Snort: “byte_test” for dummies

Recently a blog user asked why in in the Snort malware detection rules, when you want to detect the DNS query to certain suspicious domains, certain characters such as “byte_test:1, !&, 0xF8, 2;” are used as testing conditions. To explain let’s take as an example the following VRT rule for Gauss malware detection:

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain - Gauss"; flow:to_server; byte_test:1,!&,0xF8,2; 
content:"|13|bestcomputeradvisor|03|com|00|"; fast_pattern:only; metadata:impact_flag 
red, policy balanced-ips drop, policy security-ips drop, service dns; 
reference:url,; reference:url,

[Read more…]

Covert channels

(Please note this post was originally published in the Spanish version of Security Art Work last 26th Oct 2010)

Covert channels is an evasion technique that allows an attacker to send information using the communication protocols headers. In this post we will cover-up of channels in the TCP/IP protocols and provide a tool, CovertShell, designed as a proof of concept. The sources are at the end of this post.

The TCP/IP protocol has headers that usually are initialized by the client to maintain or number a communication. The technique covert channels uses these fields to assign them values ​​so the target machine does not interpret these fields as part of the communication, but to obtain data.

An interesting example was developed by Craig H. Rowland in his paper back in 1996: Covert Channels in the TCP/IP Protocol Suite, where he created a small client/server “CovertTCP” of no more than 500 lines that allowed file transfer between client and server, using for it only the fields SEQ, ACK (TCP protocol) and ID field (IP protocol). This information was on the protocol overhead and not in the payload.

[Read more…]

Auditing TCP stack with Scapy

Recently I have been playing with the library Scapy for Python. It allows to create any type of network packet with a few simple commands, even for non existing protocols making use of RAW packets.

Suppose we want to evaluate the behavior of the TCP stack when any combination of TCP flags is received. In order to do it, we need to send TCP packets to a given port using any combination of them.

Keep in mind that sending a packet with the SYN and ACK flags is the same as sending it with the flags ACK and SYN. Therefore it is necessary to generate any combination considering that the order does not affect the result and avoiding to send more packets than those strictly necessary.

[Read more…]