Snort mailing list archives
Re: [Emerging-Sigs] Detecting bad UDP Header in packet
From: Jason Williams <jwilliams () emergingthreats net>
Date: Tue, 15 Aug 2017 11:41:00 -0500
Bill, Thanks for the mail, always fun to look at things like this. First off, this pcap is kinda weird, assuming it may have been manipulated a bit for analysis, there might be some introduced issues with it that are making engines act weird. I think the core issue is that you are attempting to match on content in the IP header as well as content in the Data portion of the packet, which is udp. By using the udp protocol in your rule, you are effectively saying " ip[9]=0x11". A rule that fires for me in snort looks like the below: alert udp any any -> any any (msg:"mailing list"; content:"2e"; depth:2; sid:5005017; rev:1;) Normally we use |2e| but this pcap seems to want this hex in an unescaped form. ? I'm not able to get the pcap to trigger anything in suricata with content matches. Odd stuff, but hopefully this gets you a little bit further down the road. On Tue, Aug 15, 2017 at 10:34 AM, BILL LARIVIERE <Bill.LaRiviere () regions com
wrote:
All, We have had some unique packets find their way to our network. The IP header looks to be intact and was routed normally. While looking at the packets in tcpdump and wireshark, an anomaly was detected. It appears that at IP offset 9, the protocol is identified as UDP (offset9=0x11). And when you look at IP offset 20 (UDP header offset 0) you see 0x2e. This of course should be part of the source UDP port, not a period. When I look at the pcap in Wireshark, there is not a “UDP Datagram” that starts at IP offset 20, rather “Data” starts there. I believe this to be caused by an invalid port number in the “UDP Datagram” portion of the IP Header. When I run tcpdump on the pcap file with ip[9]=0x11 and ip[20]=0x2e the packets in questions are identified. My question for the group is with snort/suricata. I have attempted to run snort with the snort rule alert ip … content:”|2e|”; depth:4; offset:0…. With no success. My understanding of offset is it uses the payload as the reference point to start inspection. With that in mind, the payload to me would be “Data” portion of the IP packet. This offset did not fire an alert. I have played with all kinds of offset and depth settings searching for the portion of the packet where the period has been used for the port. To no avail. What am I missing? Pcap file attached with 2 packets that I am wanting to alert on. Thanks, Bill LaRiviere GCIA _______________________________________________ Emerging-sigs mailing list Emerging-sigs () lists emergingthreats net https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists snort org https://lists.snort.org/mailman/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
Current thread:
- Detecting bad UDP Header in packet BILL LARIVIERE via Snort-sigs (Aug 15)
- Re: Detecting bad UDP Header in packet Y M via Snort-sigs (Aug 15)
- Re: Detecting bad UDP Header in packet Al Lewis (allewi) via Snort-sigs (Aug 15)
- Re: [Emerging-Sigs] Detecting bad UDP Header in packet Jason Williams (Aug 19)