Snort rule to see Viber traffic

I need help with the following two questions, to create rules for Snort:
1. Generate an alert when network traffic that indicates Viber is being used.
2. Alert for any packet of size > 100 bytes from the network 172.20.0.0 with SNM 255.240.0.0 destined for port 80.

a. Taken from https://commons.erau.edu/cgi/viewcontent.cgi?article=1477&context=jdfsl
"The analysis carried out in the work covers up to the latest version of Viber 6.2.2 and all results were verified for both Android and iOS platforms."
"Viber usually communicates over UDP ports 7985, 7987, 5243 and 9785 for the voice calls."
You will want to write rules that detect TCP and UDP traffic on these ports. So something like this:
- alert udp any any -> $HOME_NET [7985,7987,5243,9785] (msg:"Viber Traffic"; sid:10000001; rev:1;)
b. Ensure your $HOME_NET is set up correctly in your snort.conf, i.e. which subnets you want to have under "home" ($HOME_NET). Snort takes the source network in CIDR form; 172.20.0.0 with SNM 255.240.0.0 is the 172.16.0.0/12 block, and a bare 172.20.0.0 would only match that single address:
- alert tcp 172.16.0.0/12 any -> $HOME_NET 80 (msg:"Traffic from the 172.20.0.0/255.240.0.0 network"; dsize:>100; sid:10000002; rev:1;)

Related

Kubernetes blocking random UDP requests

K8s won't allow external servers to push UDP packets from arbitrary ports to pods.
The RTSP protocol uses random UDP ports to push data for every frame.
RTSP-UDP initially connects to TCP port 554, and gets assigned a random UDP port between ~18000-25000 at every request.
Is there any way I can allow this without using hostNetwork? Something like opening a range of ports, or allowing all UDP traffic from outside the cluster?
To recreate:
ffplay <rtsp-url>
And use a network tool like tcpdump or Wireshark to probe the UDP packets.
You can expose plain TCP and UDP services using the standard nginx ingress controller; see the documentation.
Port ranges are not supported for Services. Here is a related issue on GitHub:
https://github.com/kubernetes/kubernetes/issues/23864

How to create content rule in Snort

The aim is to detect if anyone in the HOME_NET is searching for "terrorism" and generate an alert. I am using Snort 2.9 installed in a virtual machine (VirtualBox) running Ubuntu 18.04.
This same question was asked here but remains unanswered.
For testing purposes, HOME_NET is set to a single machine (192.168.30.102).
The created rule is as follows:
alert tcp $HOME_NET any -> any any (msg:"terrorism content found"; content:"terrorism"; nocase; sid:10000002;)
This is referred from the excellent video by Dr. Philip Craiger here.
A few other variations were also attempted, as suggested here and here:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"terrorism content found"; content:"terrorism"; nocase; sid:10000002;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"terrorism content found"; content:"terrorism"; http_uri; sid:10000002;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"terrorism content found"; content:"terrorism"; http_client_body; sid:10000002;)
For testing, a simple Google search was done in the web browser (Firefox).
However, no alerts are generated.
The rule to detect the word "HTTP" executed properly:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP found"; content:"HTTP"; sid:10000002;)
This is a fairly simple rule because 'HTTP' is the first word in the packet application data. However, none of the variations of the previous rule described above seems to be working; alerts are not generated.
I would appreciate if anyone could point me in the right direction.
For future reference:
Google, as well as most other web search engines, runs over an HTTPS connection. Hence the application-layer payload is encrypted and cannot be parsed by Snort.
Snort can only be applied to unencrypted packets.
Further detail regarding this can be found here.
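The following is an added example, not code from either of the answers above or from Snort itself. It re-implements, in plain Python, the rule logic that both Snort questions on this page turn on: the header match with a source network given as address plus subnet mask (which is why 172.20.0.0 with SNM 255.240.0.0 must become 172.16.0.0/12 in a rule), the `dsize` option, and `content` matching against the raw payload versus the `http_uri` and `http_client_body` buffers. It then runs those checks over constructed packets, including a made-up TLS application-data record standing in for an HTTPS search, to show why the content rules above could never fire on Google traffic. All function names, packets and payloads are assumptions invented for this demo; the Viber port list is the one quoted from the JDFSL paper, and the HTTP buffer split is a simplification of Snort's normalized buffers.

```python
"""Mini evaluator for the Snort rule logic discussed on this page.

Added example, not Snort code. All packets below are constructed for the
demo and were not captured from a real network.
"""
import ipaddress
from dataclasses import dataclass

VIBER_UDP_PORTS = {7985, 7987, 5243, 9785}  # ports quoted from the JDFSL paper


@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes  # application-layer data only (what dsize/content look at)


def network_from_mask(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Convert 'network address + subnet mask' into the CIDR block Snort wants.
    strict=False clears the host bits, so 172.20.0.0/255.240.0.0 -> 172.16.0.0/12."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def header_matches(pkt: Packet, proto: str, src_net: ipaddress.IPv4Network, dports) -> bool:
    """alert <proto> <src_net> any -> any <dports>   (dports is a set or "any")"""
    return (pkt.proto == proto
            and ipaddress.IPv4Address(pkt.src) in src_net
            and (dports == "any" or pkt.dport in dports))


def dsize_gt(pkt: Packet, n: int) -> bool:
    """dsize:>n compares the length of the application-layer payload."""
    return len(pkt.payload) > n


def content_match(buf: bytes, pattern: bytes, nocase: bool = False) -> bool:
    """content:"pattern"; [nocase;] evaluated against a single buffer."""
    if nocase:
        return pattern.lower() in buf.lower()
    return pattern in buf


def http_buffers(payload: bytes):
    """Split a plaintext HTTP request into the (uri, body) buffers that
    http_uri and http_client_body select. Both are empty when the payload
    is not an HTTP request, e.g. when it is a TLS record."""
    head, _, body = payload.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return b"", b""
    return parts[1], body


def viber_alert(pkt: Packet) -> bool:
    """alert udp any any -> $HOME_NET [7985,7987,5243,9785]"""
    return header_matches(pkt, "udp", ipaddress.IPv4Network("0.0.0.0/0"), VIBER_UDP_PORTS)


def big_packet_from_172_20(pkt: Packet) -> bool:
    """alert tcp 172.20.0.0/255.240.0.0 any -> any 80 (dsize:>100;)"""
    src_net = network_from_mask("172.20.0.0", "255.240.0.0")
    return header_matches(pkt, "tcp", src_net, {80}) and dsize_gt(pkt, 100)


def terrorism_alerts(pkt: Packet) -> dict:
    """Which of the three 'terrorism' rule variants fire on this packet."""
    uri, body = http_buffers(pkt.payload)
    return {
        "raw_nocase": content_match(pkt.payload, b"terrorism", nocase=True),
        "http_uri": content_match(uri, b"terrorism"),          # no nocase in the rule
        "http_client_body": content_match(body, b"terrorism"),  # no nocase in the rule
    }


# Constructed sample traffic (hypothetical addresses and payloads).
GET_SEARCH = Packet("tcp", "192.168.30.102", "203.0.113.10", 51000, 80,
                    b"GET /search?q=Terrorism HTTP/1.1\r\nHost: example.test\r\n\r\n")
POST_SEARCH = Packet("tcp", "192.168.30.102", "203.0.113.10", 51001, 80,
                     b"POST /search HTTP/1.1\r\nHost: example.test\r\n"
                     b"Content-Length: 11\r\n\r\nq=terrorism")
# The same search over HTTPS: a TLS application-data record (type 0x17) whose
# payload is ciphertext; the bytes are made up, the point is that the keyword is absent.
TLS_RECORD = Packet("tcp", "192.168.30.102", "203.0.113.10", 51002, 443,
                    bytes([0x17, 0x03, 0x03, 0x00, 0x20]) + bytes(range(0x20)))
VIBER_CALL = Packet("udp", "198.51.100.7", "192.168.30.102", 40000, 7987, b"\x00" * 60)
BIG_172 = Packet("tcp", "172.20.5.9", "192.168.30.102", 40001, 80, b"A" * 150)
SMALL_172 = Packet("tcp", "172.31.255.1", "192.168.30.102", 40002, 80, b"A" * 100)
OUTSIDE_172 = Packet("tcp", "172.32.0.1", "192.168.30.102", 40003, 80, b"A" * 150)

if __name__ == "__main__":
    print("CIDR for 172.20.0.0/255.240.0.0:", network_from_mask("172.20.0.0", "255.240.0.0"))
    for name, pkt in [("GET", GET_SEARCH), ("POST", POST_SEARCH), ("TLS", TLS_RECORD)]:
        print(name, terrorism_alerts(pkt))
```

Two details worth noticing in the output: the GET search only fires the raw `nocase` rule because the page's `http_uri` variant has no `nocase` and the query string is capitalized, and the POST search fires the `http_client_body` variant but not `http_uri`, since the keyword is in the body rather than the request line. The TLS record fires nothing at all, which is the situation the answer above describes.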

How to reserve a TCP source port on Linux?

I'm working on a simple traffic tunneling solution (Linux).
The client side creates a tun interface, routes all traffic through it, packages all arriving packets and sends them to the server side via a UDP or TCP connection.
The server side is expected to work like NAT: change the source IP address and source port (for TCP/UDP), put the packet on the external network interface via SOCK_RAW, listen for the response via SOCK_RAW, keep a map of original-source-port <-> replaced-source-port and send responses back to the client.
The question is: how should I choose the replaced source port? The OS chooses them from the ephemeral ports. I can't choose it myself; it would cause conflicts. The OS kernel chooses the port after I send the packet via SOCK_RAW, so I have no chance to build the original-source-port <-> replaced-source-port map. Even if I choose the port myself, the OS kernel will reply with a TCP RST to all incoming TCP packets whose destination port is not associated with a particular app.
P.S. I'm not sure about the overall solution for tunneling either. Your suggestions would be highly appreciated.

How to send a TCP packet to an iPhone instead of an ICMP packet

I am trying to routinely check whether my iPhone is on my local network. When the phone goes to sleep it quits responding to simple pings. I have read that it will wake up when sent a TCP packet. Is there a way in Linux to send a TCP packet to an iPhone simply to wake it up long enough to respond to a regular ping?
For sending a TCP packet you will need a port; for example, you could use netcat:
$ echo 1 | nc <iphone ip> 80
You will now need to find out what ports are open on your iPhone and try one of those.
Keep in mind that ping has no concept of ports (ICMP is layer 3); that's why you can use it without specifying a port.

Capturing TCP packet flow

Problem statement:
Suppose a parent server is hosted on a machine with IP 1.1.1.1 and that server sometimes communicates with three different servers, say A (1.1.1.2), B (1.1.1.3) and C (1.1.1.4). Those servers may be database servers or any other servers.
Now from your browser you can send an HTTP request to 1.1.1.1/somePage.htm; as a result some TCP packets will go to the server 1.1.1.1, and 1.1.1.1 can send and receive some TCP packets from A, B and C as well.
The aim is to get the information of all TCP packets from the browser machine, without installing any agent software on any of the servers.
One solution is that we write code on the 1.1.1.1 server machine that filters all the TCP packets by the respective IPs. But I don't want that solution.
Is there any way to solve this? Is it possible to introduce a new protocol for this? But the server code can't be modified.
Does "any agent software" include something like Wireshark? Usually the way to look at all datagrams received is by using a sniffer like Wireshark, or you can use tcpdump on Linux servers.
You can also use Netfilter to handle received packets on the server and take certain actions on them.
If all of the above is included in what you don't want to do, the only alternative I see is to add another server in the middle between the browser and the web server (or between the server and a load balancer, if you have one) that acts only as a router or bridge. On that machine you can inspect and filter TCP segments with all the available tools.