Snort mailing list archives

Re: Detecting bad UDP Header in packet


From: "Al Lewis (allewi) via Snort-sigs" <snort-sigs () lists snort org>
Date: Tue, 15 Aug 2017 20:48:32 +0000


I get alerts. See below:


[alewis@localhost snort-2.9.9.0-released]$ ./bin/snort  -c etc/BILL.conf -r etc/BILL.pcap -Aconsole:test -k none -q
1 1 1000000 0
2 1 1000000 0



[alewis@localhost snort-2.9.9.0-released]$ cat etc/BILL.conf

include classification.config
include preproc_rules/preprocessor.rules

alert ip any any -> any any (msg:"TEST 1"; content:"|2e|"; offset:0; depth:1; sid:1000000; )


[alewis@localhost snort-2.9.9.0-released]$ tcpdump -n -r etc/BILL.pcap
reading from file etc/BILL.pcap, link-type EN10MB (Ethernet)
00:05:35.032532 IP 212.72.175.170 > 205.255.102.139: ip-proto-17
00:05:35.071103 IP 212.72.175.170 > 205.255.102.139: ip-proto-17





Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of BILL LARIVIERE via Snort-sigs <snort-sigs () lists snort org>
Reply-To: BILL LARIVIERE <Bill.LaRiviere () regions com>
Date: Tuesday, August 15, 2017 at 11:34 AM
To: "emerging-sigs () lists emergingthreats net" <emerging-sigs () lists emergingthreats net>, "snort-sigs () lists snort org" <snort-sigs () lists snort org>
Subject: [Snort-sigs] Detecting bad UDP Header in packet

All,
We have had some unique packets find their way to our network. The IP header looks to be intact and was routed normally. While looking at the packets in tcpdump and Wireshark, an anomaly was detected. It appears that at IP offset 9, the protocol is identified as UDP (offset 9 = 0x11). And when you look at IP offset 20 (UDP header offset 0) you see 0x2e. This of course should be part of the source UDP port, not a period. When I look at the pcap in Wireshark, there is not a "UDP Datagram" that starts at IP offset 20; rather, "Data" starts there. I believe this to be caused by an invalid port number in the "UDP Datagram" portion of the IP header. When I run tcpdump on the pcap file with ip[9]=0x11 and ip[20]=0x2e, the packets in question are identified. My question for the group is with snort/suricata.

I have attempted to run snort with the snort rule alert ip … content:"|2e|"; depth:4; offset:0… with no success. My understanding of offset is that it uses the payload as the reference point to start inspection. With that in mind, the payload to me would be the "Data" portion of the IP packet. This offset did not fire an alert. I have played with all kinds of offset and depth settings searching for the portion of the packet where the period has been used for the port, to no avail. What am I missing?

Pcap file attached with 2 packets that I am wanting to alert on.

Thanks,


Bill LaRiviere  GCIA
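The thread hinges on two things: the tcpdump filter ip[9]=0x11 and ip[20]=0x2e that isolates the packets, and the fact that a packet whose IP protocol field says UDP can still be printed as "ip-proto-17" / "Data" because the bytes after the IP header do not pass a dissector's UDP header checks. The following is an added example, not code from either poster or from the Snort project. It builds three constructed IPv4 packets (the real pcap from the thread is not reproduced), re-implements the BPF filter, applies the usual UDP header sanity checks (at least 8 bytes present, UDP length field consistent with the bytes present), and models which byte an `alert ip` content match with offset:0 would see. The modelling of Snort's content buffer (starting right after the IP header when the transport header is not decoded) is an assumption, consistent with the reply above where content:"|2e|"; offset:0; depth:1 fired, not something verified against Snort source; which of the checks Bill's packets actually tripped is not shown on the page, so the example reports whichever one fails.

```python
"""Constructed example: emulate 'ip[9]=0x11 and ip[20]=0x2e' and show why a
proto-17 packet may not decode as UDP. Not code from the mailing-list thread."""
import socket
import struct

IPPROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 packet (IHL=5, no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the IPv4 header and return the bytes that follow it."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, _tos, total_len, _id, _ff, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {"proto": proto, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "header_ok": ipv4_checksum(pkt[:ihl]) == 0,
            "payload": pkt[ihl:min(total_len, len(pkt))]}


def bpf_matches(pkt: bytes) -> bool:
    """Same test as tcpdump 'ip[9]=0x11 and ip[20]=0x2e' (link layer already stripped)."""
    return len(pkt) > 20 and pkt[9] == IPPROTO_UDP and pkt[20] == 0x2E


def decode_transport(pkt: bytes) -> dict:
    """Apply the UDP header checks a dissector makes. 'layer' is 'udp' when the
    header is accepted, otherwise 'ip-proto-17' plus the reason it was rejected."""
    ip = parse_ipv4(pkt)
    data = ip["payload"]
    if ip["proto"] != IPPROTO_UDP:
        return {"layer": "ip-proto-%d" % ip["proto"], "reason": "not UDP", "data": data}
    if len(data) < 8:
        return {"layer": "ip-proto-17", "data": data,
                "reason": "only %d bytes after IP header; a UDP header needs 8" % len(data)}
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", data[:8])
    if ulen < 8 or ulen > len(data):
        return {"layer": "ip-proto-17", "data": data,
                "reason": "UDP length %d inconsistent with %d bytes present" % (ulen, len(data))}
    return {"layer": "udp", "sport": sport, "dport": dport, "data": data[8:ulen]}


def snort_ip_rule_would_match(pkt: bytes) -> bool:
    """Model of: alert ip any any -> any any (content:"|2e|"; offset:0; depth:1;)
    Assumption: the content buffer starts after the UDP header when UDP decodes,
    and immediately after the IP header when it does not."""
    buf = decode_transport(pkt)["data"]
    return len(buf) >= 1 and buf[0] == 0x2E


# Constructed samples (addresses taken from the tcpdump output in the reply).
SRC, DST = "212.72.175.170", "205.255.102.139"
# A normal datagram: 8-byte UDP header, length field 12, payload "abcd".
GOOD_UDP = build_ipv4(SRC, DST, IPPROTO_UDP, struct.pack("!HHHH", 53, 12345, 12, 0) + b"abcd")
# Protocol says UDP but only four bytes follow the IP header; the first is 0x2e ('.').
SHORT_UDP = build_ipv4(SRC, DST, IPPROTO_UDP, b".\x00\x00\x00")
# Eight bytes are present, but the UDP length field (0x0400) exceeds what is there.
BADLEN_UDP = build_ipv4(SRC, DST, IPPROTO_UDP, b"\x2e\x01\x00\x35\x04\x00\x00\x00")


def describe(pkt: bytes) -> str:
    """One tcpdump-style line per packet, with the rejection reason if any."""
    ip, t = parse_ipv4(pkt), decode_transport(pkt)
    line = "IP %s > %s: %s" % (ip["src"], ip["dst"], t["layer"])
    if t["layer"] == "udp":
        line += " %d > %d" % (t["sport"], t["dport"])
    else:
        line += " (%s)" % t["reason"]
    return line + "  bpf=%s rule=%s" % (bpf_matches(pkt), snort_ip_rule_would_match(pkt))


if __name__ == "__main__":
    for p in (GOOD_UDP, SHORT_UDP, BADLEN_UDP):
        print(describe(p))
```

Running it prints a line per sample: the well-formed datagram decodes as UDP and matches neither the filter nor the rule, while both malformed samples match the filter and, under the stated assumption about the content buffer, the offset:0 rule. When checking a real capture, compare the dissector's rejection reason against Snort's decoder events (gid 116) with the preprocessor rules enabled, and note that the reply's command line also passes -k none, which disables checksum verification.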


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
