Feature #1566: ICMPv4 control channel detection

Added by Vlad Solontsov over 10 years ago. Updated over 6 years ago.

Status: New
Priority: Normal
Target version:
Effort:
Difficulty:
Label:

Description

I'm trying to find a way of detecting control channels over ICMP (ICMP shell and others).
As a proposal I would like to detect:
  • Unsolicited ECHO Reply
  • ECHO Reply with a different payload

If there are no such options (I'm pretty sure of it) I will be happy to try and contribute.
In this case I'd like someone experienced to validate the idea's details.

#1 Updated by Victor Julien over 10 years ago

You are correct. There is no specific detection for such cases. What do you have in mind?

#2 Updated by Vlad Solontsov over 10 years ago

First of all, on detection I would set up a flow to avoid any additional work for alerting on further traffic between src and dest.
Just have a rule to alert on all the ICMP traffic within a flow.

Secondly, it seems like I need a kind of transaction hash-map (I saw this kind of thing in DNS at the app level) with a copy of the initial Packet.

So, as far as I understand, when registering a module I need to initialize a hash-map (the key is to be based on src, dest, id and sequence number).
On receiving an ECHO Request/Reply, try to find and update the existing flow.
If there is no flow,
  • for a request I need to create a transaction, copy the packet and store the copy in the transaction.
  • for a reply I need to find a transaction and check the payload.
    • No transaction -- create a flow and raise an alert (return 1 from the detecting module)
    • Payload mismatch -- create a flow, add the initial packet for processing with the flow, update the flow for the current packet (drop the transaction)
    • No mismatch -- just drop the transaction.

Could you please comment on how reasonable it is, what the pitfalls with the threading model are, etc.?
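The transaction logic proposed in this comment, as an added stand-alone example (not code from this ticket or from Suricata): pending echo requests are keyed by (src, dst, id, seq), a reply is matched against the request that solicited it, and a missing transaction or a differing payload produces an alert name. The addresses, identifiers and payloads are constructed test data; the raw ICMP messages are built with a valid RFC 1071 checksum so the parser can also reject corrupted input.

```python
"""Constructed demo of tracking ICMP echo request/reply transactions."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build a raw ICMP echo message with a valid checksum (test data only)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


@dataclass(frozen=True)
class Echo:
    src: str
    dst: str
    icmp_type: int
    ident: int
    seq: int
    payload: bytes


def parse_echo(src: str, dst: str, raw: bytes) -> Optional[Echo]:
    """Decode an ICMP echo request/reply; returns None for anything else."""
    if len(raw) < 8:
        return None
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) or code != 0:
        return None
    # A valid message checksums to zero when the checksum field is included.
    if icmp_checksum(raw) != 0:
        return None
    return Echo(src, dst, icmp_type, ident, seq, raw[8:])


class EchoTracker:
    """Pending echo requests keyed by (src, dst, id, seq), as the comment proposes.

    The reply's key is built with src/dst swapped so it matches the request that
    solicited it.  A size cap evicts the oldest entries so a burst of unanswered
    requests cannot grow the table without bound (one of the threading/memory
    pitfalls the comment asks about).
    """

    def __init__(self, max_pending: int = 1024) -> None:
        self.max_pending = max_pending
        self.pending: Dict[Tuple[str, str, int, int], bytes] = {}

    def observe(self, pkt: Echo) -> Optional[str]:
        """Return an alert name for a suspicious reply, else None."""
        if pkt.icmp_type == ICMP_ECHO_REQUEST:
            key = (pkt.src, pkt.dst, pkt.ident, pkt.seq)
            self.pending[key] = pkt.payload
            while len(self.pending) > self.max_pending:
                # dicts keep insertion order: drop the oldest transaction
                self.pending.pop(next(iter(self.pending)))
            return None
        key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
        request_payload = self.pending.pop(key, None)
        if request_payload is None:
            return "unsolicited-echo-reply"
        if request_payload != pkt.payload:
            return "echo-reply-payload-mismatch"
        return None


def run_sample() -> List[Tuple[str, str, Optional[str]]]:
    """Feed constructed traffic through the tracker; returns (src, dst, alert)."""
    a, b, c = "10.0.0.5", "10.0.0.9", "203.0.113.7"  # constructed addresses
    traffic = [
        (a, b, build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"abcdefgh")),
        (b, a, build_echo(ICMP_ECHO_REPLY, 0x1234, 1, b"abcdefgh")),  # benign pair
        (a, b, build_echo(ICMP_ECHO_REQUEST, 0x1234, 2, b"abcdefgh")),
        (b, a, build_echo(ICMP_ECHO_REPLY, 0x1234, 2, b"XXXXXXXX")),  # payload differs
        (c, a, build_echo(ICMP_ECHO_REPLY, 0x0001, 7, b"beacon")),  # no request seen
    ]
    tracker = EchoTracker()
    results = []
    for src, dst, raw in traffic:
        pkt = parse_echo(src, dst, raw)
        results.append((src, dst, tracker.observe(pkt) if pkt else None))
    return results


if __name__ == "__main__":
    for src, dst, alert in run_sample():
        print(f"{src} -> {dst}: {alert or 'ok'}")
```

Running the script prints one line per constructed packet: the first two are quiet, the reply with a changed payload and the reply nobody asked for are named. In a real engine the same table would need per-thread ownership or locking and an age-based timeout in addition to the size cap, since a legitimate request may simply never be answered.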

#3 Updated by Vlad Solontsov over 10 years ago

Hi,

Sorry for chasing, but is the proposal completely wrong?

#4 Updated by Andreas Herz over 10 years ago

  • Assignee set to Anonymous

It's just still in the Queue :)

#5 Updated by Andreas Herz about 7 years ago

  • Assignee set to Community Ticket

#6 Updated by Victor Julien over 6 years ago

The flow tracking for (some) ICMP is now done. The rest of the logic will be non-trivial, as ICMP packets are not sent to the app-layer API where the DNS parser lives.
