ICMP增强型snort规则
一 ICMP协议简介
ICMP(internet control message protocol)是面向无连接、不可靠的、基于网络层的消息控制协议,它可以传输数据报错信息、网络状况信息、主机状况信息等。
1.ICMP数据封装
ICMP报文是使用IP数据报来封装和发送的,携带ICMP报文的IP数据报完全像其他类型数据的数据报那样在网络中被转发,没有额外的可靠性和优先级,由于IP数据报本身被放在底层物理数据帧中进行发送,因此,ICMP报文本身也可能丢失或者出现传输错误。
2.ICMP报文类型
ICMP报文可以分为两大类:ICMP差错报告报文和ICMP查询报文。差错报告报文主要用来向IP数据报源主机返回一个差错报告信息,查询报文用于一台主机向另一台主机查询特定的信息,通常查询报文是成对出现的,即源主机发起一个查询报文,在目的主机收到该报文后,会按照查询报文约定的格式为源主机返回一个应答报文。
注意, ICMP差错报文并不能纠正差错,它只是简单地报告差错。
二 使用snort规则检测ping不可达事件
ping命令是使用ICMP协议,现在需要制定snort规则,对ping不可达事件进行告警,具体snort规则如下:
include classification.config
alert icmp any any -> any any (msg:"ICMP Destination Unreachable."; itype:3; icode:1; sid:48511; rev:4;)
1.classification.config是在snort配置文件,具体如下所示:
2.itype是icmp类型,表明Destination unreachable
3.icode是icmp相关代码,表明Host unreachable
4.使用命令抓包:
ping 10.20.92.173 #ping不通
tcpdump -i ens192 -w ping.pcap #从网卡ens192抓包保存到ping.pcap文件
5.使用wireshark打开可见:
其中type对应itype,code对应icode。
6.运行命令:
snort -A console -c snort1.conf -i ens192 #开启snort
tcpreplay -i ens192 -M 10 ping.pcap #回包测试
snort告警如下所示:
三 增加型ICMP snort规则
include classification.config
ipvar EXTERNAL_NET any
ipvar HOME_NET any
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; reference:arachnids,158; classtype:attempted-recon; sid:465; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP L3retriever Ping"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; reference:arachnids,311; classtype:attempted-recon; sid:466; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Nemesis v1.1 Echo"; dsize:20; icmp_id:0; icmp_seq:0; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:arachnids,449; classtype:attempted-recon; sid:467; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP icmpenum v1.1.1"; dsize:0; icmp_id:666 ; icmp_seq:0; id:666; itype:8; reference:arachnids,450; classtype:attempted-recon; sid:471; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect host"; icode:1; itype:5; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect net"; icode:0; itype:5; reference:arachnids,199; reference:cve,1999-0265; classtype:bad-unknown; sid:473; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP superscan echo"; dsize:8; itype:8; content:"|00 00 00 00 00 00 00 00|"; classtype:attempted-recon; sid:474; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP traceroute ipopts"; ipopts:rr; itype:0; reference:arachnids,238; classtype:attempted-recon; sid:475; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP webtrends scanner"; icode:0; itype:8; content:"|00 00 00 00|EEEEEEEEEEEE"; reference:arachnids,307; classtype:attempted-recon; sid:476; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Source Quench"; icode:0; itype:4; classtype:bad-unknown; sid:477; rev:2;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Broadscan Smurf Scanner"; dsize:4; icmp_id:0; icmp_seq:0; itype:8; classtype:attempted-recon; sid:478; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING speedera"; itype:8; content:"89|3A 3B|<=>?"; depth:100; classtype:misc-activity; sid:480; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP TJPingPro1.1Build 2 Windows"; itype:8; content:"TJPingPro by Jim"; depth:32; reference:arachnids,167; classtype:misc-activity; sid:481; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING WhatsupGold Windows"; itype:8; content:"WhatsUp - A Netw"; depth:32; reference:arachnids,168; classtype:misc-activity; sid:482; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING CyberKit 2.2 Windows"; itype:8; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|"; depth:32; reference:arachnids,154; classtype:misc-activity; sid:483; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Sniffer Pro/NetXRay network scan"; itype:8; content:"Cinco Network, Inc."; depth:32; classtype:misc-activity; sid:484; rev:4;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication Administratively Prohibited"; icode:13; itype:3; classtype:misc-activity; sid:485; rev:4;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited"; icode:10; itype:3; classtype:misc-activity; sid:486; rev:4;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited"; icode:9; itype:3; classtype:misc-activity; sid:487; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP digital island bandwidth query"; content:"mailto|3A|ops@digisle.com"; depth:22; classtype:misc-activity; sid:1813; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:4;)
https://github.com/eldondev/Snort/blob/master/rules/icmp.rules
四 snort检测插件对icmp type字段解析
1.代码目录:snort源码/src/detection-plugins/sp_icmp_type_check.h sp_icmp_type_check.c
2.检测插件开启及初始化
(1)开启:SetupIcmpTypeCheck
(2)初始化:IcmpTypeCheckInit
3.解析type及其数值
// data指向snort icmp规则
// otn指向snort三维链表
void ParseIcmpType(struct _SnortConfig *sc, char *data, OptTreeNode *otn)
{...
