ICMP增强型snort规则

本文介绍了ICMP协议的基础概念,重点讲解了如何使用Snort规则检测ping不可达事件,并展示了针对不同类型ICMP报文的高级检测规则,包括恶意扫描、网络探测和安全威胁。通过实例演示,读者将了解如何设置和应用这些规则以增强网络安全防护。

摘要生成于 C知道 ,由 DeepSeek-R1 满血版支持, 前往体验 >

一 ICMP协议简介

ICMP(internet control message protocol)是面向无连接、不可靠的、基于网络层的消息控制协议,它可以传输数据报错信息、网络状况信息、主机状况信息等。

1.ICMP数据封装

 ICMP报文是使用IP数据报来封装和发送的,携带ICMP报文的IP数据报完全像其他类型数据的数据报那样在网络中被转发,没有额外的可靠性和优先级,由于IP数据报本身被放在底层物理数据帧中进行发送,因此,ICMP报文本身也可能丢失或者出现传输错误。

2.ICMP报文类型

  ICMP报文可以分为两大类:ICMP差错报告报文和ICMP查询报文。差错报告报文主要用来向IP数据报源主机返回一个差错报告信息,查询报文用于一台主机向另一台主机查询特定的信息,通常查询报文是成对出现的,即源主机发起一个查询报文,在目的主机收到该报文后,会按照查询报文约定的格式为源主机返回一个应答报文。

注意, ICMP差错报文并不能纠正差错,它只是简单地报告差错。

二 使用snort规则检测ping不可达事件

ping命令是使用ICMP协议,现在需要制定snort规则,对ping不可达事件进行告警,具体snort规则如下:

include classification.config
alert icmp any any -> any any (msg:"ICMP Destination Unreachable."; itype:3; icode:1; sid:48511; rev:4;)

 1.classification.config是在snort配置文件,具体如下所示:

2.itype是icmp类型,表明Destination unreachable

3.icode是icmp相关代码,表明Host unreachable

4.使用命令抓包:

ping 10.20.92.173  #ping不通
tcpdump  -i ens192 -w ping.pcap #从网卡ens192抓包保存到ping.pcap文件

 5.使用wireshark打开可见:

其中type对应itype,code对应icode。

6.运行命令:

snort -A console  -c snort1.conf -i ens192  #开启snort
tcpreplay -i ens192 -M 10 ping.pcap         #回包测试

 snort告警如下所示:

三 增加型ICMP snort规则

include classification.config
ipvar EXTERNAL_NET any
ipvar HOME_NET any
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; reference:arachnids,158; classtype:attempted-recon; sid:465; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP L3retriever Ping"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; reference:arachnids,311; classtype:attempted-recon; sid:466; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Nemesis v1.1 Echo"; dsize:20; icmp_id:0; icmp_seq:0; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:arachnids,449; classtype:attempted-recon; sid:467; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP icmpenum v1.1.1"; dsize:0; icmp_id:666 ; icmp_seq:0; id:666; itype:8; reference:arachnids,450; classtype:attempted-recon; sid:471; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect host"; icode:1; itype:5; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect net"; icode:0; itype:5; reference:arachnids,199; reference:cve,1999-0265; classtype:bad-unknown; sid:473; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP superscan echo"; dsize:8; itype:8; content:"|00 00 00 00 00 00 00 00|"; classtype:attempted-recon; sid:474; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP traceroute ipopts"; ipopts:rr; itype:0; reference:arachnids,238; classtype:attempted-recon; sid:475; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP webtrends scanner"; icode:0; itype:8; content:"|00 00 00 00|EEEEEEEEEEEE"; reference:arachnids,307; classtype:attempted-recon; sid:476; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Source Quench"; icode:0; itype:4; classtype:bad-unknown; sid:477; rev:2;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Broadscan Smurf Scanner"; dsize:4; icmp_id:0; icmp_seq:0; itype:8; classtype:attempted-recon; sid:478; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING speedera"; itype:8; content:"89|3A 3B|<=>?"; depth:100; classtype:misc-activity; sid:480; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP TJPingPro1.1Build 2 Windows"; itype:8; content:"TJPingPro by Jim"; depth:32; reference:arachnids,167; classtype:misc-activity; sid:481; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING WhatsupGold Windows"; itype:8; content:"WhatsUp - A Netw"; depth:32; reference:arachnids,168; classtype:misc-activity; sid:482; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING CyberKit 2.2 Windows"; itype:8; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|"; depth:32; reference:arachnids,154; classtype:misc-activity; sid:483; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Sniffer Pro/NetXRay network scan"; itype:8; content:"Cinco Network, Inc."; depth:32; classtype:misc-activity; sid:484; rev:4;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication Administratively Prohibited"; icode:13; itype:3; classtype:misc-activity; sid:485; rev:4;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited"; icode:10; itype:3; classtype:misc-activity; sid:486; rev:4;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited"; icode:9; itype:3; classtype:misc-activity; sid:487; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP digital island bandwidth query"; content:"mailto|3A|ops@digisle.com"; depth:22; classtype:misc-activity; sid:1813; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:4;)

 

 

https://github.com/eldondev/Snort/blob/master/rules/icmp.rules

四 snort检测插件对icmp type字段解析

1.代码目录:snort源码/src/detection-plugins/sp_icmp_type_check.h sp_icmp_type_check.c

2.检测插件开启及初始化

(1)开启:SetupIcmpTypeCheck

(2)初始化:IcmpTypeCheckInit

3.解析type及其数值

// data指向snort icmp规则
// otn指向snort三维链表
void ParseIcmpType(struct _SnortConfig *sc, char *data, OptTreeNode *otn)
{
    ...
}

4.icmp type比较

// option_data:解析后的type结构
// p:指向网络包
void IcmpTypeCheck(void *option_data, Packet *p)
{
    ...
}

 

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值