Snort mailing list archives

Re: [Emerging-Sigs] Detecting bad UDP Header in packet


From: Jason Williams <jwilliams () emergingthreats net>
Date: Tue, 15 Aug 2017 11:41:00 -0500

Bill,

Thanks for the mail, always fun to look at things like this.

First off, this pcap is kinda weird, assuming it may have been manipulated
a bit for analysis, there might be some introduced issues with it that are
making engines act weird.

I think the core issue is that you are attempting to match on content in
the IP header as well as content in the Data portion of the packet, which
is udp. By using the udp protocol in your rule, you are effectively saying
"ip[9]=0x11".

A rule that fires for me in snort looks like the below:

alert udp any any -> any any (msg:"mailing list"; content:"2e"; depth:2; sid:5005017; rev:1;)

Normally we use |2e| but this pcap seems to want this hex in an unescaped
form. ?

I'm not able to get the pcap to trigger anything in suricata with content
matches.

Odd stuff, but hopefully this gets you a little bit further down the road.


On Tue, Aug 15, 2017 at 10:34 AM, BILL LARIVIERE <Bill.LaRiviere () regions com> wrote:

All,

We have had some unique packets find their way to our network.  The IP
header looks to be intact and was routed normally.  While looking at the
packets in tcpdump and wireshark, an anomaly was detected.  It appears that
at IP offset 9, the protocol is identified as UDP (offset9=0x11).  And when
you look at IP offset 20 (UDP header offset 0) you see 0x2e.  This of
course should be part of the source UDP port, not a period.  When I look at
the pcap in Wireshark, there is not a “UDP Datagram” that starts at IP
offset 20, rather “Data” starts there.  I believe this to be caused by an
invalid port number in the “UDP Datagram” portion of the IP Header.  When I
run tcpdump on the pcap file with ip[9]=0x11 and ip[20]=0x2e the packets in
question are identified.  My question for the group is with
snort/suricata.

I have attempted to run snort with the snort rule alert ip …
content:"|2e|"; depth:4; offset:0…. With no success.  My understanding of
offset is it uses the payload as the reference point to start inspection.
With that in mind, the payload to me would be “Data” portion of the IP
packet.  This offset did not fire an alert.  I have played with all kinds
of offset and depth settings searching for the portion of the packet where
the period has been used for the port.  To no avail.  What am I missing?

Pcap file attached with 2 packets that I am wanting to alert on.

Thanks,

Bill LaRiviere  GCIA
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () lists emergingthreats net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs