Snort mailing list archives
Re: Detecting tunnels?
From: Mark Horn <mark-dated-1021065915.742a17 () hornclan com>
Date: Fri, 3 May 2002 17:25:14 -0400
On Fri, May 03, 2002 at 03:50:13PM -0400, Chris Green wrote:
> There's no really good functionality to add this level of application level time delay fingerprinting. Providing the correct hooks for this will be an interesting challenge. We could use the preexisting tag type structure or perhaps we could have a per IP pair "metasession" tracker that is applied to every session. This IP<->IP tracker would contain information regarding signatures that the session has already set off. Hrm. Food for thought. Are there any other unique aspects of GNU http tunnel?
Well this isn't specific to GNU httptunnel, but the thing that scares me about it is the ability to tunnel SSH on top of it. And then, from there, set up port forwarding from the outside, right past the firewalls, back to the inside. And if someone is really bold, they might run a PPP over SSH VPN which would allow *anyone* on the internet unfettered access to the internal network.

So what I'm trying to do is detect this kind of thing. One way to do this would be to look at the contents of the HTTP GET that comes back. If it's an SSH protocol ID (instead of HTML) that would indicate someone tunnelling SSH over HTTP. Which is the thing that I'm really scared of.

Below is the output from 'snort -vd tcp port 1111' for what the HTTP GET looks like. I have sanitized this somewhat and cut out only the interesting packets. The first packet is the HTTP GET, the second packet is the HTTP POST. The third packet is the response to the GET, and the last packet is what the POST sends back. You can see the SSH protocol negotiation.

Certainly if there would be a way to write a rule that would say, when you see an HTTP GET and the response is 'SSH-blah-blah', then alert that as a tunnel attempt. That would work for what I'm trying to do, also. Alternatively, if you see a HTTP POST and then later on in that same stream you see 'SSH-blah-blah' then you know also, that this is SSH encapsulated w/in HTTP.

Thanks for the help.

- Mark

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
05/03-11:16:16.473594 yyy.yyy.yyy.yyy:47273 -> xxx.xxx.xxx.xxx:1111
TCP TTL:56 TOS:0x0 ID:25153 IpLen:20 DgmLen:258 DF
***AP*** Seq: 0xDB2202CE  Ack: 0x6DF5F663  Win: 0xFAF0  TcpLen: 20
47 45 54 20 2F 69 6E 64 65 78 2E 68 74 6D 6C 20  GET /index.html 
48 54 54 50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20  HTTP/1.0..Host: 
61 75 64 6C 69 6E 2E 64 6E 73 61 6C 69 61 73 2E  XXXXXX.xxxxxxxx.
6F 72 67 3A 38 38 38 38 0D 0A 43 6C 69 65 6E 74  org:1111..Client
2D 69 70 3A 20 31 37 31 2E 31 36 33 2E 31 33 33  -ip: zzz.zzz.zzz
2E 31 38 32 0D 0A 56 69 61 3A 20 48 54 54 50 2F  .zzz..Via: HTTP/
31 2E 31 20 63 6C 74 63 61 63 68 65 32 5B 41 42  1.1 wwwwwwwww[XX
41 33 30 31 33 39 5D 20 28 54 72 61 66 66 69 63  XXXXXX] (xxxxxxx
2D 53 65 72 76 65 72 2F 34 2E 30 2E 39 20 5B 75  -xxxxxx/xxxxx [x
53 63 4D 5D 29 2C 20 48 54 54 50 2F 31 2E 31 20  xxx]), HTTP/1.1 
73 70 78 79 63 6C 74 31 5B 41 42 42 36 45 46 39  wwwwwwww[XXXXXXX
43 5D 20 28 54 72 61 66 66 69 63 2D 53 65 72 76  X] (xxxxxxx-xxxx
65 72 2F 34 2E 30 2E 39 2D 31 31 36 34 31 20 5B  xx/xxxxx=xxxxx [
75 53 63 4D 5D 29 0D 0A 0D 0A                    xxxx])....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
05/03-11:16:16.487128 yyy.yyy.yyy.yyy:47272 -> xxx.xxx.xxx.xxx:1111
TCP TTL:56 TOS:0x0 ID:25154 IpLen:20 DgmLen:283 DF
***AP*** Seq: 0xDB1A26B2  Ack: 0x6DD64072  Win: 0xFAF0  TcpLen: 20
50 4F 53 54 20 2F 69 6E 64 65 78 2E 68 74 6D 6C  POST /index.html
20 48 54 54 50 2F 31 2E 30 0D 0A 48 6F 73 74 3A   HTTP/1.0..Host:
20 61 75 64 6C 69 6E 2E 64 6E 73 61 6C 69 61 73   XXXXXX.xxxxxxxx
2E 6F 72 67 3A 38 38 38 38 0D 0A 43 6F 6E 74 65  .org:1111..Conte
6E 74 2D 4C 65 6E 67 74 68 3A 20 31 30 32 34 30  nt-Length: 10240
30 0D 0A 43 6C 69 65 6E 74 2D 69 70 3A 20 31 37  0..Client-ip: zz
31 2E 31 36 33 2E 31 33 33 2E 31 38 32 0D 0A 56  z.zzz.zzz.zzz..V
69 61 3A 20 48 54 54 50 2F 31 2E 31 20 63 6C 74  ia: HTTP/1.1 xxx
63 61 63 68 65 32 5B 41 42 41 33 30 31 33 39 5D  xxxxxx[XXXXXXXX]
20 28 54 72 61 66 66 69 63 2D 53 65 72 76 65 72   (xxxxxxx-xxxxxx
2F 34 2E 30 2E 39 20 5B 75 53 63 4D 5D 29 2C 20  /xxxxx [xxxx]), 
48 54 54 50 2F 31 2E 31 20 73 70 78 79 63 6C 74  HTTP/1.1 xxxxxxx
31 5B 41 42 42 36 45 46 39 43 5D 20 28 54 72 61  x[XXXXXXXX] (xxx
66 66 69 63 2D 53 65 72 76 65 72 2F 34 2E 30 2E  xxxx-xxxxxx/xxxx
39 2D 31 31 36 34 31 20 5B 75 53 63 4D 5D 29 0D  x-xxxxx [xxxx].
0A 0D 0A                                         ...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
05/03-11:16:16.498727 xxx.xxx.xxx.xxx:1111 -> yyy.yyy.yyy.yyy:47273
TCP TTL:64 TOS:0x10 ID:28322 IpLen:20 DgmLen:209 DF
***AP*** Seq: 0x6DF5F663  Ack: 0xDB2203A8  Win: 0x1920  TcpLen: 20
48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D  HTTP/1.1 200 OK.
0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A  .Content-Length:
20 31 30 32 34 30 30 0D 0A 43 6F 6E 6E 65 63 74   102400..Connect
69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 50 72 61 67  ion: close..Prag
6D 61 3A 20 6E 6F 2D 63 61 63 68 65 0D 0A 43 61  ma: no-cache..Ca
63 68 65 2D 43 6F 6E 74 72 6F 6C 3A 20 6E 6F 2D  che-Control: no-
63 61 63 68 65 2C 20 6E 6F 2D 73 74 6F 72 65 2C  cache, no-store,
20 6D 75 73 74 2D 72 65 76 61 6C 69 64 61 74 65   must-revalidate
0D 0A 45 78 70 69 72 65 73 3A 20 30 0D 0A 43 6F  ..Expires: 0..Co
6E 74 65 6E 74 2D 54 79 70 65 3A 20 74 65 78 74  ntent-Type: text
2F 68 74 6D 6C 0D 0A 0D 0A                       /html....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
05/03-11:16:16.554359 xxx.xxx.xxx.xxx:1111 -> yyy.yyy.yyy.yyy:47273
TCP TTL:64 TOS:0x10 ID:28324 IpLen:20 DgmLen:85 DF
***AP*** Seq: 0x6DF5F70D  Ack: 0xDB2203A8  Win: 0x1920  TcpLen: 20
00 2B 53 53 48 2D 32 2E 30 2D 4F 70 65 6E 53 53  .+SSH-2.0-OpenSS
48 5F 33 2E 30 2E 32 70 31 20 44 65 62 69 61 6E  H_3.0.2p1 Debian
20 31 3A 33 2E 30 2E 32 70 31 2D 39 0A            1:3.0.2p1-9.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
05/03-11:16:16.806983 yyy.yyy.yyy.yyy:47272 -> xxx.xxx.xxx.xxx:1111
TCP TTL:56 TOS:0x0 ID:25158 IpLen:20 DgmLen:70 DF
***AP*** Seq: 0xDB1A27A9  Ack: 0x6DD64072  Win: 0xFAF0  TcpLen: 20
02 00 1B 53 53 48 2D 32 2E 30 2D 50 75 54 54 59  ...SSH-2.0-PuTTY
2D 52 65 6C 65 61 73 65 2D 30 2E 35 32 0A        -Release-0.52.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
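The two checks Mark describes (an HTTP response whose body is an SSH identification string instead of HTML, and a POST whose body carries one) can be expressed as a small stream-content detector. The Python below is an added example written for this archive page; it is not code from the thread, from Snort, or from GNU httptunnel. The sample messages are constructed to follow the capture above with trimmed headers and a placeholder hostname (tunnel.example.invalid), and the 64-byte search window and the framing-byte assumption (the 00 2B and 02 00 1B seen before each banner) are this example's own choices.

```python
import re

# SSH identification string, "SSH-protoversion-softwareversion", as the SSH
# transport protocol defines it. Both banners in the capture above match it.
SSH_BANNER_RE = re.compile(rb"SSH-(?:1\.99|1\.5|2\.0)-[^\r\n]{1,253}\r?\n")

# How far into a body to look. httptunnel wraps each chunk in a few framing
# bytes (00 2B before the server banner, 02 00 1B before the client banner in
# the capture), so the banner sits near offset 0 rather than exactly at it.
# The window size is an assumption of this example.
BANNER_WINDOW = 64


def split_http_message(data):
    """Split one raw HTTP message into (start_line, headers, body).

    Returns None when the blank line ending the header block is absent.
    Header names are lower-cased bytes; values keep their bytes unchanged.
    """
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_ssh_banner(body):
    """Return the SSH banner (without its newline) found within the first
    BANNER_WINDOW bytes of body, or None if there is none."""
    match = SSH_BANNER_RE.search(body, 0, BANNER_WINDOW)
    if match is None:
        return None
    return match.group(0).rstrip(b"\r\n").decode("ascii", "replace")


def scan_http_message(data):
    """Apply both heuristics from the thread to one reassembled HTTP message.

    server->client: a response whose body carries an SSH banner (the GET leg)
    client->server: a POST whose body carries an SSH banner (the POST leg)
    Returns an alert dict, or None when nothing suspicious is seen.
    """
    parsed = split_http_message(data)
    if parsed is None:
        return None
    start_line, headers, body = parsed
    if start_line.startswith(b"HTTP/"):
        direction = "server->client"
    elif start_line.startswith(b"POST "):
        direction = "client->server"
    else:
        return None
    banner = find_ssh_banner(body)
    if banner is None:
        return None
    declared = headers.get(b"content-type", b"").decode("ascii", "replace")
    return {"direction": direction, "banner": banner, "declared_type": declared}


# Constructed samples modelled on the capture in the thread (headers trimmed,
# hostname replaced by a placeholder). Not real traffic.
SERVER_LEG = (
    b"HTTP/1.1 200 OK\r\nContent-Length: 102400\r\nConnection: close\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"\x00+SSH-2.0-OpenSSH_3.0.2p1 Debian 1:3.0.2p1-9\n"
)
CLIENT_LEG = (
    b"POST /index.html HTTP/1.0\r\nHost: tunnel.example.invalid:1111\r\n"
    b"Content-Length: 102400\r\n\r\n"
    b"\x02\x00\x1bSSH-2.0-PuTTY-Release-0.52\n"
)
PLAIN_PAGE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body>Welcome</body></html>\n"
)

if __name__ == "__main__":
    samples = (("GET leg", SERVER_LEG), ("POST leg", CLIENT_LEG), ("plain page", PLAIN_PAGE))
    for label, msg in samples:
        print(label, "->", scan_http_message(msg))
```

Two caveats matter in practice. First, the banner in the capture arrives in a separate TCP segment from the HTTP headers, so a per-packet content match on the HTTP port would never see headers and banner together; the check has to run on the reassembled stream, which is what Snort's stream reassembly provides. Second, this is a content heuristic: an HTML page that happens to begin with the text "SSH-2.0-" inside the search window would trigger it, and a tunnel that pads or obfuscates its first chunk would evade it, so it complements rather than replaces the timing and metasession ideas Chris raises.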
Current thread:
- Detecting tunnels? Mark Horn (May 03)
- Re: Detecting tunnels? Chris Green (May 03)
- Re: Detecting tunnels? Mark Horn (May 05)
- Re: Detecting tunnels? Chris Green (May 03)