ping detected"; icode:0; itype:8; content:"abcdefghijklmnopqrstuvwabcdefghi"; depth:32; dsize:>32; classtype:trojan-activity; sid:10000118; rev:1;)
# Unfragmented echo requests whose first 32 bytes match none of the known payloads
alert icmp any any -> any any (msg:"Unusual PING detected"; icode:0; itype:8; fragbits:!M; content:!"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; content:!"0123456789abcdefghijklmnopqrstuv"; depth:32; content:!"abcdefghijklmnopqrstuvwabcdefghi"; depth:32; classtype:trojan-activity; sid:10000119; rev:4;)

My fear was that a bad guy would slip in extra data with known pings, so the first three match on content and size over 32 bytes. The last one will catch any pings that DON'T match anything standard. I'd capture ICMP for a bit and see what's "normal" on your network, then craft around that.

James
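To see what the four rules above actually fire on before deploying them, here is an added example (not code from the thread or from Snort) that re-implements their option semantics in Python and runs them over constructed ICMP echo requests: a stock Windows ping, the same payload with trailing data, an iputils-style Linux ping, an empty payload, and an echo reply. It assumes Snort's ICMP handling as documented: content/dsize see the bytes after the 8-byte echo header, depth:32 limits each search to the first 32 bytes, and content:! requires the pattern to be absent from that window. The IP More-Fragments flag that fragbits:!M inspects is passed in as a parameter, and the Linux payload (16-byte timeval plus bytes 0x10..0x37) is constructed, not captured.

```python
import struct

# Reference payloads copied from the four rules.
L3RETRIEVER = b"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"
WIN_ALT = b"0123456789abcdefghijklmnopqrstuv"
WINDOWS = b"abcdefghijklmnopqrstuvwabcdefghi"
DEPTH = 32  # every content option in the rules carries depth:32

# The rules reduced to the options they use. "content" is a list of
# (pattern, must_be_present); dsize_gt models dsize:>N; no_mf models fragbits:!M.
RULES = [
    dict(sid=10000116, msg="Unusual L3retriever Ping detected",
         content=[(L3RETRIEVER, True)], dsize_gt=32, no_mf=False),
    dict(sid=10000117, msg="Unusual Microsoft Windows Ping detected",
         content=[(WIN_ALT, True)], dsize_gt=32, no_mf=False),
    dict(sid=10000118, msg="Unusual Microsoft Windows 7 Ping detected",
         content=[(WINDOWS, True)], dsize_gt=32, no_mf=False),
    dict(sid=10000119, msg="Unusual PING detected",
         content=[(L3RETRIEVER, False), (WIN_ALT, False), (WINDOWS, False)],
         dsize_gt=None, no_mf=True),
]


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(payload: bytes, itype: int = 8, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Construct an ICMP echo request (type 8) or reply (type 0) with a valid checksum."""
    hdr = struct.pack("!BBHHH", itype, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", itype, 0, csum, ident, seq) + payload


def parse_icmp(pkt: bytes):
    """Split an ICMP message into (type, code, payload); the payload that
    content/dsize inspect starts after the 8-byte echo header, as in Snort."""
    itype, icode, _csum, _ident, _seq = struct.unpack("!BBHHH", pkt[:8])
    return itype, icode, pkt[8:]


def alerts_for(pkt: bytes, more_fragments: bool = False) -> list:
    """Return the sids of the rules above that would fire on this packet.
    more_fragments stands in for the IP MF bit that fragbits:!M checks."""
    itype, icode, payload = parse_icmp(pkt)
    if itype != 8 or icode != 0:          # itype:8; icode:0; on every rule
        return []
    window = payload[:DEPTH]              # depth:32 bounds every content search
    fired = []
    for rule in RULES:
        if rule["dsize_gt"] is not None and len(payload) <= rule["dsize_gt"]:
            continue                      # dsize:>32 not satisfied
        if rule["no_mf"] and more_fragments:
            continue                      # fragbits:!M not satisfied
        # content:"X" needs X inside the window; content:!"X" needs it absent
        if all((pat in window) == present for pat, present in rule["content"]):
            fired.append(rule["sid"])
    return fired


# Constructed sample traffic (not captured data).
# iputils ping on 64-bit Linux: 16-byte struct timeval, then bytes 0x10..0x37 (56 bytes total).
LINUX_PAYLOAD = struct.pack("<QQ", 1390344000, 123456) + bytes(range(0x10, 0x38))
SAMPLES = {
    "windows default ping": build_echo(WINDOWS),
    "windows payload with trailing data": build_echo(WINDOWS + b"id=7;cmd=sleep"),
    "l3retriever payload with trailing data": build_echo(L3RETRIEVER + b"\x00\x01"),
    "linux iputils ping": build_echo(LINUX_PAYLOAD),
    "empty payload ping": build_echo(b""),
    "echo reply, windows payload": build_echo(WINDOWS, itype=0),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:40s} -> {alerts_for(pkt)}")
```

Running it shows the trade-off the rule set makes: the exact 32-byte Windows payload is silent, the same payload with anything appended raises sid 10000118, and any echo request whose first 32 bytes are not one of the three known strings (a Linux ping, an empty payload, a fragmented probe with MF clear) raises sid 10000119. A Linux-heavy segment will therefore hit 10000119 constantly until its own stock payload is added as another negated content, which is the baselining step the post recommends.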
Current thread:
- non-standard ping messages Jefferson, Shawn (Jan 21)
- Re: non-standard ping messages James Lay (Jan 21)