
byte_offsets.txt

Translator: Helvin
Quote:
Intro
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
This document is meant to serve as a quick reference for points
of interest in IP, TCP, UDP and ICMP headers. I cobbled the
information from a variety of sources, all listed at the bottom
of this page. This information will (hopefully) be useful to
people building filters for network tools that use BPF, such
as tcpdump or snort. I was moved to collect all of this stuff
in one place after completing "Intrusion Detection In-Depth"
at a recent SANS conference. Yes, I'm aware that some of these
offsets are covered by tcpdump macros. So what? Use the byte
offsets instead and let them ph33r your m@d sk1lz. Corrections,
additions and so on are welcome. Send them to:

jquinby (at) node.to

Cheers,
JQ


IP byte offsets
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

ip[0] & 0xf0                - protocol version (high nibble)
ip[0] & 0x0f                - internet header length (low nibble, in 32-bit words; (ip[0]&0x0f)<<2 gives bytes)
ip[1]                        - TOS
ip[2:2]                        - Total length
ip[4:2]                        - IP identification
ip[6] & 0xe0                - IP flags (reserved, DF, MF)
ip[6:2] & 0x1fff         - fragment offset area
ip[8]                        - TTL
ip[9]                        - protocol field
ip[10:2]                - header checksum
ip[12:4]                - src IP address
ip[16:4]                - dst IP address
ip[20]                        - options begin (only when IHL > 5; variable length, padded to a 32-bit boundary)

Src IP = Dest IP (land attack)
(ip[12:4] = ip[16:4])

IP versions !=4
(ip[0] & 0xf0 != 0x40)

IP with options set:
(ip[0:1] & 0x0f > 5)

Broadcasts to x.x.x.255:
(ip[19] = 0xff)

Broadcasts to x.x.x.0
(ip[19] = 0x00)


TCP byte offsets, including anomalous TCP flag settings.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

tcp[0:2]                - src port
tcp[2:2]                - dst port
tcp[4:4]                - seq number
tcp[8:4]                - ack number
tcp[12] & 0xf0                - data offset (high nibble, header length in 32-bit words; tcp[12]>>2 gives bytes)
tcp[12] & 0x0f                - reserved
tcp[13]                        - tcp flags

tcp[13] & 0x3f = 0        - no flags set (null packet)
tcp[13] & 0x11 = 1        - FIN set and ACK not set
tcp[13] & 0x03 = 3        - SYN set and FIN set
tcp[13] & 0x05 = 5        - RST set and FIN set
tcp[13] & 0x06 = 6        - SYN set and RST set
tcp[13] & 0x18 = 8        - PSH set and ACK not set
tcp[13] & 0x30 = 0x20        - URG set and ACK not set
tcp[13] & 0xc0 != 0        - at least one of the reserved bits of tcp[13] is set

tcp[14:2]                - window
tcp[16:2]                - checksum
tcp[18:2]                - urgent pointer
tcp[20]                        - options begin (only when data offset > 5; variable length, padded to a 32-bit boundary)
tcp[(tcp[12]>>2)]        - data begins

UDP byte offsets, header only
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

udp[0:2]                - src port
udp[2:2]                - dst port
udp[4:2]                - length
udp[6:2]                - checksum
udp[8:4]                - first 4 octets of data

Crafted packets with impossible UDP lengths:
(udp[4:2] < 8) or (udp[4:2] > 1500)


ICMP
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

icmp[0]                        - type
icmp[1]                        - code
icmp[2:2]                - checksum

Destination Unreachable:
icmp[0] = 0x3 (3)

icmp[4:4]                - unused (per RFC)
icmp[8:4]                - internet header + 64 bits original data
icmp[1]                        - 0 = net unreachable;
                        - 1 = host unreachable;
                        - 2 = protocol unreachable;
                        - 3 = port unreachable;
                        - 4 = fragmentation needed and DF set;
                        - 5 = source route failed.

Time Exceeded:
icmp[0] = 0xB (11)

icmp[4:4]                - unused (per RFC)
icmp[8:4]                - internet header + 64 bits original data
icmp[1]                        - 0 = TTL exceeded in transit
                        - 1 = fragment reassembly time exceeded

Parameter Problem:
icmp[0] = 0xC (12)

icmp[1]                        - 0 = pointer indicates error
icmp[4]                        - pointer
icmp[5:3]                - unused, per RFC
icmp[8:4]                - internet header + 64 bits original data


Source Quench:
icmp[0] = 0x4 (4)

icmp[1]                        - 0 = may be received by gateway or host
icmp[4:4]                - unused, per RFC
icmp[8:4]                - internet header + 64 bits original data

Redirect Message:
icmp[0] = 0x5 (5)

icmp[1]                        - 0 = redirect for network
                        - 1 = redirect for host
                        - 2 = redirect for TOS & network
                        - 3 = redirect for TOS & host
icmp[4:4]                - gateway internet address
icmp[8:4]                - internet header + 64 bits original data

Echo/Echo Reply:
icmp[0]        = 0x0 (0) (echo reply)
icmp[0]        = 0x8 (8) (echo request)

icmp[4:2]                - identifier
icmp[6:2]                - sequence number
icmp[8]                        - data begins
               
Timestamp/Timestamp Reply:
icmp[0] = 0xD (13) (timestamp request)
icmp[0] = 0xE (14) (timestamp reply)

icmp[1]                        - 0
icmp[4:2]                - identifier
icmp[6:2]                - sequence number
icmp[8:4]                - originate timestamp
icmp[12:4]                - receive timestamp
icmp[16:4]                - transmit timestamp

Information Request/Reply:
icmp[0] = 0xF (15) (info request)
icmp[0] = 0x10  (16) (info reply)

icmp[1]                        - 0
icmp[4:2]                - identifier
icmp[6:2]                - sequence number

Address Mask Request/Reply:
icmp[0] = 0x11 (17) (address mask request)
icmp[0] = 0x12 (18) (address mask reply)


Sources:

RFC768, "User Datagram Protocol Specification"
RFC791, "Internet Protocol Specification"
RFC792, "Internet Control Message Protocol Specification"
RFC793, "Transmission Control Protocol"
filter files from SHADOW-1.8 source distribution
man pages for tcpdump
"TCP/IP and tcpdump Pocket Reference Guide", SANS
大隐于市

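As an added worked example (not part of byte_offsets.txt or JQ's text), the following Python evaluates several of the IP and TCP anomaly filters from the reference above with the same byte-offset arithmetic tcpdump uses: `ip[off:n]` reads `n` big-endian bytes from the start of the IPv4 header, and `tcp[off:n]` reads relative to the transport header, which begins after IHL*4 bytes. The accessor names, the check list and the two sample packets are constructed for this example; packets are assumed to start at the IPv4 header with no link-layer framing, and checksums are left zero because none of these filters inspect them.

```python
import struct

# Added example: evaluate byte-offset filters on raw packets the way tcpdump does.
# Packets start at the IPv4 header (no link layer); checksums stay zero.
# Names and sample packets are constructed here, not from byte_offsets.txt.

def ip(pkt, off, n=1):
    """ip[off:n] - n big-endian bytes at offset off from the IPv4 header."""
    return int.from_bytes(pkt[off:off + n], "big")

def ip_hdr_len(pkt):
    """(ip[0] & 0x0f) << 2 - IHL is the low nibble of ip[0], in 32-bit words."""
    return (pkt[0] & 0x0f) << 2

def tcp(pkt, off, n=1):
    """tcp[off:n] - relative to the TCP header, which starts after IHL*4 bytes."""
    base = ip_hdr_len(pkt)
    return int.from_bytes(pkt[base + off:base + off + n], "big")

# TCP flag bits carried in tcp[13]
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# (label, predicate) pairs mirroring the filters listed in the reference
IP_CHECKS = [
    ("ip version != 4",      lambda p: ip(p, 0) & 0xf0 != 0x40),
    ("ip options present",   lambda p: ip(p, 0) & 0x0f > 5),
    ("land (src == dst)",    lambda p: ip(p, 12, 4) == ip(p, 16, 4)),
    ("broadcast .255",       lambda p: ip(p, 19) == 0xff),
    ("fragment offset != 0", lambda p: ip(p, 6, 2) & 0x1fff != 0),
]
TCP_CHECKS = [
    ("null packet",          lambda p: tcp(p, 13) & 0x3f == 0),
    ("FIN without ACK",      lambda p: tcp(p, 13) & (FIN | ACK) == FIN),
    ("SYN+FIN",              lambda p: tcp(p, 13) & (SYN | FIN) == SYN | FIN),
    ("SYN+RST",              lambda p: tcp(p, 13) & (SYN | RST) == SYN | RST),
    ("PSH without ACK",      lambda p: tcp(p, 13) & (PSH | ACK) == PSH),
    ("URG without ACK",      lambda p: tcp(p, 13) & (URG | ACK) == URG),
    ("reserved bits set",    lambda p: tcp(p, 13) & 0xc0 != 0),
]

def matches(pkt):
    """Return the labels of every filter the packet satisfies."""
    hits = [label for label, pred in IP_CHECKS if pred(pkt)]
    if ip(pkt, 9) == 6:                    # ip[9] = protocol; 6 = TCP
        hits += [label for label, pred in TCP_CHECKS if pred(pkt)]
    return hits

def build_ipv4_tcp(src, dst, sport, dport, flags, ip_options=b""):
    """Constructed IPv4+TCP packet; ip_options must be a multiple of 4 bytes."""
    assert len(ip_options) % 4 == 0
    ihl = 5 + len(ip_options) // 4
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    total = ihl * 4 + len(tcp_hdr)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0x1234, 0,
                         64, 6, 0, bytes(src), bytes(dst)) + ip_options
    return ip_hdr + tcp_hdr

if __name__ == "__main__":
    # an ordinary SYN from 10.0.0.1 to 10.0.0.2 matches nothing
    normal = build_ipv4_tcp((10, 0, 0, 1), (10, 0, 0, 2), 40000, 80, SYN)
    print(matches(normal))
    # src == dst, a .255 destination, four NOP IP options, SYN+FIN and a reserved bit
    crafted = build_ipv4_tcp((10, 0, 0, 255), (10, 0, 0, 255), 80, 80,
                             SYN | FIN | 0x40, ip_options=b"\x01\x01\x01\x01")
    print(matches(crafted))
```

The second packet carries IP options, so its TCP header starts at byte 24 rather than 20; reading `tcp[13]` through `ip_hdr_len` is what keeps the flag checks correct there, exactly as tcpdump's `tcp[]` indexing does.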

Quote:
# A collection of tcpdump filters.
# [[shells might require escaping of special characters]]
# ==
# This document: http://www.rdrs.net/document/
# Related: http://www.rdrs.net/snippets/src/pcap_example.c
# Last update: Tue Dec 28, 2004
# ==
# If you have tips, suggestions or additional filters
# that haven't been listed here, drop me a short note.
# Address info can be found at http://www.rdrs.net/about.html
#
# Thnkx..
#
#

#######
# TCP
#
# filter ssh
tcp[(tcp[12]>>2):4] = 0x5353482D && (tcp[((tcp[12]>>2)+4):2] = 0x312E || \
tcp[((tcp[12]>>2)+4):2] = 0x322E)

# filter "combine" rlogin
(tcp[(ip[2:2]-((ip[0]&0x0f)<<2))-1]=0) && \
((ip[2:2]-((ip[0]&0x0f)<<2) - (tcp[12]>>2)) != 0) && \
((ip[2:2]-((ip[0]&0x0f)<<2) - (tcp[12]>>2)) <= 128)

# filter ftp
tcp[(tcp[12]>>2):4] = 0x3232302d || tcp[(tcp[12]>>2):4] = 0x32323020

# URG set and ACK not set
tcp[13] & 0x30 = 0x20

# IMAP service exploit
tcp && (tcp[13] & 2 != 0) && (dst port 143)

# filter root backdoor
tcp[(tcp[12]>>2):2] = 0x2320 && \
(ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) == 2

# RST set and FIN set
tcp[13] & 0x05 = 5

# filter out napster
((ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) = 4 && \
tcp[(tcp[12]>>2):4] = 0x53454e44) || \
((ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) = 3 && \
tcp[(tcp[12]>>2):2] = 0x4745 && tcp[(tcp[12]>>2)+2]=0x54)

# telnet
tcp[2:2] = 23
# again telnet but better...
(tcp[(tcp[12]>>2):2] > 0xfffa) && (tcp[(tcp[12]>>2):2] < 0xffff)

# attempted ftp connection to other hosts on the network than the ftp server
dst net 82.48.9.1/22 && dst port 21 \
&& (tcp[13] & 0x3f = 2) && !(dst host ftp.bla.org)

# attempts to include data on the initial SYN.
tcp[13] & 0xff = 2 && \
(ip[2:2] - ((ip[0] & 0x0f) * 4) - ((tcp[12] & 0xf0) / 4)) != 0

# active open (syn set without ack)
(tcp[13] & 0x12 = 2)

# winnuke DOS attack
(tcp[2:2] = 139) && (tcp[13] & 0x20 != 0) && (tcp[19] & 0x01 = 1)

# destination port less than 1024
tcp[2:2] < 1024

# SYN set and FIN set
tcp[13] & 0x03 = 3

# one of the reserved bits of tcp[13] is set
tcp[13] & 0xc0 != 0

# DNS zone transfer
tcp && dst port 53

# active open connection, syn is set, ack is not
tcp[13] & 0x12 = 2

# X11 ports
(tcp[2:2] >= 6000) && (tcp[2:2] < 7000)

# TCP port 6667 with ACK flag set whose payload (located via the TCP data offset)
# does not start with the ASCII words "PING", "PONG", "JOIN", or "QUIT".
(tcp[13] & 0x10 != 0) && (tcp[0:2]=6667 || tcp[2:2]=6667) \
&& not (tcp[(tcp[12]>>2):4] = 1346981447 || tcp[(tcp[12]>>2):4] = 1347374663 \
|| tcp[(tcp[12]>>2):4] = 1246710094 || tcp[(tcp[12]>>2):4] = 1364543828)

# except ack push
(tcp[13] & 0xe7) != 0

# all packets with the PUSH flag set
tcp[13] & 8 != 0

# all packets with the RST flag set
tcp[13] & 4 != 0

# filter out gnutella
tcp[(tcp[12]>>2):4] = 0x474e5554 && \
tcp[(4+(tcp[12]>>2)):4] = 0x454c4c41 && tcp[8+(tcp[12]>>2)] = 0x20

# catch default hping 2 pings
tcp[3] = 0 && tcp[13] = 0

# FIN set and ACK not set
tcp[13] & 0x11 = 1      

# null scan filter with no flags set
tcp[13] = 0
# could also be written as
tcp[13] & 0xff = 0

# no flags set, null packet
tcp[13] & 0x3f = 0

# syn-fyn
tcp[13] = 3

# syn-fyn both flags set
(tcp[13] & 0x03) = 3

# only syn..
(tcp[13] & 0x02) != 0

# reserved bits set
tcp[13] >= 64

# incoming http requests
(tcp[13:1]&18 = 2) && (port 80) && (ip dst 192.168.1.40)

# broadcasts x.x.x.255
ip[19] = 0xff

# broadcasts x.x.x.0
ip[19] = 0x00

# Incoming SYN packets
tcp && (tcp[13] & 0x02 != 0) && \
(tcp[13] & 0x10 = 0) && (not dst port 53) && \
(not dst port 80) && (not dst port 25) && (not dst port 21)

# SMB
dst port 139 && tcp[13:1] & 18 = 2

# ACK flag set, ack value is ZERO. Not normal for three-way handshake.
# Possible capture of NMAP(1) os fingerprinting.
tcp[13] & 0xff = 0x10 && tcp[8:4] = 0
# high-order reserved bits should be ZERO. NMAP(1) sometimes sets the
# bit that is in the 64 position for os fingerprinting.
tcp[13] >= 64

# SYN set and RST set
tcp[13] & 0x06 = 6

# PSH set and ACK not set
tcp[13] & 0x18 = 8

# Some filters combined for a general [catch [[bad]] events filter]
(tcp && (tcp[13] & 3 != 0) && ((dst port 143) || \
(dst port 111) || (tcp[13] & 3 != 0 && tcp[13] & 0x10 = 0 && \
dst net 172.16 && dst port 1080) || \
(dst port 512 || dst port 513 || dst port 514) || \
((ip[19] = 0xff) && not (net 172.16/16 || net 192.168/16)) || \
(ip[12:4] = ip[16:4]))) || (not tcp && igrp && not dst port 520 && \
((dst port 111) || (udp port 2049) || ((ip[19] = 0xff) && \
not (net 172.16/16 || net 192.168/16)) || (ip[12:4] = ip[16:4])))

# RIP info
-s 1024 port routed

# in/out going fragmentation attack
tcp && ip[6:2]&16383 != 0

#######
# IP
#
# all packets with more than 20 bytes of payload
(ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)) > 20

# ping of death attack
((ip[6] & 0x20 = 0) && (ip[6:2] & 0x1fff != 0)) && \
(65535 < (ip[2:2] + 8 * (ip[6:2] & 0x1fff)))

# more fragments bit is not set [but] the fragment offset is not zero
((ip[6:1] & 0x20 = 0) && (ip[6:2] & 0x1fff != 0))

# any packet with a header more than 20 bytes.
ip[0] & 0x0f  > 5

# any packet with more fragments set
ip[6] & 0x20 !=0

# packets with TTL's less than 5
ip[8] < 5

# source ip equal to destination ip [classic land attack]
ip[12:4] = ip[16:4]

# another, land attack
(tcp[0:2] = tcp[2:2]) && (ip[12:4] = ip[16:4])

# IP options
(ip[0] & 0x0f) != 5

# broadcasts to xxx.xxx.xxx.255 || xxx.xxx.xxx.0
(ip[19]=0xff) || (ip[19]=0x00)

# fragmented packet with zero offset
ip[6:2] & 0x1fff = 0

# and more fragments [terminal]
(ip[6] & 0x20 = 0) && (ip[6:2] & 0x1fff != 0)

# and even more fragments [intervening]
(ip[6] & 0x20 != 0) && (ip[6:2] & 0x1fff != 0)

# my head was fragmented [initially]
(ip[6] & 0x20 != 0) && (ip[6:2] & 0x1fff = 0)

# fragmented packets with more coming
ip[6:1] & 0x20 != 0

# more fragments bit is not set, [but] the fragment offset is not zero
(ip[6:1] & 0x20 = 0) && (ip[6:2] & 0x1fff != 0)

# unroutable addresses
not ((ip[12] < 3) || net 5 || net 10 || net 127 || net 172.16 \
|| net 192.168 || (ip[12] > 239))

# IP options
ip[0:1] & 0x0f > 5

# loose source routing, [(ip[0:1] & 0x0f > 5)]
# ip[20] opts:
#  7,0x44,0x83,0x89
#  record route,timestamp,loose source routing,strict source routing
# loose source routing
ip[20:1] & 0xff = 131

# other IP versions than ipv4
ip && (ip[0] & 0xf0 != 0x40)

#######
# ICMP
#
# fragmentation needed but DF flag set
(icmp[0] = 3) && (icmp[1] = 4)

# fragmented ICMP
icmp && (ip[6:1] & 0x20 != 0)

# in/out going smurf attack
icmp && (ip[19:1] = 255)

# in/out going fragmentation attack
icmp && ip[6:2] & 16383 != 0

# Loki Filter
((icmp[0] = 0) || (icmp[0] = 8)) && ((icmp[6:2] = 0xf001) || (icmp[6:2] = 0x01f0))

# ICMP address mask requests
icmp[0] = 17

# Frag required but DF set*
((icmp[0] = 3) && (icmp[1] = 4))

# source route failed
(icmp[0] = 3) && (icmp[1] = 5)

# all ICMP except ping
icmp && icmp[0] != 8 && icmp[0] != 0

# source quench        : icmp[0] = 4  
# redirect             : icmp[0] = 5  
# router advertisement : icmp[0] = 9  
# router solicitation  : icmp[0] = 10
# parameter problem    : icmp[0] = 12
# timestamp request    : icmp[0] = 13
# timestamp reply      : icmp[0] = 14
# information request  : icmp[0] = 15
# information reply    : icmp[0] = 16
# address mask request : icmp[0] = 17
# address mask reply   : icmp[0] = 18

#######
# UDP
#
# teardrop attack
udp && (ip[6:1] & 0x20 != 0)

# catch anything udp to port 500 udp
-n -vv udp && dst port 500

# catch udp packets with impossible udp lengths
(udp[4:2] < 8) || (udp[4:2] > 1500)

# back Orifice
-n -vv udp && dst port 31337

# UNIX traceroute destports between 33000 and 33999
(udp[2:2] >= 33000) && (udp[2:2] <= 33999)
# or alternatively..
udp[2:2] >= 33000 && udp[2:2] < 34000 && ip[8] = 1

# UDP port scan
udp && udp[0:2] = udp[2:2]
大隐于市

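Several of the rdrs.net filters above locate the TCP payload with `tcp[(tcp[12]>>2):n]` and compute its length as `ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)`, which works whatever options either header carries. As an added example (not rdrs.net's code), the following Python implements that arithmetic and the ssh-banner, ftp-banner, SYN-with-data and IRC-keepalive tests on constructed packets, plus a sound version of the "impossible UDP length" check: `udp[4:2]` is an unsigned field, so the `< 0` clause in the original can never match, and the check here compares the field against the 8-byte header minimum and the length the IP datagram actually carries. Function names, the sample banners and the packet builders are assumptions of this example.

```python
import struct

# Added example: payload-relative tcpdump arithmetic in Python.
# Packets start at the IPv4 header (no link layer); checksums stay zero.
# Function names and sample packets are constructed here, not from rdrs.net.

def ihl_bytes(pkt):
    """(ip[0] & 0x0f) << 2 : IPv4 header length in bytes."""
    return (pkt[0] & 0x0f) << 2

def tcp_hdr_bytes(pkt):
    """tcp[12] >> 2 : data offset (high nibble, 32-bit words) converted to bytes."""
    return pkt[ihl_bytes(pkt) + 12] >> 2

def tcp_flags(pkt):
    """tcp[13]"""
    return pkt[ihl_bytes(pkt) + 13]

def tcp_payload_len(pkt):
    """ip[2:2] - ((ip[0]&0x0f)<<2) - (tcp[12]>>2)"""
    total = int.from_bytes(pkt[2:4], "big")
    return total - ihl_bytes(pkt) - tcp_hdr_bytes(pkt)

def tcp_payload(pkt, n):
    """tcp[(tcp[12]>>2):n] : the first n bytes of TCP data, after any options."""
    start = ihl_bytes(pkt) + tcp_hdr_bytes(pkt)
    return pkt[start:start + n]

def is_ssh_banner(pkt):
    # tcp[(tcp[12]>>2):4] = 0x5353482D ("SSH-") followed by "1." or "2."
    return tcp_payload(pkt, 4) == b"SSH-" and tcp_payload(pkt, 6)[4:] in (b"1.", b"2.")

def is_ftp_banner(pkt):
    # 0x3232302d = "220-", 0x32323020 = "220 "
    return tcp_payload(pkt, 4) in (b"220-", b"220 ")

def is_syn_with_data(pkt):
    # tcp[13] & 0xff = 2 && payload length != 0
    return tcp_flags(pkt) == 0x02 and tcp_payload_len(pkt) != 0

def is_irc_keepalive(pkt):
    # the four words from the port-6667 filter, found via the data offset rather
    # than a fixed ip[32:4]; the filter itself negates this test
    return tcp_payload(pkt, 4) in (b"PING", b"PONG", b"JOIN", b"QUIT")

def udp_length_is_impossible(pkt):
    # udp[4:2] is unsigned, so "< 0" never matches; reject lengths below the
    # 8-byte UDP header or beyond what the IP datagram carries
    base = ihl_bytes(pkt)
    udp_len = int.from_bytes(pkt[base + 4:base + 6], "big")
    total = int.from_bytes(pkt[2:4], "big")
    return udp_len < 8 or udp_len > total - base

def _ipv4(proto, l4):
    """Constructed 20-byte IPv4 header (10.0.0.1 -> 10.0.0.2) in front of l4."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                       b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + l4

def build_tcp(flags, payload=b"", options=b""):
    """Constructed IPv4+TCP packet; options must be a multiple of 4 bytes."""
    assert len(options) % 4 == 0
    doff = 5 + len(options) // 4
    hdr = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, doff << 4, flags, 65535, 0, 0)
    return _ipv4(6, hdr + options + payload)

def build_udp(length_field, payload=b""):
    """Constructed IPv4+UDP packet with an arbitrary value in udp[4:2]."""
    return _ipv4(17, struct.pack("!HHHH", 40000, 53, length_field, 0) + payload)

if __name__ == "__main__":
    # SSH banner on PSH|ACK with an 8-byte option block (MSS + 4 NOPs), so the
    # data starts at tcp[28]; a fixed tcp[20:4] would read the options instead
    banner = build_tcp(0x18, b"SSH-2.0-OpenSSH_9.6\r\n",
                       options=b"\x02\x04\x05\xb4\x01\x01\x01\x01")
    print(tcp_hdr_bytes(banner), is_ssh_banner(banner), tcp_payload_len(banner))
    print(is_syn_with_data(build_tcp(0x02, b"GET /")), is_syn_with_data(build_tcp(0x02)))
    print(udp_length_is_impossible(build_udp(13, b"hello")), udp_length_is_impossible(build_udp(0)))
```

The banner packet is built with TCP options on purpose: its data offset is 7 words, so the payload begins at `tcp[28]`, and only the data-offset form of the expression finds it.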
