[Dshield] Communication when emails are being watched

DAN MORRILL dan_20407 at msn.com
Thu Dec 25 01:01:10 GMT 2003


I am not the best snort rule writer, but would do something like this:

Original Rule (Snort ICMP INFO Set)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING BeOS4.x"; 
reference:arachnids,151; sid:370;  classtype:misc-activity; rev:4;)


alert icmp $External_net any -> $home_net any (msg:"Large ICMP Packet 
Capture"' content:""; type 8;depth32;classtype:misc-activity-icmp:rev:1;)

that would capture all type 8 icmp packets with any content. However, I 
would most likely want to grab the whole packet, and I am not sure that the 
rule woulld do this.

Please feel free to mod, delete, or otherwise spindle this rule. Provided 
as-is with no reference in that it may be suitable for anything what so ever 
at any time, in any time zone or period of time from day 0 to some other 
date way in the future that we are not even thinking about (don't you wish 
all eula's were like this?) in the program code so if it blows up in 2038, 
please upgrade with our new expensive version of the software.


Sometimes MSN E-mail will indicate that the mesasge failed to be delivered. 
Please resend when you get those, it does not mean that the mail box is bad, 
merely that MSN mail is over worked at the time.

Otherwise, hope things are going well.

>From: JD <lists at webcrunchers.com>
>Reply-To: General DShield Discussion List <list at dshield.org>
>To: General DShield Discussion List <list at dshield.org>
>Subject: Re: [Dshield] Communication when emails are being watched
>Date: Wed, 24 Dec 2003 11:37:08 -0800
>On Dec 24, 2003, at 7:13 AM, DAN MORRILL wrote:
>>You do have support for embedding messages in PING packets. That has been 
>>a viable and valid covert channel for years at this point. They even 
>>talked about it at a SANS conference that I went to and showed images 
>>embedded in an ICMP packet that were captured at a honey pot. So not being 
>>paranoid at all, especially since the channel exists, and has been used in 
>>the past.
>>Since the packet though will be larger, you could probably tack on a rule 
>>that says If ICMP has "Data Payload" > 25 then capture >> largeicmp.log
>How hard would it be to write a snort rule for this?
>list mailing list
>list at dshield.org
>To change your subscription options (or unsubscribe), see: 

Have fun customizing MSN Messenger — learn how here!  

More information about the list mailing list