Re: A question on ethernet padding

[James Lay <jlay () slave-tothe-box net>]

On 2014-01-23 13:20, Jeremy Hoel wrote:
> So there you go.. I was trying various offsets and depths and didn't
> seem to get it.  But I'll try that.  Thanks!
>
>
> BTW - Should that be part of the rule?  Since you wouldn't want those
> to fire if they had 0 data?
>
>
>
> On Thu, Jan 23, 2014 at 8:17 PM, James Lay <jlay () slave-tothe-box net> 
> wrote:
> > On 2014-01-23 12:54, Jeremy Hoel wrote:
> > > I was wondering kind of the same question.. in regards to those new
> > > ICMP rules.  NetApps doing have any ICMP data, just the main 
> > > requests,
> > > but there seems to always be 10 bytes |00| in what wireshark calls
> > > padding, and I'm curious if I can write the rule around that.
> > >
> > > On Thu, Jan 23, 2014 at 4:07 PM, James Lay 
> > > <jlay () slave-tothe-box net>
> > > wrote:
> > > > Does snort treat ethernet padding as data?  Wireshark shows that I 
> > > > have
> > > > 1 byte of data in a packet after my ethernet and ip headers.  My
> > > > ethernet header, normally 14 bytes, includes 17 bytes of Padding.  
> > > > Does
> > > > snort consider the padding as data?  Trying to figure out what 
> > > > offset
> > > > and depth to use on this rule.  Hope I'm explaining this 
> > > > well..thanks
> > > > all.
> > > >
> > > > James
> >
> >
> > An end around around to NOT see these can be to add dsize:>1; to 
> > your
> > rule...should nuke out these zero data pings.
> >
> > James

Yea..I've been making specific rules to match standard ping types that 
are anomalous, and then a catch all rule.  Here's my catch all so far:

alert icmp any any -> any any (msg:"Unusual PING detected"; icode:0; 
itype:8; fragbits:!M; ttl:>10; dsize:>5; 
content:!"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; 
content:!"0123456789abcdefghijklmnopqrstuv"; depth:32; 
content:!"abcdefghijklmnopqrstuvwabcdefghi"; depth:32; 
classtype:bad-unknown; sid:10000119; rev:4;)

It's been a neat exercise seeing how I can hone it to fire on just 
what's weird, not what's usual.

James

------------------------------------------------------------------------------
CenturyLink Cloud: The Leader in Enterprise Cloud Services.
Learn Why More Businesses Are Choosing CenturyLink Cloud For
Critical Workloads, Development Environments & Everything In Between.
Get a Quote or Start a Free Trial Today. 
http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!