Feature #1566 (open)
ICMPv4 control channel detection
Description
As a proposal I would like to detect:
- Unsolicited ECHO Reply
- ECHO Reply with different payload
If there are no such options (I'm pretty sure of it), I will be happy to try and contribute.
In that case I'd like someone experienced to validate the details of the idea.
Updated by Victor Julien over 9 years ago
You are correct. There is no specific detection for such cases. What do you have in mind?
Updated by Vlad Solontsov over 9 years ago
First of all, by detecting I would set up a flow to avoid any additional work for alerting on further traffic between src and dest.
Just have a rule to alert on all the ICMP traffic within a flow.
Secondly, it seems like I need a kind of transaction hash map (I saw this kind of thing in DNS at the app level) with a copy of the initial packet.
So, as far as I understand, at module registration I need to initialize a hash map (the key is to be based on src, dest, id and sequence number). On receiving an ECHO Request/Reply, try to find and update an existing flow.
If there is no flow,
- for a request I need to create a transaction, copy the packet and store the copy in the transaction.
- for a reply I need to find a transaction and check the payload.
- No transaction -- create a flow and raise an alert (return 1 from the detecting module)
- Payload mismatch -- create a flow, add the initial packet for processing with the flow, update the flow for the current packet (drop the transaction)
- No mismatch -- just drop the transaction.
Could you please comment on how reasonable it is, what the pitfalls with the threading model are, etc.?
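The request/reply pairing sketched in the comment above, as an added example that is not part of this thread and not Suricata code: a standalone Python tracker keyed on (requester, responder, id, seq) that stores the request payload, flags an echo reply with no matching request as unsolicited, flags a reply whose payload differs from the request, and, once a host pair is flagged, alerts on every further ICMP packet between them without doing any more matching. The ICMP checksum helper, the addresses and the packet sequence are constructed for the example; the alert strings are assumed names, not Suricata signature IDs.

```python
import struct
from dataclasses import dataclass

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


@dataclass
class IcmpEcho:
    src: str
    dst: str
    icmp_type: int
    ident: int
    seq: int
    payload: bytes


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a message whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Serialise an ICMPv4 echo request/reply (code 0) with a correct checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp_echo(src: str, dst: str, raw: bytes):
    """Parse an ICMPv4 message; return an IcmpEcho for echo request/reply, None for other types."""
    if len(raw) < 8:
        raise ValueError("ICMP header truncated")
    if icmp_checksum(raw) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) or code != 0:
        return None
    return IcmpEcho(src, dst, icmp_type, ident, seq, raw[8:])


class EchoTracker:
    """Pairs echo replies with the request that solicited them."""

    def __init__(self):
        self.pending = {}    # (requester, responder, id, seq) -> request payload
        self.flagged = set()  # host pairs already flagged; every further ICMP packet alerts

    @staticmethod
    def txn_key(pkt: IcmpEcho):
        # Direction-normalised so a reply's (dst, src) equals the request's (src, dst).
        if pkt.icmp_type == ICMP_ECHO_REQUEST:
            return (pkt.src, pkt.dst, pkt.ident, pkt.seq)
        return (pkt.dst, pkt.src, pkt.ident, pkt.seq)

    @staticmethod
    def flow_key(pkt: IcmpEcho):
        return frozenset((pkt.src, pkt.dst))

    def process(self, pkt: IcmpEcho):
        """Return the alerts raised for this packet (empty list when benign)."""
        flow = self.flow_key(pkt)
        if flow in self.flagged:
            return ["icmp in flagged flow"]  # no matching work once the flow is flagged
        key = self.txn_key(pkt)
        if pkt.icmp_type == ICMP_ECHO_REQUEST:
            self.pending[key] = pkt.payload     # open the transaction with a copy of the payload
            return []
        expected = self.pending.pop(key, None)  # reply: close the transaction either way
        if expected is None:
            self.flagged.add(flow)
            return ["unsolicited echo reply"]
        if expected != pkt.payload:
            self.flagged.add(flow)
            return ["echo reply payload mismatch"]
        return []


def run_demo():
    """Replay a constructed packet sequence and return the alerts raised per packet."""
    a, b, c = "10.0.0.1", "10.0.0.2", "10.0.0.3"  # constructed addresses
    packets = [
        (a, b, build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"abcdefgh")),
        (b, a, build_echo(ICMP_ECHO_REPLY, 0x1234, 1, b"abcdefgh")),   # benign pair
        (a, b, build_echo(ICMP_ECHO_REQUEST, 0x1234, 2, b"abcdefgh")),
        (b, a, build_echo(ICMP_ECHO_REPLY, 0x1234, 2, b"id;whoami")),  # payload swapped on the way back
        (b, a, build_echo(ICMP_ECHO_REPLY, 0x1234, 3, b"ignored")),    # pair already flagged
        (c, a, build_echo(ICMP_ECHO_REPLY, 0x0042, 7, b"beacon")),     # nobody asked c anything
    ]
    tracker = EchoTracker()
    return [tracker.process(parse_icmp_echo(src, dst, raw)) for src, dst, raw in packets]


if __name__ == "__main__":
    for alerts in run_demo():
        print(alerts or "ok")
```

The tracker never expires `pending` entries, so unanswered requests accumulate; a real implementation needs a timeout on transactions, and the flow key here is an unordered host pair, which is coarser than a per-flow key that also carries the ICMP id.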
Updated by Vlad Solontsov about 9 years ago
Hi,
Sorry for chasing, but is the proposal completely wrong?
Updated by Andreas Herz almost 9 years ago
- Assignee set to Anonymous
It's just still in the Queue :)
Updated by Victor Julien about 5 years ago
The flow tracking for (some) ICMP is now done. The rest of the logic will be non-trivial, as ICMP packets are not sent to the app-layer API where the DNS parser lives.