Snort mailing list archives

Re: More fun with IP Option lrsse


From: Todd Wease <twease () sourcefire com>
Date: Mon, 09 Jul 2007 12:25:50 -0400

Jeffrey Denton wrote:
Snort_test.conf:

var HOME_NET any
var EXTERNAL_NET any
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
preprocessor flow: stats_interval 0 hash 2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
output alert_syslog: LOG_AUTH LOG_ALERT
include /etc/snort/classification.config
include /etc/snort/reference.config
# Rules from misc.rules file
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lsrr"; ipopts:lsrr; reference:arachnids,418; reference:bugtraq,646; reference:cve,1999-0510; reference:cve,1999-0909; reference:url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx; classtype:bad-unknown; sid:500; rev:7;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lsrre"; ipopts:lsrre; reference:arachnids,420; reference:bugtraq,646; reference:cve,1999-0909; reference:url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx; classtype:bad-unknown; sid:501; rev:7;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route ssrr"; ipopts:ssrr ; reference:cve,1999-0510; classtype:bad-unknown; sid:502; rev:4;)

The tool sendip needs a hostname.
/etc/hosts:
192.168.1.2    storage

# snort -c /etc/snort/snort_test.conf -i eth0

Sid:500 and sid:501 triggered when the following command is run:
# sendip -p ipv4 -is 192.168.1.1 -id 192.168.1.2 -iolsr 04:192.168.1.1 -ioeol -p tcp -ts 1025 -td 21 storage

Sid:502 triggered when the following command is run:
# sendip -p ipv4 -is 192.168.1.1 -id 192.168.1.2 -iossr 04:192.168.1.1 -ioeol -p tcp -ts 1025 -td 21 storage

I was unable to get sid:501 to trigger with the following command:
# sendip -p ipv4 -is 192.168.1.1 -id 192.168.1.2 -ionum 84 -ionop -ioeol -p tcp -ts 1025 -td 21 storage

http://www.cochiselinux.org/files/lsrr.pcap
This file contains four packets with the IP option for lsrr.  Sid:500
and sid:501 are triggered when the following command is run:
# snort -c snort_test.conf -r lsrr.pcap

http://www.cochiselinux.org/files/lsrre.pcap
I used netdude to change the IP option value from 131 (0x83) to 132
(0x84).  I was unable to get sid:501 to trigger with the following
command:
# snort -c snort_test.conf -r lsrre.pcap


Thanks for pointing this out Jeffrey.  The problem is in the parsing
code in detection-plugins/sp_ipoption_check.c line 163:

    else if(!strncasecmp(data, "lsrr", 4))
    {
        ds_ptr->ip_option = IPOPT_LSRR;
        return;
    }
    else if(!strncasecmp(data, "lsrre", 5))
    {
        ds_ptr->ip_option = IPOPT_LSRR_E;
        return;
    }


'lsrre' was matching at the first condition.  Not sure yet what release
the fix will go in, but in the meantime the attached patch can be used.

Thanks
Todd
Index: src/detection-plugins/sp_ipoption_check.c
===================================================================
RCS file: /usr/cvsroot-snort/snort/src/detection-plugins/sp_ipoption_check.c,v
retrieving revision 1.16
diff -p -u -r1.16 sp_ipoption_check.c
--- src/detection-plugins/sp_ipoption_check.c   20 Oct 2003 15:03:30 -0000      1.16
+++ src/detection-plugins/sp_ipoption_check.c   9 Jul 2007 16:22:36 -0000
@@ -160,14 +160,14 @@ void ParseIpOptionData(char *data, OptTr
         ds_ptr->ip_option = IPOPT_SECURITY;
         return;
     }
-    else if(!strncasecmp(data, "lsrr", 4))
+    else if(!strncasecmp(data, "lsrre", 5))
     {
-        ds_ptr->ip_option = IPOPT_LSRR;
+        ds_ptr->ip_option = IPOPT_LSRR_E;
         return;
     }
-    else if(!strncasecmp(data, "lsrre", 5))
+    else if(!strncasecmp(data, "lsrr", 4))
     {
-        ds_ptr->ip_option = IPOPT_LSRR_E;
+        ds_ptr->ip_option = IPOPT_LSRR;
         return;
     }
     else if(!strncasecmp(data, "satid", 5))
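Review bot: swapping the two branches cures the "lsrre" case, but every test in this chain is still a prefix match (strncasecmp with the keyword's own length), so the result keeps depending on branch order: after this patch a token such as "lsrrfoo" is silently accepted as lsrr, and the same trap reappears if any future keyword extends an existing one (the "satid" test that follows uses the identical pattern). Comparing the whole token instead, e.g. `strcasecmp(data, "lsrre") == 0`, or checking that the character after the matched prefix terminates the token, would make the parser correct regardless of ordering and reject misspelled keywords instead of mapping them to a neighbouring option.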
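The prefix-match bug described above, as an added stand-alone illustration (not Snort's code): `parse_prefix_buggy` reproduces the original branch order, and `parse_exact` shows a whole-token comparison that does not depend on ordering. Function names, the `OPT_*` enum and the sample tokens are constructed for this example; the numeric values are the IP option type bytes (131 for lsrr, 132 for the "lsrre" variant, 137 for ssrr).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-ins for Snort's IPOPT_* codes; the values are the
 * on-the-wire IP option type bytes (131 = 0x83, 132 = 0x84, 137 = 0x89). */
enum { OPT_NONE = 0, OPT_LSRR = 131, OPT_LSRR_E = 132, OPT_SSRR = 137 };

/* Original branch order: the 4-byte prefix test for "lsrr" runs first,
 * so "lsrre" never reaches its own branch and is reported as lsrr. */
static int parse_prefix_buggy(const char *data)
{
    if (!strncasecmp(data, "lsrr", 4))  return OPT_LSRR;
    if (!strncasecmp(data, "lsrre", 5)) return OPT_LSRR_E;
    if (!strncasecmp(data, "ssrr", 4))  return OPT_SSRR;
    return OPT_NONE;
}

/* Whole-token comparison: the keyword must be followed only by optional
 * trailing whitespace (the quoted rule set spells one option "ssrr ;"). */
static int keyword_is(const char *data, const char *kw)
{
    size_t n = strlen(kw);
    if (strncasecmp(data, kw, n) != 0)
        return 0;
    const char *p = data + n;
    while (*p != '\0' && isspace((unsigned char)*p))
        p++;
    return *p == '\0';
}

/* Exact matching: branch order no longer matters, and an unknown
 * keyword such as "lsrrx" is rejected instead of mapped to lsrr. */
static int parse_exact(const char *data)
{
    if (keyword_is(data, "lsrr"))  return OPT_LSRR;
    if (keyword_is(data, "lsrre")) return OPT_LSRR_E;
    if (keyword_is(data, "ssrr"))  return OPT_SSRR;
    return OPT_NONE;
}

int main(void)
{
    const char *tokens[] = { "lsrr", "lsrre", "ssrr ", "lsrrx" };
    for (size_t i = 0; i < sizeof tokens / sizeof tokens[0]; i++)
        printf("%-6s buggy=%3d exact=%3d\n", tokens[i],
               parse_prefix_buggy(tokens[i]), parse_exact(tokens[i]));
    return 0;
}
```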
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net