[intrusion] Filters using WinDump

  • From: "Javier Romero" <javier@xxxxxxxxxxxxxxxx>
  • To: <intrusion@xxxxxxxxxxxxx>
  • Date: Tue, 7 Jun 2005 10:50:54 -0500

Dear Julieta/Alberto/Walter/Ernesto,

Attached is a useful list that we developed in my area to make analysis faster (based on the course material). Use it freely. I will be sending you a challenge shortly so you can apply it.

--------------------------------------------------------------------------------

Summary of complex filters (without macro commands)

1. Based on Correct Fields

- ICMP Echo Request and Echo Reply

"(icmp[0:1]=0)" or "(icmp[0:1]=8)"

- TCP SYN packets

"(tcp[13:1]=0x02)"

- TCP ACK packets

"(tcp[13:1]=0x10)"

- TCP RST packets

"(tcp[13:1]=0x04)"

- TCP SYN or ACK packets

"(tcp[13:1]=0x02) or (tcp[13:1]=0x10)"

- TCP SYN or RST packets

"(tcp[13:1]=0x02) or (tcp[13:1]=0x04)"

- TCP SYN or FIN packets

"(tcp[13:1]=0x02) or (tcp[13:1]=0x01)"

- TCP SYN and ACK packets

"(tcp[13:1]=0x12)"

- SMTP: EHLO email.server.com

For these filters keep in mind that WinDump cannot search for strings longer than 4 bytes. To search for strings longer than 4 bytes, the logical operators must be used to chain comparisons of at most 4 bytes each:

String: EHLO email.server.com

tcp port 25 and "(tcp[20:4]=0x45484c4f)" and "(tcp[24:4]=0x20656d61)" and
"(tcp[28:4]=0x696c2e73)" and "(tcp[32:4]=0x65727665)" and
"(tcp[36:4]=0x722e636f)" and "(tcp[40:1]=0x6d)"

- SMTP: HELO email.server.com

tcp port 25 and "(tcp[20:4]=0x48454c4f)" and "(tcp[24:4]=0x20656d61)" and
"(tcp[28:4]=0x696c2e73)" and "(tcp[32:4]=0x65727665)" and
"(tcp[36:4]=0x722e636f)" and "(tcp[40:1]=0x6d)"

- SMTP: RCPT TO: <cuenta@xxxxxxxxxxxxxxxx>

tcp port 25 and "(tcp[20:4]=0x52435054)" and "(tcp[24:4]=0x20544f3a)" and
"(tcp[28:4]=0x203c6375)" and "(tcp[32:4]=0x656e7461)" and
"(tcp[36:4]=0x40656d61)" and "(tcp[40:4]=0x696c2e73)" and
"(tcp[44:4]=0x65727665)" and "(tcp[48:4]=0x722e636f)" and "(tcp[52:2]=0x6d3e)"

- SMTP: MAIL FROM: <cuenta@xxxxxxxxxxxxxxxx>

tcp port 25 and "(tcp[20:4]=0x4d41494c)" and "(tcp[24:4]=0x2046524f)" and
"(tcp[28:4]=0x4d3a203c)" and "(tcp[32:4]=0x6375656e)" and
"(tcp[36:4]=0x74614065)" and "(tcp[40:4]=0x6d61696c)" and
"(tcp[44:4]=0x2e736572)" and "(tcp[48:4]=0x7665722e)" and
"(tcp[52:4]=0x636f6d3e)"

- POP3: USER <libidonet@xxxxxxxxxxxxx>

tcp port 110 and "(tcp[20:4]=0x55534552)" and "(tcp[24:4]=0x206c6962)" and
"(tcp[28:4]=0x69646f6e)" and "(tcp[32:4]=0x6574406c)" and
"(tcp[36:4]=0x69626964)" and "(tcp[40:4]=0x6f6e6574)" and
"(tcp[44:4]=0x2e636f6d)"

- POP3 password search: PASS

tcp port 110 and "(tcp[20:4]=0x50415353)"
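An added example (my own Python, not code from the original post or from WinDump) that generates the and-chained byte comparisons above for any string, splitting it into the 4-, 2- and 1-byte accesses pcap accepts, and shows why the fixed tcp[20] offset misses the string when the TCP header carries options. The names string_to_bpf, segment_matches and SAMPLE_SEGMENT are my own; the options-aware form assumes the WinDump build accepts arithmetic inside the index expression, as tcpdump does; the sample segment is constructed.

```python
import struct

def _chunks(length):
    """Yield (start, size) pairs covering `length` bytes using only the sizes
    pcap byte access accepts (4, 2 or 1); a 3-byte tail becomes 2 + 1."""
    pos = 0
    while pos < length:
        for size in (4, 2, 1):
            if pos + size <= length:
                yield pos, size
                pos += size
                break

def string_to_bpf(text, port=25, options_aware=False):
    """Build the and-chained byte comparisons WinDump needs for a string longer
    than 4 bytes, matched from the first TCP payload byte (the EHLO filter style)."""
    data = text.encode("ascii")
    terms = []
    for start, size in _chunks(len(data)):
        if options_aware:
            # read the data offset from tcp[12] so TCP options do not shift the match
            # (assumes the WinDump build accepts arithmetic in the index, as tcpdump does)
            index = "((tcp[12]&0xf0)>>2)+%d" % start
        else:
            index = str(20 + start)  # fixed offset: assumes a 20-byte TCP header
        terms.append('"(tcp[%s:%d]=0x%s)"' % (index, size, data[start:start + size].hex()))
    return "tcp port %d and %s" % (port, " and ".join(terms))

def segment_matches(text, segment, fixed_offset=None):
    """Check a raw TCP segment the way the two styles do: at a fixed offset, or at
    the data offset (high nibble of tcp[12] times 4) the header declares."""
    if fixed_offset is None:
        fixed_offset = (segment[12] >> 4) * 4
    return segment[fixed_offset:fixed_offset + len(text)] == text.encode("ascii")

# Constructed sample: fixed 20-byte TCP header plus 8 bytes of options (MSS 1460,
# NOP, NOP, SACK-permitted), so data offset 7, then an EHLO line. Seq/ack/checksum are dummies.
SAMPLE_SEGMENT = (struct.pack("!HHIIBBHHH", 40000, 25, 1, 1, 7 << 4, 0x18, 8192, 0, 0)
                  + b"\x02\x04\x05\xb4\x01\x01\x04\x02"
                  + b"EHLO email.server.com\r\n")

if __name__ == "__main__":
    print(string_to_bpf("EHLO email.server.com"))
    print(string_to_bpf("EHLO email.server.com", options_aware=True))
    for off in (20, None):
        print("fixed offset 20:" if off else "header data offset:",
              segment_matches("EHLO email.server.com", SAMPLE_SEGMENT, off))
```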

 

2. Based on Erroneous Fields or Hacking Attempts

- TCP Null-flag packets

"(tcp[13:1]&0x3f=0)"

- TCP FIN packets

"(tcp[13:1]=0x01)"

- TCP PUSH packets

"(tcp[13:1]=0x08)"

- TCP UNNUMBERED (URG flag only) packets

"(tcp[13:1]=0x20)"

- TCP RESERVED flag packets

"(tcp[13:1]&0xc0!=0)"

- TCP SYN and RST packets

"(tcp[13:1]=0x06)"

- TCP SYN and FIN packets

"(tcp[13:1]=0x03)"

- TCP RST and FIN packets

"(tcp[13:1]=0x05)"

- Unknown IP protocol

"(ip[9:1]>101)"

- IP fragmentation

"(ip[6:1]&0x20!=0x00)"

- Impossible fragmentation

"(ip[6:1]&0x20!=0)" and "((ip[2:2]-((ip[0:1]&0x0f)*4))&0x7!=0)"

- IP Options set

"(ip[0:1]&0x0f>0x05)"

- Source-routed packets

"((ip[19:1]=0xff) or (ip[19:1]=0x00))" or "(ip[0:1]&0x0f>0x05)" and
"((ip[20:1]=0x83) or (ip[20:1]=0x89))"

- Land Attack - Impossible IP Packet

ip[12:4] = ip[16:4]

- IP Options DoS Attack against Raptor Firewall v. 6.0

"(ip[0:1]&0x0f>0x05)" and "(ip[20:2]=0x4400)"

- IP Improper Addresses

net 10 or net 127 or net 169.254 or
"(net 172 and (((ip[13]>15) and (ip[13]<32)) or ((ip[17]>15) and (ip[17]<32))))" or
dst net 0 or "(src net 0 and not src host 0.0.0.0)" or
net 1 or net 2 or net 5 or net 23 or net 31 or
"((ip[12]>=65) and (ip[12]<=127))" or "((ip[16]>=65) and (ip[16]<=127))" or
net 191.255 or net 128.0 or net 197 or net 201 or net 223 or "(ip[12]>239)" or net 255

- ICMP Host Unreachable

"(icmp[0:1]=3)"

- ICMP Source Quench

"(icmp[0:1]=4)"

- ICMP Redirect

"(icmp[0:1]=5)"

- ICMP Router Discovery Attack

"(icmp[0:1]=9)" and "((icmp[12:4]=0x03e8) or (icmp[20:4]=0x03e8) or (icmp[28:4]=0x03e8) or ...)"

- ICMP Time Exceeded for a Datagram

"(icmp[0:1]=11)"

- ICMP Parameter Problem Attack

"(icmp[0:1]=12)" and "(icmp[8:1]>5)"

- ICMP Timestamp Attack

"(icmp[0:1]=13)" and "(icmp[1:1]=0)" and "(icmp[4:2]=0xffff)" and "(icmp[6:2]=0xffff)"

- ICMP Timestamp Reply

"(icmp[0:1]=14)"

- ICMP Smurf Attack: Broadcast Echo Request

icmp and "(ip[19]=0xff)" and "(icmp[0]=8)"

- ICMP Mask Request and Mask Reply

"(icmp[0:1]=17)" or "(icmp[0:1]=18)"

- Loki (according to the original version)

"((icmp[0:1]=8) or (icmp[0:1]=0))" and "((icmp[6:2]=0xf001) or (icmp[6:2]=0x01f0))"

- Ping of Death Attack

icmp and "((ip[2:2]-((ip[0:1]&0x0f)*4)+((ip[6:2]&0x1fff)*8))>65535)"

- BackOrifice 2000: UDP

"(udp[8:4]=0xce63d1d2)" and "(udp[12:4]=0x16e713cf)"

- Traceroute filters based on UDP

"(udp[2:2]>=33000)" and "(udp[2:2]<=34999)"

- Teardrop attack

udp and "((ip[6:1]&0x20!=0) or (ip[6:2]&0x1fff!=0))"

- Sesquipedalian: Against Linux O.S.

"(ip[6:1]&0x20!=0)" and "(ip[6:2]&0x1fff=0)" and "((ip[2:2])=((ip[0:1]&0x0f)*4))"
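An added example (my own Python, not code from the original post) that applies the header arithmetic the IP filters above encode (ip[0]&0x0f for the header length, ip[2:2] total length, ip[6] flags and fragment offset, ip[12:4] and ip[16:4] addresses) to constructed packets, so the Impossible fragmentation, Ping of Death, IP Options set and Land Attack conditions can be checked offline. The make_ipv4 and matching_filters names are my own; the packets are constructed with a zero checksum.

```python
import struct

def make_ipv4(payload_len, src, dst, proto=1, mf=False, frag_off=0, options=b""):
    """Constructed IPv4 packet (checksum left at zero) for exercising the filters;
    `src`/`dst` are 4-tuples, `options` must be a multiple of 4 bytes."""
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + payload_len
    flags_frag = (0x2000 if mf else 0) | (frag_off & 0x1fff)   # MF is bit 0x20 of ip[6]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, total_len, 0x1234,
                      flags_frag, 64, proto, 0, bytes(src), bytes(dst))
    return hdr + options + b"\x00" * payload_len

def _hlen(pkt):        # (ip[0:1]&0x0f)*4
    return (pkt[0] & 0x0f) * 4

def _total_len(pkt):   # ip[2:2]
    return struct.unpack("!H", pkt[2:4])[0]

def ip_options_set(pkt):        # "(ip[0:1]&0x0f>0x05)"
    return (pkt[0] & 0x0f) > 0x05

def impossible_fragment(pkt):   # "(ip[6:1]&0x20!=0)" and "((ip[2:2]-((ip[0:1]&0x0f)*4))&0x7!=0)"
    return (pkt[6] & 0x20) != 0 and ((_total_len(pkt) - _hlen(pkt)) & 0x7) != 0

def ping_of_death(pkt):         # icmp and "((ip[2:2]-((ip[0:1]&0x0f)*4)+((ip[6:2]&0x1fff)*8))>65535)"
    frag_off = struct.unpack("!H", pkt[6:8])[0] & 0x1fff
    return pkt[9] == 1 and (_total_len(pkt) - _hlen(pkt) + frag_off * 8) > 65535

def land_attack(pkt):           # ip[12:4] = ip[16:4]
    return pkt[12:16] == pkt[16:20]

FILTERS = (("IP Options set", ip_options_set), ("Impossible fragmentation", impossible_fragment),
           ("Ping of Death Attack", ping_of_death), ("Land Attack", land_attack))

def matching_filters(pkt):
    """Names of the filters above that would select this packet."""
    return [name for name, check in FILTERS if check(pkt)]

if __name__ == "__main__":
    samples = {
        "normal echo": make_ipv4(64, (10, 0, 0, 1), (10, 0, 0, 2)),
        "MF set, 100-byte payload": make_ipv4(100, (10, 0, 0, 1), (10, 0, 0, 2), mf=True),
        "last fragment at offset 8189": make_ipv4(40, (10, 0, 0, 1), (10, 0, 0, 2), frag_off=8189),
        "src == dst with NOP options": make_ipv4(8, (10, 0, 0, 1), (10, 0, 0, 1), options=b"\x01" * 4),
    }
    for label, pkt in samples.items():
        print("%-32s %s" % (label, matching_filters(pkt)))
```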

 

- Diagnostic Port Attack

udp and "(port 7 or port 13 or port 19 or port 37)"

- Fragmented IGMP Attack

igmp and "((ip[6:1]&0x20!=0) or (ip[6:2]&0x1fff!=0))"

- Smurf Attack

"(ip[19]=0xff)" or "(ip[19]=0x00)"

- DNS Server Failure

"(udp[11:1]=0x82)"

- Windows Registry Access or Denied File Access

tcp port 139 and "(tcp[20:1]=0x00) and ((tcp[28:2]=0x2d02) and
(tcp[31:2]=0x0400) or (tcp[28:2]=0x2d00))"

- Low Numbered UDP Ports: Diagnostic Prelude Attack

"(udp[0:2]<20)" or "(udp[2:2]<20)"

- UDP Bomb

udp port 53 and "((((ip[2:2]&0xffff)-((ip[0:1]&0x0f)*4))!=(udp[4:2])))"

- UDP Snork

"(udp src port 135 or src port 7 or src port 19)" and "(udp dst port 135)"

- Fragmented UDP

udp and "((ip[6:1]&0x20!=0) or (ip[6:2]&0x1fff!=0))"

- UDP Malformed Packet

"(udp[4:2]<8)"

- UDP Chargen DoS

udp src port 7 and udp dst port 19

- UDP nmap OS Determination Probe

"(udp[2:2]>=30000)" and "(udp[2:2]<=44780)" and "(udp[4:2]=308)"

- UDP Syslog Vulnerability

"(udp dst port 514)" and "(udp[4:2]=8)"

- UDP NBTStat

udp port 137 and "((udp[55:1]=0x15) or (udp[54:1]=0x21))"

- BO2k UDP Packets

"(udp[10:2]=0)" and "((ip[2:2]-((ip[0]&0x0f)*4)-8-4)=((udp[9]*256)+udp[8]))"

- BO2k TCP Packets

"(tcp[22:2]=0)" and "((ip[2:2]-((ip[0]&0x0f)*4)-20-4)=((tcp[21]*256)+tcp[20]))"

- TCP Services Network Scan

tcp and "(dst port 143 or dst port 80 or dst port 25 or dst port 23 or dst port
1080 or dst port 110)"

or, alternatively:

tcp and "(((dst port 80) and (not host 200.14.241.5)) or ((dst port 25) and
(not host 200.14.241.6)))"

- SMTP command: VRFY

tcp port 25 and "((tcp[20:4]=0x56524659) or (tcp[20:4]=0x76726679))"

- SMTP command: EXPN

tcp port 25 and "((tcp[20:4]=0x4558504e) or (tcp[20:4]=0x6578706e))"

- SMTP command: NOOP

tcp port 25 and "((tcp[20:4]=0x4e4f4f50) or (tcp[20:4]=0x6e6f6f70))"

- Quake I/II

"(src net 192.168.40)" and "(udp[2:2]>26999)" and "(udp[2:2]<28000)"

- Tribe Flood Network

tcp port 27665 or udp port 31335 or udp port 27444

- Stacheldraht

tcp port 16660 or tcp port 65000

- Shaft

tcp port 20432 or udp port 20433 or udp port 18753


Capture of an ANY query for hotmail.com

udp[21:4]=0x686f746d and udp[25:4]=0x61696c03 and udp[29:2]=0x636f

Capture of a DNS Server Fail query

udp[11:1]=0x82

Capture of an ANY query for windowsupdate.com

udp[21:4]=0x77696e64 and udp[25:4]=0x6f777375 and udp[29:4]=0x70646174 and
udp[33:4]=0x6503636f


