Snort mailing list archives
Re: GRE PPTP/EAP inspection
From: "Al Lewis (allewi) via Snort-sigs" <snort-sigs () lists snort org>
Date: Thu, 26 Mar 2020 23:53:07 +0000
Also, you can export the variable below so you can see the comparison values (or any others). Should help you find where the cursor is.

    Whoa9@whoa9:/var/tmp/snort-2.9.15$ export SNORT_DEBUG=0x0000000000001000LL
    Whoa9@whoa9:/var/tmp/snort-2.9.15$ ./bin/snort -c etc/pptp.conf -r ~/Downloads/pptp_eap.pcap -Acmg -k none -q
    sp_pattern_match.c:195: Plugin: PatternMatch Initialized!
    sp_byte_check.c:699: [*] byte test firing...
    payload starts at 0x5566023849a2
    sp_byte_check.c:763: checking absolute offset 12
    sp_byte_check.c:837: Grabbed 3 bytes at offset 12
    cmp_value = 0x00C22701(12723969)
    value = 0x00C22701(12723969)
    03/25-08:08:34.602456 [**] [1:2:0] EAP Request 2 [**] [Priority: 0] {GRE} 172.16.100.50 -> 172.16.100.100
    03/25-08:08:34.602456 DE:AD:CD:B7:69:87 -> DE:AD:45:9D:B7:A6 type:0x800 len:0x492
    172.16.100.50 -> 172.16.100.100 GRE TTL:64 TOS:0x0 ID:52936 IpLen:20 DgmLen:1156 DF
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The debug values are listed under 'include/snort/dynamic_output/snort_debug.h'

    whoa@whoa9:/var/tmp/snort-2.9.15$ less include/snort/dynamic_output/snort_debug.h | grep PATTERN_MATCH
    #define DEBUG_PATTERN_MATCH 0x0000000000001000LL
    whoa9@whoa9:/var/tmp/snort-2.9.15$

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com

From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of "Al Lewis (allewi) via Snort-sigs" <snort-sigs () lists snort org>
Reply-To: "Al Lewis (allewi)" <allewi () cisco com>
Date: Thursday, March 26, 2020 at 7:44 PM
To: Teodor Lupan <theologu () gmail com>
Cc: "snort-sigs () lists snort org" <snort-sigs () lists snort org>
Subject: Re: [Snort-sigs] GRE PPTP/EAP inspection

Part of the content you are trying to match on is being decoded in the PPTP header (as Alex said), so that content match won't work.
    #0  DecodePppPktEncapsulated (pkt=0x555556be056e "\302'\001", len=1124, p=0x555556075780 <s_packet>) at decode.c:1998
    1998        if(pkt[0] & 0x01)
    (gdb) n
    2008        protocol = ntohs(*((uint16_t *)pkt));
    (gdb) n
    2009        hlen = 2;
    (gdb) print protocol
    $30 = 49703
    (gdb) print /x protocol
    $31 = 0xc227
    (gdb) x /16xb pkt
    0x555556be056e: 0xc2 0x27 0x01 0x00 0x04 0x62 0x04 0x10
    0x555556be0576: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
    (gdb)

You could try some byte matching and hopping around to get you where you need to be. The rule below should get you started.

    Whoa9@whoa9:/var/tmp/snort-2.9.15$ ./bin/snort -c etc/pptp.conf -r ~/Downloads/pptp_eap.pcap -Acmg -k none -q
    03/25-08:08:34.602456 [**] [1:2:0] EAP Request 2 [**] [Priority: 0] {GRE} 172.16.100.50 -> 172.16.100.100
    03/25-08:08:34.602456 DE:AD:CD:B7:69:87 -> DE:AD:45:9D:B7:A6 type:0x800 len:0x492
    172.16.100.50 -> 172.16.100.100 GRE TTL:64 TOS:0x0 ID:52936 IpLen:20 DgmLen:1156 DF
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    03/25-08:08:34.602456 [**] [1:1:0] EAP Request 1 [**] [Priority: 0] {GRE} 172.16.100.50 -> 172.16.100.100
    03/25-08:08:34.602456 DE:AD:CD:B7:69:87 -> DE:AD:45:9D:B7:A6 type:0x800 len:0x492
    172.16.100.50 -> 172.16.100.100 GRE TTL:64 TOS:0x0 ID:52936 IpLen:20 DgmLen:1156 DF
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    Whoa9@whoa9:/var/tmp/snort-2.9.15$ cat etc/pptp.conf | grep alert
    alert ip any any -> any any (msg:"EAP Request 1"; ip_proto:47; dsize: > 260; byte_test:3, =, 12723969, 12, relative; sid:1)
    alert ip any any -> any any (msg:"EAP Request 2"; ip_proto:47; dsize: > 260; byte_test:3, =, 0xc22701, 12, relative; sid:2)

Hope this helps.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com

From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of Teodor Lupan via Snort-sigs <snort-sigs () lists snort org>
Reply-To: Teodor Lupan <theologu () gmail com>
Date: Thursday, March 26, 2020 at 4:39 PM
To: "snort-sigs () lists snort org" <snort-sigs () lists snort org>
Subject: Re: [Snort-sigs] GRE PPTP/EAP inspection

Thanks for the idea! I have compiled the latest version with the indicated flag and it's the same.... It sees the packets correctly, but still content matching is not possible.

[image.png]

On Thu, Mar 26, 2020 at 7:13 PM James Lay via Snort-sigs <snort-sigs () lists snort org> wrote:

Compiling with:

    --enable-non-ether-decoders

should get you what you need.

James

On Thu, 2020-03-26 at 12:38 -0400, Alex McDonnell wrote:

I went down this rabbit hole and I think I figured out this is probably a case of similarly named protocols. PPTP is point to point tunneling protocol from https://www.ietf.org/rfc/rfc2637.txt and is a TCP protocol. Your PCAP has a PPP point to point protocol which is a layer 2 protocol, thus why I think Snort cannot dump the raw data from it.

Alex McDonnell
Talos

On Thu, Mar 26, 2020 at 10:16 AM Teodor Lupan via Snort-sigs <snort-sigs () lists snort org> wrote:

Hi everybody!

I am trying to match on a GRE/PPTP packet with a specific content "|c2 27 01|" which translates to an EAP code Request, with a signature like:

    alert ip any any -> any any (msg:"EAP Request"; ip_proto:47; dsize: > 260; content: "|c2 27 01|"; offset: 0; rawbytes;)

According to https://www.snort.org/faq/readme-gre this should have worked, the GRE decoder is enabled, but still the payload seems to be encapsulated as I am unable to match on rawbytes content... or maybe I am missing something.

Do you have any suggestions to make this work? (I have attached a pcap)

Thanks!
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats! https://snort.org/downloads/#rule-downloads
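As an added worked example (not code from the thread, from Snort, or from any of the posters), the following walks an Enhanced GRE header as laid out in RFC 2637 and the PPP/EAP it carries, and reads a 3-byte value the way the posted byte_test rule does. It assumes, as the posted byte_test debug output suggests, that offsets count from the first byte of the GRE header; the frames, call id, sequence and acknowledgment numbers and EAP challenge are constructed. It also goes beyond the thread by showing that the fixed offset 12 only holds while the GRE A bit is clear: a frame carrying an acknowledgment number puts the PPP protocol field at offset 16, so a rule pinned to offset 12 silently misses it.

```python
import struct

# Constructed sample data (not from the thread's pcap): an EAP Request carried
# in PPP over Enhanced GRE, modelled on the bytes in the posted gdb output.
EAP_REQUEST = bytes.fromhex("01000016" "04" "10") + b"A" * 16
#   code=1 (Request), id=0, length=22, type=4 (MD5-Challenge), value-size=16
PPP_EAP = bytes.fromhex("c227") + EAP_REQUEST          # PPP protocol 0xC227 = EAP
GRE_HDR_S = bytes.fromhex("3001880b" "0018" "0001" "00000001")
#   K=1 S=1 A=0 ver=1 proto=0x880B, payload len 24, call id 1, seq 1 (12 bytes)
GRE_HDR_SA = bytes.fromhex("3081880b" "0018" "0001" "00000001" "00000002")
#   same, but A=1 adds a 4-byte acknowledgment number (16 bytes)
FRAME_NO_ACK = GRE_HDR_S + PPP_EAP
FRAME_WITH_ACK = GRE_HDR_SA + PPP_EAP


def parse_pptp_gre(frame: bytes) -> dict:
    """Walk an Enhanced GRE header (RFC 2637) and the PPP/EAP behind it.
    Offsets count from the first byte of the GRE header, which is where the
    posted byte_test debug output places Snort's payload pointer (assumed)."""
    flags, ver_byte, proto = struct.unpack("!BBH", frame[:4])
    if (ver_byte & 0x07) != 1 or proto != 0x880B:
        raise ValueError("not an Enhanced GRE (PPTP) header")
    hlen = 4
    hlen += 4 if flags & 0x20 else 0        # K bit: payload length + call id
    hlen += 4 if flags & 0x10 else 0        # S bit: sequence number
    hlen += 4 if ver_byte & 0x80 else 0     # A bit: acknowledgment number
    ppp = frame[hlen:]
    # PPP protocol field is 1 byte when compressed (low bit set), else 2 bytes:
    # the pkt[0] & 0x01 test seen in DecodePppPktEncapsulated in the gdb trace.
    if ppp[0] & 0x01:
        ppp_proto, plen = ppp[0], 1
    else:
        ppp_proto, plen = struct.unpack("!H", ppp[:2])[0], 2
    if ppp_proto != 0xC227:
        raise ValueError("PPP payload is not EAP")
    code, ident, length = struct.unpack("!BBH", ppp[plen:plen + 4])
    return {"ppp_proto_offset": hlen, "eap_offset": hlen + plen,
            "eap_code": code, "eap_id": ident, "eap_length": length,
            "eap_type": ppp[plen + 4] if length > 4 else None}


def byte_test_value(payload: bytes, offset: int, nbytes: int) -> int:
    """Read nbytes at an absolute offset as a big-endian integer, the way the
    posted byte_test:3,=,<value>,12 rule fetches the value it compares."""
    return int.from_bytes(payload[offset:offset + nbytes], "big")


def fixed_offset_rule_hits(frame: bytes) -> bool:
    """Would the posted rule (3 bytes at offset 12 == 0xC22701) fire on frame?"""
    return byte_test_value(frame, 12, 3) == 0xC22701
```

A rule that must cover both framings needs the PPP protocol field located from the GRE flags rather than at a constant offset, or one rule per header variant.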