}
4.icmp type比较
// option_data:解析后的type结构
// p:指向网络包
void IcmpTypeCheck(void *option_data, Packet *p)
{...
}
ICMP增强型snort规则相关推荐
- snort规则检测引擎初探
0x01缘由 目前的产品开发过程中,涉及到了对应用层协议类型的检测.考虑到要构建高效的规则匹配引擎,于是再次研究了snort的规则引擎. 主要目的还是开阔下设计思路和借鉴一些方 ...
- Snort规则入门学习
Snort规则学习 Snort 是一个开源入侵防御系统(IPS).Snort IPS 使用一系列规则来帮助定义恶意网络活动,并利用这些规则来查找与之匹配的数据包,并为用户生成警报. 下面来学习一下sn ...
- 30 snort 规则
项关键字. msg - 在报警和包日志中打印一个消息. logto - 把包记录到用户指定的文件中而不是记录到标准输出. ttl - 检查ip头的ttl的值. tos 检查IP头中TOS字段的值. i ...
- 入侵防御之snort规则编写
经过前面的安装和配置之后,snort现以可以以IDS模式运行并执行入侵检测工作.但是检测的成效大多依赖于下载的规则库,而细心的我发现,下载的规则库虽然有200+M,但是仍有相当多的空文档. 除此之外还 ...
- Web流量检测与绕过(基于Snort规则)
Web流量检测与绕过 Snort Snort概述 Snort规则学习 Snort规则编写 流量特征处理 消除流量特征 检测特征是否消除 实战 Snort 我在上一篇博客已经讲述,如何进行windows ...
- Snort规则检测引擎--架构解析
1. 规则头和规则选项 snort将所有已知的攻击以规则的形式放在规则库中,规则库中的每条规则条目分为两个部分:规则头(RuleHeader)和规则选项(RuleOption). 规则头包括:规则行为 ...
- snort规则解析源码分析
init_policies 遍历sc->policy_map->ips_policy_count()和sc->policy_map->inspection_policy_cou ...
- 网络入侵检测--Snort软件规则编写
Snort规则编写 今天主要来讲一下Snort中的规则编写规则,还有些绕口,就是编写他们的rules的方法,可以帮助我们理解他们提供的rules和定义我们自己的rules. 首先我们来看一条规则 al ...
- 如何编写snort的检测规则
分享一下我老师大神的人工智能教程!零基础,通俗易懂!http://blog.csdn.net/jiangjunshow 也欢迎大家转载本篇文章.分享知识,造福人民,实现我们中华民族伟大复兴! 摘要 ...
- 实验 snort安装配置与规则编写
实验 snort安装配置与NIDS规则编写 1 实验目的 在linux或windows任意一个平台下完成snort的安装,使snort工作在NIDS模式下,并编写符合相关情景要求的snort规则. 2 ...
最新文章
- 中考考试的指令广播_明天FM105.2《朝朝早精神好》推出2017广州中考日特别报道...
- 修改mysql远程连接
- BZOJ 4884 [Lydsy2017年5月月赛]太空猫(单调DP)
- android 属性动画实例,Android属性动画完全解析 中 ,ValueAnimator和ObjectAnimator的高级用法...
- iQOO Neo5活力版或本月发布:搭载骁龙870+高刷LCD屏
- 怎么解决 数据丢失的问题_硬盘数据丢失怎么恢复
- 经纬创投:我们研究了200多家公司的融资条款,告诉你如何防止被“套路”
- No package python27 available
- Java 百度OCR 身份证识别
- python 驱动工控机板卡,研华工控机主板驱动下载
- Maven下载安装及修改setting内容
- python初学第一节课
- adobe安装错误代码183
- 32位汇编语言程序设计(钱晓捷) 高清完整
- Python fitter包:拟合数据样本的分布
- 域名使用HTTPS的相关配置
- 纯css实现向上箭头动画显示
- access实验报告体会_Access实验报告
- Linux系统信息查看命令 -
- 烹饪专业的计算机课程,烹饪专业计算机应用基础教学的思考.PDF
热门文章
- 2019上半年勒索病毒专题报告
- React:在发表评论功能中加入表情emoji
- 微信公众号管理后台获取已关注的openid
- 麦克风阵列入门(一)
- html修改img图片颜色,html中img图片设置透明度的方法
- 一个手机阅读器的WebApp
- html鼠标悬停多个效果,33个jQuery与CSS3实现的绚丽鼠标悬停效果
- oracle混音插件教程,【图片】【教学】waves混音插件官方教学贴,长期更新_混音吧_百度贴吧...
- 51单片机流水灯画图打板焊元件历程
- mysql id 主键 外键_mysql主键 外键