Snort mailing list archives

Re: What wins? TCP headers or packet contents?


From: Chris Green <cmg () sourcefire com>
Date: Thu, 12 Sep 2002 20:31:27 -0400

John Sage <jsage () finchhaven com> writes:

Let me bring the question up to the top:

So the question for the snort list is:

What wins:

TCP header stuff: i.e. the destination port,

or,

Packet contents stuff: i.e. a hex series within the payload of a
packet, but with no match on destination port?

<snip>


Executive summary:

Twice (once real-time, once on replay against a binary log file) I
have packets matching an rpc.rules by content (a hex sequence) but not
by the destination port stated in the rule.


Let's chop up this mail a bit. There's no notion of what wins because
it's a logical AND of the portions in the rule header and in the rule
options list.

The rule:

"Check TCP traffic from $EXTERNAL_NET with any source port to HOME_NET
port 32770 or above and look for Foo flags with a content of
OOOOOOOOOOOOOO02010186A1 starting 5 bytes into the packet"

rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; flags:A+; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5; reference:arachnids,9; classtype:attempted-recon; sid:1278; rev:3;)
<snip>

The alert & packet:

[**] [1:1278:3] RPC rstatd query [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/08/02-16:52:31.887141 63.100.47.45:80 -> 12.82.131.145:63498
TCP TTL:49 TOS:0x0 ID:64237 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xE9A99172  Ack: 0xE9926FEA  Win: 0x1920  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1557233190 427655814 
[Xref => http://www.whitehats.com/info/IDS9]
<snip>

which is this packet, by timestamp, and which I am certain is a
portion of a gzipped file:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/08-16:52:31.887141 63.100.47.45:80 -> 12.82.131.145:63498
TCP TTL:49 TOS:0x0 ID:64237 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xE9A99172  Ack: 0xE9926FEA  Win: 0x1920  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1557233190 427655814 
0x0000: 45 00 05 DC FA ED 40 00 31 06 4A BA 3F 64 2F 2D  E.....@.1.J.?d/-
0x0010: 0C 52 83 91 00 50 F8 0A E9 A9 91 72 E9 92 6F EA  .R...P.....r..o.
0x0020: 80 10 19 20 DD C3 00 00 01 01 08 0A 5C D1 7E 26  ... ........\.~&
0x0030: 19 7D 82 86 5F 46 36 63 49 66 61 57 3A 68 32 61  .}.._F6cIfaW:h2a
0x0040: 46 7C 63 37 6D 48 63 49 66 32 5F 2E 69 40 41 36  F|c7mHcIf2_.i@A6
0x0050: 75 3A 49 68 5F 46 36 63 49 66 61 57 3A 68 32 61  u:Ih_F6cIfaW:h2a
0x0060: 46 7C 63 37 6D 48 63 49 66 32 5F 2E 69 40 48 7D  F|c7mHcIf2_.i@H}
0x0070: 38 6A 79 38 59 6A 56 28 2E 42 7A 75 3A 3A 64 6D  8jy8YjV(.Bzu::dm
0x0080: 49 68 64 3B 20 57 53 53 5F 47 57 3D 56 31 41 6C  Ihd; WSS_GW=V1Al
0x0090: 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51  QAlQAlQAlQAlQAlQ
0x00A0: 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41  AlQAlQAlQAlQAlQA
0x00B0: 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C  lQAlQAlQAlQAlQAl
0x00C0: 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51  QAlQAlQAlQAlQAlQ
0x00D0: 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41  AlQAlQAlQAlQAlQA
0x00E0: 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C 51 41 6C  lQAlQAlQAlQAlQAl
0x00F0: 51 41 6C 51 7A 25 72 42 51 25 5E 25 72 40 69 3B  QAlQz%rBQ%^%r@i;
0x0100: 20 43 54 47 3D 31 30 32 35 31 39 31 39 31 39 0D   CTG=1025191919.
0x0110: 0A 0D 47 3D 1B 3D 58 0D 02 00 9A 05 00 00 9A 05  ..G=.=X.........
0x0120: 00 00 00 00 0C 04 B2 33 00 03 E3 D9 26 C0 08 00  .......3....&...
0x0130: 45 00 05 8C EB 04 40 00 73 06 FC 52 CC 11 72 09  E.....@.s..R..r.
0x0140: 2E 05 B4 FA 00 50 F9 C1 B3 D2 78 9D 00 01 65 80  .....P....x...e.
0x0150: 50 10 40 B0 46 75 00 00 86 A2 00 00 00 02 00 00  P.@.Fu..........
0x0160: 00 00 00 00 00 01 00 00 00 96 00 00 00 00 00 00  ................
0x0170: 00 96 00 00 00 40 00 00 00 00 00 00 00 00 00 00  .....@..........
0x0180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0x0190: 00 00 00 00 00 00 00 00 00 00 02 00 01 86 A1 00  ................
                 ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^
                   This was at least 5 bytes into the stream :)

<snip>

The offset seems different, but only because we have IP and TCP
headers, above.


-- 
Chris Green <cmg () sourcefire com>
I've had a perfectly wonderful evening. But this wasn't it.
     -- Groucho Marx
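An added illustration of the logical-AND point made in the reply above (example code, not from the thread or from Snort): a tiny evaluator for this one rule's header and option fields, run against a constructed payload that places the 12-byte sequence 351 bytes into the TCP payload, which is where it sits in the dump (0x0193 minus the 52 bytes of IP and TCP header). It ignores the $EXTERNAL_NET/$HOME_NET address variables and understands only the rule syntax used here.

```python
import re

# The rule quoted in the thread, on one line.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; '
        'flags:A+; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5; '
        'reference:arachnids,9; classtype:attempted-recon; sid:1278; rev:3;)')

def port_matches(spec, port):
    """Snort port syntax: 'any', a single port, or 'lo:hi' with either end open."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return (not lo or int(lo) <= port) and (not hi or port <= int(hi))
    return int(spec) == port

def parse_rule(rule):
    """Pull out the header fields and the few options this example evaluates."""
    header, opts = rule.split("(", 1)
    action, proto, src, sport, _, dst, dport = header.split()
    content = bytes.fromhex(re.search(r'content:"\|([^|]+)\|"', opts).group(1))
    offset = int(re.search(r"offset:(\d+)", opts).group(1))
    flags = re.search(r"flags:([A-Z]+)\+?", opts).group(1)
    return {"proto": proto, "sport": sport, "dport": dport,
            "content": content, "offset": offset, "flags": flags}

def rule_matches(rule, pkt):
    """Header AND options: every part must hold, none of them 'wins' on its own."""
    r = parse_rule(rule)
    header_ok = (pkt["proto"] == r["proto"]
                 and port_matches(r["sport"], pkt["sport"])
                 and port_matches(r["dport"], pkt["dport"]))
    flags_ok = set(r["flags"]) <= set(pkt["flags"])      # 'A+': ACK set, others ignored
    # offset:N starts the content search N bytes into the payload
    content_ok = pkt["payload"].find(r["content"], r["offset"]) != -1
    return header_ok and flags_ok and content_ok

# Constructed stand-in for the gzip fragment in the dump: filler, then the sequence
# 351 bytes into the payload, headed for the high client port 63498 with ACK set.
RSTATD_CONTENT = bytes.fromhex("00000000000000 02 00 01 86 A1")
PAGE_PACKET = {"proto": "tcp", "sport": 80, "dport": 63498, "flags": "A",
               "payload": b"QAl" * 117 + RSTATD_CONTENT + b"\x00"}

if __name__ == "__main__":
    print(rule_matches(RULE, PAGE_PACKET))                              # True
    print(rule_matches(RULE, dict(PAGE_PACKET, dport=111)))             # False
```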



