Snort mailing list archives

Re: non-standard ping messages


From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 21 Jan 2014 15:56:50 -0700

On 2014-01-21 15:03, Jefferson, Shawn wrote:
With the recent revelations of the Target breach, I was wondering if
there is an existing rule that watches for non-standard ping messages
crossing the network? That was one of the indicators in this incident
and that seems like something useful to look for anyway, so maybe
there is already a rule in either the VRT or ET ruleset. Does anyone
know of an existing rule?

Thanks!

Shawn

Here's what I've been working with:

alert icmp any any -> any any (msg:"Unusual L3retriever Ping detected"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; dsize:>32; classtype:trojan-activity; sid:10000116; rev:1;)
alert icmp any any -> any any (msg:"Unusual Microsoft Windows Ping detected"; icode:0; itype:8; content:"0123456789abcdefghijklmnopqrstuv"; depth:32; dsize:>32; classtype:trojan-activity; sid:10000117; rev:1;)
alert icmp any any -> any any (msg:"Unusual Microsoft Windows 7 Ping detected"; icode:0; itype:8; content:"abcdefghijklmnopqrstuvwabcdefghi"; depth:32; dsize:>32; classtype:trojan-activity; sid:10000118; rev:1;)
alert icmp any any -> any any (msg:"Unusual PING detected"; icode:0; itype:8; fragbits:!M; content:!"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; content:!"0123456789abcdefghijklmnopqrstuv"; depth:32; content:!"abcdefghijklmnopqrstuvwabcdefghi"; depth:32; classtype:trojan-activity; sid:10000119; rev:4;)

My fear was that a bad guy would slip in extra data with known pings, 
so the first three match on content and size over 32 bytes.  The last 
one will catch any pings that DON'T match anything standard.  I'd 
capture ICMP for a bit and see what's "normal" on your network, then 
craft around that.

James
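An added example (not James's code, nor anything from the Snort project): a Python script that applies the same decisions the four rules above make to constructed ICMP echo requests, and tallies the 32-byte payload prefixes seen in a capture to help build the "normal" baseline James suggests. The packet builder, the helper names and the sample traffic are assumptions for the example; the IP-level fragbits:!M test of the last rule is not modelled.

```python
import struct
from collections import Counter

# 32-byte payload prefixes that the four rules above treat as "known" pings.
KNOWN_PAYLOADS = {
    b"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI": "L3retriever",
    b"0123456789abcdefghijklmnopqrstuv": "Microsoft Windows",
    b"abcdefghijklmnopqrstuvwabcdefghi": "Microsoft Windows 7",
}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo_request(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Construct an ICMP echo request (type 8, code 0) as sample input (assumed helper)."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 8, 0, icmp_checksum(header + payload), ident, seq) + payload

def classify_echo(icmp: bytes):
    """Verdict the rules give for one ICMP packet (IP header already stripped).
    Rules 1-3: known prefix within depth:32 and dsize:>32; rule 4: no known prefix."""
    if len(icmp) < 8 or icmp[0] != 8 or icmp[1] != 0:
        return None  # not an echo request with code 0, so no rule applies
    payload = icmp[8:]  # dsize and content operate on bytes after the ICMP header
    name = KNOWN_PAYLOADS.get(payload[:32])  # a 32-byte pattern inside depth:32
    if name is None:
        return "Unusual PING detected"  # also fires for payloads shorter than 32 bytes
    if len(payload) > 32:
        return "Unusual %s Ping detected" % name
    return "standard"

def baseline_prefixes(packets):
    """Tally the first 32 payload bytes of each echo request in a capture."""
    counts = Counter()
    for pkt in packets:
        if len(pkt) >= 8 and pkt[0] == 8 and pkt[1] == 0:
            counts[pkt[8:40]] += 1
    return counts

if __name__ == "__main__":
    win = b"abcdefghijklmnopqrstuvwabcdefghi"  # constructed sample traffic
    for p in (win, win + b"padding", b"\x00" * 56):
        print(classify_echo(build_echo_request(p)))
```

Feed baseline_prefixes() the ICMP payloads from a short capture and compare its most_common() output against KNOWN_PAYLOADS before enabling the last rule, since anything not in the table will alert.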
