Paul Schmehl wrote:
--On Friday, June 01, 2007 16:00:49 -0500 Paul Schmehl
<pauls@utdallas.edu> wrote:
--On Friday, June 01, 2007 22:19:27 +0200 rmkml <rmkml@free.fr> wrote:
and do you have false alert if you add ip_proto:46; on this rules ?
I don't think that's possible, is it? This rule is looking at the data
in a packet *not* at the IP header. You would need to sort that out
first, and I don't think snort has that ability. Or is the data
going to
include the protocol somehow? The tenth byte of the IP header would
tell
you what the protocol is, but I don't think snort has rule syntax that
looks at that. (I could definitely be wrong.)
After reviewing the docs, I see that I am definitely wrong.
Furthermore, this would probably be an excellent improvement to this
rule.
So I assume it would look like this, because you would want to check
for the protocol first and reject at the point if it doesn't match,
right?
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT RSVP
Protocol zero length object DoS attempt"; ip_proto:"46";
content:"|01|"; depth:1; offset:11; byte_test:1,<,4,13;
pcre:"/^.{10}[\x14\x15]\x01.{1}[\x00-\x03]/sm";
reference:url,www.frsirt.com/english/advisories/2005/0411;
classtype:attempted-dos; sid:4638; rev:3; )
Or would you need to use the hex?
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT RSVP
Protocol zero length object DoS attempt"; ip_proto:"|2E|";
content:"|01|"; depth:1; offset:11; byte_test:1,<,4,13;
pcre:"/^.{10}[\x14\x15]\x01.{1}[\x00-\x03]/sm";
reference:url,www.frsirt.com/english/advisories/2005/0411;
classtype:attempted-dos; sid:4638; rev:3; )
Or I suppose you could do:
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT RSVP
Protocol zero length object DoS attempt"; ip_proto:"rsvp";
content:"|01|"; depth:1; offset:11; byte_test:1,<,4,13;
pcre:"/^.{10}[\x14\x15]\x01.{1}[\x00-\x03]/sm";
reference:url,www.frsirt.com/english/advisories/2005/0411;
classtype:attempted-dos; sid:4638; rev:3; )
It turns out that the best way to go is:
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT RSVP Protocol
zero length object DoS attempt"; ip_proto:46; content:"|01|"; depth:1;
offset:11; byte_test:1,<,4,13;
pcre:"/^.{10}[\x14\x15]\x01.{1}[\x00-\x03]/sm";
reference:url,www.frsirt.com/english/advisories/2005/0411;
classtype:attempted-dos; sid:4638; rev:3;)
Having quotes around the number causes parser errors, and using the
protocol number avoids any possible confusion when examining the packet
(the likelihood of which is extremely low anyway, but it doesn't hurt to
be safe). In any case, this is definitely a good addition to the rule,
and it will be released in a forthcoming rulepack.
Alex Kirk
Research Analyst
Sourcefire, Inc.
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
