I. ICMP protocol overview

ICMP (Internet Control Message Protocol) is a connectionless, unreliable, network-layer message control protocol. It carries datagram error reports, network status information, host status information, and similar control data.

1. ICMP encapsulation

ICMP messages are encapsulated in, and sent as, IP datagrams. An IP datagram carrying an ICMP message is forwarded through the network exactly like a datagram carrying any other kind of data, with no additional reliability or priority. Because the IP datagram itself is placed in a lower-layer physical frame for transmission, an ICMP message may itself be lost or corrupted in transit.

2. ICMP message types

ICMP messages fall into two broad categories: error-reporting messages and query messages. Error-reporting messages return an error report to the source host of an IP datagram. Query messages let one host ask another host for specific information; they usually come in pairs: the source host sends a query, and when the destination host receives it, it returns a reply to the source host in the format that the query specifies.

Note that ICMP error messages do not correct errors; they simply report them.

II. Detecting ping unreachable events with a Snort rule

The ping command uses ICMP. We now need a Snort rule that raises an alert when a ping is unreachable. The rule is as follows:

include classification.config
alert icmp any any -> any any (msg:"ICMP Destination Unreachable."; itype:3; icode:1; sid:48511; rev:4;)

1. classification.config is included from the Snort configuration file, as shown below:

2. itype is the ICMP type; 3 means Destination Unreachable.

3. icode is the ICMP code; 1 means Host Unreachable.

4. Capture the packets with:

ping 10.20.92.173  # the ping fails
tcpdump -i ens192 -w ping.pcap  # capture on interface ens192 and save to ping.pcap

5. Opening the capture in Wireshark shows:

Here, type corresponds to itype and code corresponds to icode.

6. Run:

snort -A console -c snort1.conf -i ens192  # start snort
tcpreplay -i ens192 -M 10 ping.pcap        # replay the capture for testing

Snort produces the following alert:

III. Extended ICMP Snort rules

include classification.config
ipvar EXTERNAL_NET any
ipvar HOME_NET any
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; reference:arachnids,158; classtype:attempted-recon; sid:465; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP L3retriever Ping"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; reference:arachnids,311; classtype:attempted-recon; sid:466; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Nemesis v1.1 Echo"; dsize:20; icmp_id:0; icmp_seq:0; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:arachnids,449; classtype:attempted-recon; sid:467; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP icmpenum v1.1.1"; dsize:0; icmp_id:666 ; icmp_seq:0; id:666; itype:8; reference:arachnids,450; classtype:attempted-recon; sid:471; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect host"; icode:1; itype:5; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect net"; icode:0; itype:5; reference:arachnids,199; reference:cve,1999-0265; classtype:bad-unknown; sid:473; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP superscan echo"; dsize:8; itype:8; content:"|00 00 00 00 00 00 00 00|"; classtype:attempted-recon; sid:474; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP traceroute ipopts"; ipopts:rr; itype:0; reference:arachnids,238; classtype:attempted-recon; sid:475; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP webtrends scanner"; icode:0; itype:8; content:"|00 00 00 00|EEEEEEEEEEEE"; reference:arachnids,307; classtype:attempted-recon; sid:476; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Source Quench"; icode:0; itype:4; classtype:bad-unknown; sid:477; rev:2;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Broadscan Smurf Scanner"; dsize:4; icmp_id:0; icmp_seq:0; itype:8; classtype:attempted-recon; sid:478; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING speedera"; itype:8; content:"89|3A 3B|<=>?"; depth:100; classtype:misc-activity; sid:480; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP TJPingPro1.1Build 2 Windows"; itype:8; content:"TJPingPro by Jim"; depth:32; reference:arachnids,167; classtype:misc-activity; sid:481; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING WhatsupGold Windows"; itype:8; content:"WhatsUp - A Netw"; depth:32; reference:arachnids,168; classtype:misc-activity; sid:482; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING CyberKit 2.2 Windows"; itype:8; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|"; depth:32; reference:arachnids,154; classtype:misc-activity; sid:483; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Sniffer Pro/NetXRay network scan"; itype:8; content:"Cinco Network, Inc."; depth:32; classtype:misc-activity; sid:484; rev:4;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication Administratively Prohibited"; icode:13; itype:3; classtype:misc-activity; sid:485; rev:4;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited"; icode:10; itype:3; classtype:misc-activity; sid:486; rev:4;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited"; icode:9; itype:3; classtype:misc-activity; sid:487; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP digital island bandwidth query"; content:"mailto|3A|ops@digisle.com"; depth:22; classtype:misc-activity; sid:1813; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:4;)

https://github.com/eldondev/Snort/blob/master/rules/icmp.rules

IV. How the Snort detection plugin parses the ICMP type field

1. Source location: <snort source>/src/detection-plugins/sp_icmp_type_check.h and sp_icmp_type_check.c

2. Enabling and initialising the detection plugin

(1) Enable: SetupIcmpTypeCheck

(2) Initialise: IcmpTypeCheckInit

3. Parsing the type and its value

// data points to the option text of the Snort icmp rule
// otn points to the node in Snort's three-dimensional rule list
void ParseIcmpType(struct _SnortConfig *sc, char *data, OptTreeNode *otn)
{
    ...
}

4. Comparing the ICMP type

// option_data: the parsed type structure
// p: pointer to the network packet
void IcmpTypeCheck(void *option_data, Packet *p)
{
    ...
}
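The following Python script is an added example; it is not code from this page or from the Snort project. It reproduces in miniature what sections II to IV describe: it decodes an ICMP message (type, code, identifier, sequence number, data) and verifies its checksum, splits the option body of a Snort rule, and evaluates the ICMP-layer options used by the rules above (itype, icode, dsize, content with depth, icmp_id, icmp_seq), including the N<>M range form of itype that IcmpTypeCheck handles. All packets are constructed inline. The function names, the rule subset, and the simplification that dsize and content cover everything after the 8-byte ICMP header are assumptions of this example, not Snort's implementation.

```python
import struct


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a message with its checksum filled in sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(itype, icode, ident=0, seq=0, payload=b""):
    """Constructed ICMP message with a valid checksum (for type 3 id/seq are the unused bytes)."""
    head = struct.pack("!BBHHH", itype, icode, 0, ident, seq)
    csum = icmp_checksum(head + payload)
    return struct.pack("!BBHHH", itype, icode, csum, ident, seq) + payload


def parse_icmp(msg: bytes) -> dict:
    """Decode the 8-byte header; assumption: dsize/content cover everything after it."""
    if len(msg) < 8:
        raise ValueError("truncated ICMP message")
    if icmp_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    itype, icode, _, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return {"type": itype, "code": icode, "id": ident, "seq": seq, "data": msg[8:]}


def parse_rule(rule: str) -> dict:
    """Split the '(...)' option body of a Snort rule on ';' outside double quotes."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, quoted = {}, "", False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            key, _, val = cur.partition(":")
            if key.strip():
                opts[key.strip()] = val.strip().strip('"')
            cur = ""
        else:
            cur += ch
    return opts


def num_match(spec: str, value: int) -> bool:
    """Snort numeric syntax: N, <N, >N, N<>M (exclusive range, as itype/icode define it)."""
    spec = spec.replace(" ", "")
    if "<>" in spec:
        lo, hi = (int(x) for x in spec.split("<>"))
        return lo < value < hi
    if spec[0] in "<>":
        n = int(spec[1:])
        return value < n if spec[0] == "<" else value > n
    return value == int(spec)


def content_bytes(spec: str) -> bytes:
    """Snort content syntax: text outside |..| is literal, inside |..| is hex."""
    out = b""
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out


def rule_matches(opts: dict, pkt: dict) -> bool:
    """Evaluate ICMP-layer options only; IP-layer options (ipopts, id) are not modelled."""
    data = pkt["data"]
    for opt, field in (("itype", pkt["type"]), ("icode", pkt["code"]), ("dsize", len(data))):
        if opt in opts and not num_match(opts[opt], field):
            return False
    for opt, field in (("icmp_id", pkt["id"]), ("icmp_seq", pkt["seq"])):
        if opt in opts and int(opts[opt]) != field:
            return False
    if "content" in opts:
        window = data[:int(opts["depth"])] if "depth" in opts else data
        if content_bytes(opts["content"]) not in window:
            return False
    return True


# Subset of the rules quoted on this page (reference/classtype options trimmed).
RULES = [
    'alert icmp any any -> any any (msg:"ICMP Destination Unreachable."; itype:3; icode:1; sid:48511; rev:4;)',
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8; sid:469; rev:3;)',
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP superscan echo"; dsize:8; itype:8; content:"|00 00 00 00 00 00 00 00|"; sid:474; rev:4;)',
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP webtrends scanner"; icode:0; itype:8; content:"|00 00 00 00|EEEEEEEEEEEE"; sid:476; rev:4;)',
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; sid:499; rev:4;)',
]


def alerts_for(msg: bytes, rules=RULES) -> list:
    """Return the msg of every rule the ICMP message triggers."""
    pkt = parse_icmp(msg)
    return [opts["msg"] for opts in map(parse_rule, rules) if rule_matches(opts, pkt)]


if __name__ == "__main__":
    # Constructed traffic: the host-unreachable reply from section II, echo requests shaped
    # like the ones the scanner rules look for, and a default Linux ping (16 timestamp bytes
    # followed by the pattern 0x10..0x37).
    samples = {
        "host unreachable": build_icmp(3, 1, payload=bytes(28)),
        "empty echo": build_icmp(8, 0, ident=0x1234, seq=1),
        "8 zero bytes": build_icmp(8, 0, payload=bytes(8)),
        "default ping": build_icmp(8, 0, ident=1, seq=1, payload=bytes(16) + bytes(range(0x10, 0x38))),
        "1000-byte echo": build_icmp(8, 0, payload=b"A" * 1000),
    }
    for name, raw in samples.items():
        print(f"{name:16s} -> {alerts_for(raw)}")
```

Running the script shows the point of the page's rule set: a default-size ping triggers nothing, an echo request with no payload matches sid 469, eight zero bytes match sid 474, and a message with a corrupted checksum is rejected before any rule is evaluated. This is the kind of check worth running over a replayed pcap (as in section II) before enabling a rule set on a live sensor.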
