Force10 Networks PSeries 100-00055-01 User Manual: Support for Snort's within Keyword (Table 22, Table 23)

Page 72


Writing Rules

The state machine is started by a SYN. State 1 is reached if a packet with a payload length greater than 0 but less than 20 bytes follows; state 2 is reached either if a packet of length 1 arrives right after the SYN, or if a second packet of length greater than 0 but less than 20 bytes is seen while in state 1. Once in state 2 the flow is captured, and the final state (state 3) keeps capturing every subsequent packet whose length is between 0 and 100 bytes. This state diagram was derived from observing common fragmentation evasion patterns and catches most of them. More complex state diagrams can be devised at your discretion.

Support for Snort's within Keyword

Many buffer-overflow detection rules use Snort's within modifier. In Snort, within bounds how far after the preceding content match the next content may occur; in these rules it is typically used to check whether an end-of-line character arrives within a certain number of bytes of a command at the start of the session (an argument that runs on for longer with no end of line is the overflow pattern).

If the within statement covers a large number of bytes, the check has to span TCP segments: several packets must be captured before the end-of-line character (or whatever the terminating character is) can be found or ruled out. For this reason, within statements capture the entire flow.
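The following is an added example, not PNIC or Force10 code, showing why the within check described above cannot be decided on a single segment. It models the check the text describes (is an end-of-line byte seen within N bytes after a command at the start of the session) as a three-valued test over the bytes reassembled so far; the "USER " command, the 100-byte limit, the 60-byte segment size and the payloads are all constructed for the example. Snort's real within is relative to the preceding content match; here that match is the command at offset 0.

```python
# Added example (not Force10/PNIC code): why a "within" check has to run on
# the reassembled stream rather than on individual TCP segments. The check
# modelled is the one the text describes: is an end-of-line byte seen within
# N bytes of the start of the session (after a constructed "USER " command)?
# Segment boundaries, the 100-byte limit and the payloads are all constructed.
from typing import List, Optional

EOL = b"\n"


def eol_within(stream: bytes, start: int, n: int) -> Optional[bool]:
    """Three-valued within check over the bytes seen so far.

    True  : an EOL byte occurs in stream[start : start + n]
    False : the full n bytes are present and contain no EOL (overflow pattern)
    None  : fewer than n bytes available after start, cannot decide yet
    """
    window = stream[start:start + n]
    if EOL in window:
        return True
    if len(window) < n:
        return None
    return False


def check_segments(segments: List[bytes], start: int, n: int):
    """Reassemble segments one at a time and report when the verdict lands.

    Returns (verdict, index of the segment that made it decidable), or
    (None, None) if the flow ended before n bytes were available.
    """
    stream = b""
    for i, seg in enumerate(segments):
        stream += seg
        verdict = eol_within(stream, start, n)
        if verdict is not None:
            return verdict, i
    return None, None


def split(payload: bytes, mss: int) -> List[bytes]:
    """Cut a byte string into TCP-segment-sized pieces (constructed)."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


CMD = b"USER "
START = len(CMD)       # look for the EOL after the command keyword
LIMIT = 100            # the rule's within: byte count (constructed)

# Constructed payloads: a benign login and an oversized argument with no EOL
# for 150 bytes, both delivered in 60-byte segments.
BENIGN = split(CMD + b"bob" + EOL, 60)
OVERFLOW = split(CMD + b"A" * 150 + EOL, 60)

if __name__ == "__main__":
    print("benign   :", check_segments(BENIGN, START, LIMIT))
    print("overflow :", check_segments(OVERFLOW, START, LIMIT))
    print("first segment only:", eol_within(OVERFLOW[0], START, LIMIT))
```

On the constructed overflow payload the first 60-byte segment yields no verdict (only 55 bytes follow the command), and the rule can only fire after the second segment has been reassembled, which is exactly why the flow has to be captured rather than each packet inspected in isolation.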

The PNIC-Compiler translates within statements by setting the S:32 (TCP) and S:64 (UDP) state bits on the flow. This causes the two rules in Table 23 to trigger the capturing of the TCP flow or UDP stream.

Table 22 TCP Packets with Anomalous Segmentation

alert on c0 tcp any any -> any any (msg:"Z Evasion: State 2 Fragment of size 1 "; dsize: 1; S:4; R:1; C:16;)

alert on c0 tcp any any -> any any (msg:"Z Evasion: State 1 First fragment of size 0 <> 20 = state 1"; dsize: 0 <> 20; S:4; R:1; C:8;)

alert on c0 tcp any any -> any any (msg:"Z Evasion: State 2 Second fragment of size 0 <> 20 = capture flow"; dsize: 0 <> 20; S:8; R:1; C:16;)

alert on c0 tcp any any -> any any (msg:"Z Evasion: State 3 Capture flow fragments of size 0 <> 100"; dsize: 0 <> 100; S:16; R:2; C:16;)
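The following is an added example, not Force10 or PNIC code, that runs the Table 22 state machine in software over constructed packet sequences so the transitions described above can be traced. It assumes, since the manual does not spell these out on this page: state bit 4 means "SYN seen" and is set by the SYN rule that starts the machine; S: is the state a rule requires and C: the state the flow moves to when the rule fires (a transition, not a bitwise OR); "0 <> 20" is exclusive on both ends, as the text's "greater than 0 but less than 20" says; rules are tried in table order with the first match winning; R: is not modelled.

```python
# Added example (not Force10/PNIC code): a software model of the Table 22
# fragmentation-evasion state machine, run over a constructed packet sequence.
# Assumptions, none of which the manual states explicitly: bit 4 means "SYN
# seen" and is set by the SYN rule that starts the machine; S: is the state a
# rule requires and C: the state the flow moves to when the rule fires
# (a transition, not a bitwise OR); "0 <> 20" is exclusive on both ends; R: is
# not modelled. Rules are tried in table order and the first match wins.
from dataclasses import dataclass
from typing import List, Tuple

SYN_SEEN, STATE_1, STATE_2 = 4, 8, 16  # the S:/C: values used in Table 22


@dataclass(frozen=True)
class Packet:
    syn: bool
    dsize: int  # TCP payload length in bytes


@dataclass(frozen=True)
class Rule:
    msg: str
    lo: int  # dsize must satisfy lo < dsize < hi
    hi: int
    s: int   # required state (S:)
    c: int   # state after firing (C:)


# Table 22, transcribed. "dsize: 1" becomes the exclusive range 0 <> 2.
TABLE_22 = [
    Rule("State 2 Fragment of size 1", 0, 2, SYN_SEEN, STATE_2),
    Rule("State 1 First fragment of size 0 <> 20 = state 1", 0, 20, SYN_SEEN, STATE_1),
    Rule("State 2 Second fragment of size 0 <> 20 = capture flow", 0, 20, STATE_1, STATE_2),
    Rule("State 3 Capture flow fragments of size 0 <> 100", 0, 100, STATE_2, STATE_2),
]


def run_flow(packets: List[Packet]) -> Tuple[int, List[str]]:
    """Feed one TCP flow through the state machine.

    Returns the final state and the msg of every rule that fired, in order.
    A flow is being captured once it has reached STATE_2.
    """
    state = 0
    fired: List[str] = []
    for pkt in packets:
        if pkt.syn:
            state = SYN_SEEN  # the SYN (re)starts the machine
            continue
        for rule in TABLE_22:
            if state == rule.s and rule.lo < pkt.dsize < rule.hi:
                fired.append(rule.msg)
                state = rule.c
                break  # first matching rule wins
    return state, fired


def is_captured(packets: List[Packet]) -> bool:
    """True if the flow ended in the capture state."""
    return run_flow(packets)[0] == STATE_2


# Constructed traffic: an evasion attempt that drips the request out in tiny
# segments, a one-byte variant, and a normal flow with full-size segments.
EVASION = [Packet(True, 0), Packet(False, 5), Packet(False, 7), Packet(False, 50)]
ONE_BYTE_EVASION = [Packet(True, 0), Packet(False, 1), Packet(False, 90)]
NORMAL = [Packet(True, 0), Packet(False, 1460), Packet(False, 1460)]

if __name__ == "__main__":
    for name, flow in (("evasion", EVASION), ("one-byte", ONE_BYTE_EVASION), ("normal", NORMAL)):
        state, fired = run_flow(flow)
        print(f"{name}: final state {state}, captured={state == STATE_2}")
        for msg in fired:
            print("   ", msg)
```

Tracing the constructed evasion flow: the SYN puts the flow in state 4, the 5-byte segment moves it to state 8 (state 1), the 7-byte segment moves it to state 16 (state 2, capture), and the 50-byte segment then matches the state 3 rule and is captured. The normal flow never leaves state 4 because its 1460-byte segments match no dsize range, and a flow without a SYN (state 0) matches nothing at all.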

Table 23 Capturing TCP and UDP Flows

alert on c0 tcp any any -> any any (msg:"Z TCP within was issued previously for this flow = capture flow"; S:32; R:2; C:32;)

alert on c0 udp any any -> any any (msg:"Z UDP within was issued previously for this stream = capture stream"; S:64; R:2; C:64;)
