Snort Preprocessor Plugin spp_icmpspoof.c,v 1.0 01/04/2003
Source: http://www.lab.epmhs.gr/en/snort/preprocessor_icmpspoof/
John Papapanos (Internet Systematics Lab)
contact: jpa3nos@lab.epmhs.gr

## PURPOSE ##

This preprocessor does stateful inspection, detecting spoofed ICMP Echo Request/Reply packets entering or leaving the protected network(s). It also detects packets entering or leaving your network that were generated in response to spoofed packets that did not pass through the sensor (e.g. someone outside your network sends an Echo Request to another, non-existent outside host, spoofing the IP address of a host inside your network; the resulting ICMP Unreachable entering your network will raise an alert).

spp_icmpspoof aims at detecting attacks such as decoy traffic, OS fingerprinting, scanning/network mapping, DDoS attacks, covert channels and others that make use of spoofed ICMP Echo packets.

## EFFECT ##

It detects packets sent from external hosts to your network that spoof the source IP of a host outside your network, packets sent from an external host to another external host that spoof the IP address of a host in your network, and other spoofing scenarios. For each detection it outputs an alert together with the probable scenario that produced it.

Note: it won't detect the case where an internal host sends a spoofed Echo Request (type 8) to another internal host using the source IP of an external host, if the sensor running Snort is able to listen to the internal traffic of your network in promiscuous mode. In this case, if the spoofed host exists, the spoofing won't be detected; if the spoofed host doesn't exist, the spoofing will be detected but the wrong scenario will be reported. The best topology is to place the sensor where it can listen only to the traffic going in and out of your protected nets.
It logs the spoofing alerts to a specified log dir/file (or the default), together with a probable scenario describing how the spoofing took place and which hosts took part in the process.

## HOW IT WORKS ##

Currently it detects only spoofed Echo Request packets, which it does when it fails to match them against a captured Echo Reply, or against a captured ICMP Destination Unreachable (type 3, codes 0, 1 or 13) that carries an Echo Request or an Echo Reply in its data. As a side effect it detects spoofed Echo Replies too.

To do this, the preprocessor stores the required information (src IP, dst IP, time of arrival) of all inbound and outbound ICMP Echo Requests in two identical lists, one for inbound and one for outbound Echo Requests. When a packet that is supposed to be an answer to an Echo Request arrives, the corresponding list is searched for a matching stored Echo Request; if none is found, an alert is raised.

Each of the two lists is a two-dimensional, circular, dynamic linked list. The first dimension holds the senders of the Echo Requests. Each sender node points to a list of the receivers this sender has sent Echo Requests to; these receivers form the second dimension. Each sender appears only once in the list, and each receiver of a given sender appears only once in that sender's receiver list. Every node in each dimension points to the next and the previous node: the next pointer of the last node of a dimension is NULL, and the previous pointer of the first node of a dimension points to the last node of that dimension.

## ARGUMENTS ##

It takes up to 3 space-delimited arguments:

preprocessor icmpspoof: <Protected Net(s)> [Timeout] [Logdir]

Protected Net(s)
The network(s), in CIDR notation, you wish to check for spoofed ICMP packets. Multiple networks are separated by ",". You can use the var HOME_NET (IP lists are supported), but don't use "any".
Timeout (optional)
The number of seconds an ICMP Echo Request is held in the lists, i.e. the maximum time you expect to wait for an Echo Reply or an ICMP error answering an Echo Request. A bigger value means more processing time and more memory used. The default is 3 seconds.

Logdir (optional)
The directory/file the preprocessor should log the alerts to. The directory must exist. The default log filename is EchoSpoofs and the default log dir is the pv.logdir given on the command line with -l when running Snort. If no -l is given, the default dir is the one Snort logs to (e.g. /var/log/snort/).

--Note--
If you want to use the default timeout value but log to a file of your choice, declare a timeout value of 0 and the default will be used.

--Examples--

1) preprocessor icmpspoof:192.168.100.100/24,192.100.0.10/24 3 /var/log/Spoofs
   Uses a user-defined timeout value and a user-defined logdir.

2) preprocessor icmpspoof:192.168.100.100/24
   Uses the default timeout and the default logdir.

3) preprocessor icmpspoof:192.168.100.100/24 0 /var/log/Spoofs
   Uses the default timeout and a user-defined logdir.

4) preprocessor icmpspoof:192.168.100.100/24 4
   Uses a user-defined timeout value and the default logdir.

5) preprocessor icmpspoof:$HOME_NET 4 /var/log/Spoofs
   Uses the nets specified in the var HOME_NET. It can be an IP list, but it can't be "any".

## TODO ##

- Detect more types of spoofed ICMP packets and use more types and codes of ICMP error messages to check whether spoofing occurs.
- Improve the alert mechanism, with more detailed scenarios for spoofed ICMP Reply packets.
- Every alert in the logfile is quite large; the scenario could reside in a different file and be pointed to by the alert mechanism.
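The following is an added example written for this page, not code from spp_icmpspoof: a minimal C version of the store-and-match logic described under HOW IT WORKS. It keeps two fixed-size tables (inbound and outbound Echo Requests) in place of the plugin's two circular linked lists, uses a hypothetical protected net of 192.168.0.0/16, and takes for each packet the Echo header that identifies the original request (the outer header for an Echo Request/Reply, the quoted one for an Unreachable). Addresses, arrival times and the 3-second timeout are constructed for the demo; the verdict names and the table size are this example's own, not the plugin's.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not spp_icmpspoof's own code: a minimal stateful matcher for
 * Echo traffic crossing a sensor, following the README's HOW IT WORKS section.
 * Two fixed-size tables stand in for the plugin's two circular linked lists. */

#define MAX_REQ 64
#define TIMEOUT 3   /* seconds a stored request stays matchable (plugin default) */

enum icmp_kind { ECHO_REQUEST, ECHO_REPLY, UNREACH_WITH_REQUEST, UNREACH_WITH_REPLY };
enum verdict   { V_IGNORED, V_STORED, V_MATCHED, V_ALERT_REPLY, V_ALERT_UNREACH };

/* One tracked Echo Request: sender, receiver, arrival time in seconds. */
struct req { uint32_t src, dst; long t; int used; };

/* Requests entering the protected net and requests leaving it. */
static struct req inbound[MAX_REQ], outbound[MAX_REQ];

/* Hypothetical protected net: 192.168.0.0/16 (the real plugin takes a CIDR list). */
static const uint32_t HOME_NET = 0xC0A80000u, HOME_MASK = 0xFFFF0000u;

static int is_home(uint32_t ip) { return (ip & HOME_MASK) == HOME_NET; }

/* Table a request src->dst belongs in, or NULL if it never crosses the sensor
 * (internal-to-internal or external-to-external traffic is not tracked). */
static struct req *table_for(uint32_t src, uint32_t dst)
{
    if (is_home(src) && !is_home(dst)) return outbound;
    if (!is_home(src) && is_home(dst)) return inbound;
    return NULL;
}

/* Store a request. A repeated (src, dst) pair only refreshes its timestamp,
 * mirroring "each receiver of a sender can be found only once in the list". */
static enum verdict store_request(uint32_t src, uint32_t dst, long now)
{
    struct req *tab = table_for(src, dst), *slot = NULL;
    if (!tab) return V_IGNORED;
    for (int i = 0; i < MAX_REQ; i++) {
        if (tab[i].used && tab[i].src == src && tab[i].dst == dst) {
            tab[i].t = now;
            return V_STORED;
        }
        if (!slot && (!tab[i].used || now - tab[i].t > TIMEOUT))
            slot = &tab[i];                  /* free or expired slot, reusable */
    }
    if (!slot) return V_IGNORED;             /* table full; the plugin's list would grow */
    slot->src = src; slot->dst = dst; slot->t = now; slot->used = 1;
    return V_STORED;
}

/* Is there a live request src->dst? Entries are not consumed on match, since
 * one request may legitimately draw both a reply and an error; only expiry
 * (the Timeout argument) retires them. */
static int find_request(uint32_t src, uint32_t dst, long now)
{
    struct req *tab = table_for(src, dst);
    if (!tab) return 0;
    for (int i = 0; i < MAX_REQ; i++)
        if (tab[i].used && tab[i].src == src && tab[i].dst == dst && now - tab[i].t <= TIMEOUT)
            return 1;
    return 0;
}

/* Classify one packet. For ECHO_REQUEST/ECHO_REPLY, src/dst are the outer IP
 * header; for UNREACH_WITH_*, they are taken from the Echo packet quoted in the
 * error's payload, which is what identifies the original request. */
enum verdict process(enum icmp_kind kind, uint32_t src, uint32_t dst, long now)
{
    switch (kind) {
    case ECHO_REQUEST:
        return store_request(src, dst, now);
    case ECHO_REPLY:                 /* a reply src->dst answers a request dst->src */
    case UNREACH_WITH_REPLY:
        if (!table_for(dst, src)) return V_IGNORED;
        return find_request(dst, src, now) ? V_MATCHED : V_ALERT_REPLY;
    case UNREACH_WITH_REQUEST:       /* the error quotes the request src->dst itself */
        if (!table_for(src, dst)) return V_IGNORED;
        return find_request(src, dst, now) ? V_MATCHED : V_ALERT_UNREACH;
    }
    return V_IGNORED;
}

int main(void)
{
    static const char *name[] = { "ignored", "stored", "matched",
        "ALERT reply without request (spoofed request elsewhere, or spoofed reply)",
        "ALERT error quoting a request the sensor never saw (spoofed request)" };
    const uint32_t H = 0xC0A8010Au, H2 = 0xC0A8010Bu;   /* 192.168.1.10, 192.168.1.11 */
    const uint32_t E = 0x0A000005u,  X = 0x0A000063u;   /* 10.0.0.5, 10.0.0.99 (does not exist) */
    struct { enum icmp_kind k; uint32_t s, d; long t; const char *what; } pkts[] = {
        { ECHO_REQUEST, H, E, 100, "H pings E, request leaves the net" },
        { ECHO_REPLY,   E, H, 101, "E answers within the timeout" },
        { ECHO_REPLY,   E, H, 104, "E answers again 4 s later, request has expired" },
        { UNREACH_WITH_REQUEST, H, X, 300, "Unreachable enters quoting H->X, never seen outbound" },
        { ECHO_REPLY,   H2, H, 400, "internal-to-internal reply, not tracked" },
    };
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++)
        printf("%-55s -> %s\n", pkts[i].what,
               name[process(pkts[i].k, pkts[i].s, pkts[i].d, pkts[i].t)]);
    return 0;
}
```

The fourth packet is the PURPOSE scenario: an Unreachable enters the net quoting a request from H that H never sent through the sensor, so someone outside spoofed H. The last packet shows the limitation from the EFFECT note: traffic that does not cross the protected-net boundary falls in neither table and is not checked. Matched requests are deliberately left in the table until they expire, because a single request can draw both a reply and an error, and only the Timeout argument decides when an answer is too late to be trusted.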