网络入侵检测系统之Suricata(十)--ICMP实现详解

原创

于顾而言SASE

发布于 2024-03-20 09:55:29

770

发布于 2024-03-20 09:55:29

文章被收录于专栏：入侵检测系统入侵检测系统

ICMP协议

Common header

   0               1               2                               4
   0 1 2 3 4 5 6 7 8 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 0 1 2 3 4
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |     Code      |          Checksum             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             unused                            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Internet Header + 64 bits of Original Data Datagram      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

ICMPV4

Type:

#ifndef ICMP_ECHOREPLY
#define ICMP_ECHOREPLY          0       /* Echo Reply                   */
#endif

#ifndef ICMP_DEST_UNREACH
#define ICMP_DEST_UNREACH       3       /* Destination Unreachable      */
#endif

#ifndef ICMP_SOURCE_QUENCH
#define ICMP_SOURCE_QUENCH      4       /* Source Quench                */
#endif

#ifndef ICMP_REDIRECT
#define ICMP_REDIRECT           5       /* Redirect (change route)      */
#endif

#ifndef ICMP_ECHO
#define ICMP_ECHO               8       /* Echo Request                 */
#endif

#ifndef ICMP_ROUTERADVERT
#define ICMP_ROUTERADVERT       9
#endif

#ifndef ICMP_ROUTERSOLICIT
#define ICMP_ROUTERSOLICIT      10
#endif

#ifndef ICMP_TIME_EXCEEDED
#define ICMP_TIME_EXCEEDED      11      /* Time Exceeded                */
#endif

#ifndef ICMP_PARAMETERPROB
#define ICMP_PARAMETERPROB      12      /* Parameter Problem            */
#endif

#ifndef ICMP_TIMESTAMP
#define ICMP_TIMESTAMP          13      /* Timestamp Request            */
#endif

#ifndef ICMP_TIMESTAMPREPLY
#define ICMP_TIMESTAMPREPLY     14      /* Timestamp Reply              */
#endif

#ifndef ICMP_INFO_REQUEST
#define ICMP_INFO_REQUEST       15      /* Information Request          */
#endif

#ifndef ICMP_INFO_REPLY
#define ICMP_INFO_REPLY         16      /* Information Reply            */
#endif

#ifndef ICMP_ADDRESS
#define ICMP_ADDRESS            17      /* Address Mask Request         */
#endif

#ifndef ICMP_ADDRESSREPLY
#define ICMP_ADDRESSREPLY       18      /* Address Mask Reply           */
#endif

#ifndef NR_ICMP_TYPES
#define NR_ICMP_TYPES           18
#endif
Code:

/* Codes for Type3 UNREACH. */
#ifndef ICMP_NET_UNREACH
#define ICMP_NET_UNREACH        0       /* Network Unreachable          */
#endif
#ifndef ICMP_HOST_UNREACH
#define ICMP_HOST_UNREACH       1       /* Host Unreachable             */
#endif
#ifndef ICMP_PROT_UNREACH
#define ICMP_PROT_UNREACH       2       /* Protocol Unreachable         */
#endif
#ifndef ICMP_PORT_UNREACH
#define ICMP_PORT_UNREACH       3       /* Port Unreachable             */
#endif
#ifndef ICMP_FRAG_NEEDED
#define ICMP_FRAG_NEEDED        4       /* Fragmentation Needed/DF set  */
#endif
#ifndef ICMP_SR_FAILED
#define ICMP_SR_FAILED          5       /* Source Route failed          */
#endif
#ifndef ICMP_NET_UNKNOWN
#define ICMP_NET_UNKNOWN        6
#endif
#ifndef ICMP_HOST_UNKNOWN
#define ICMP_HOST_UNKNOWN       7
#endif
#ifndef ICMP_HOST_ISOLATED
#define ICMP_HOST_ISOLATED      8
#endif
#ifndef ICMP_NET_ANO
#define ICMP_NET_ANO            9
#endif
#ifndef ICMP_HOST_ANO
#define ICMP_HOST_ANO           10
#endif
#ifndef ICMP_NET_UNR_TOS
#define ICMP_NET_UNR_TOS        11
#endif
#ifndef ICMP_HOST_UNR_TOS
#define ICMP_HOST_UNR_TOS       12
#endif
#ifndef ICMP_PKT_FILTERED
#define ICMP_PKT_FILTERED       13      /* Packet filtered */
#endif
#ifndef ICMP_PREC_VIOLATION
#define ICMP_PREC_VIOLATION     14      /* Precedence violation */
#endif
#ifndef ICMP_PREC_CUTOFF
#define ICMP_PREC_CUTOFF        15      /* Precedence cut off */
#endif
#ifndef NR_ICMP_UNREACH
#define NR_ICMP_UNREACH         15      /* instead of hardcoding immediate value */
#endif

/* Codes for Type5 REDIRECT. */
#ifndef ICMP_REDIR_NET
#define ICMP_REDIR_NET          0       /* Redirect Net                 */
#endif
#ifndef ICMP_REDIR_HOST
#define ICMP_REDIR_HOST         1       /* Redirect Host                */
#endif
#ifndef ICMP_REDIR_NETTOS
#define ICMP_REDIR_NETTOS       2       /* Redirect Net for TOS         */
#endif
#ifndef ICMP_REDIR_HOSTTOS
#define ICMP_REDIR_HOSTTOS      3       /* Redirect Host for TOS        */
#endif

/* Codes for Type11 TIME_EXCEEDED. */
#ifndef ICMP_EXC_TTL
#define ICMP_EXC_TTL            0       /* TTL count exceeded           */
#endif
#ifndef ICMP_EXC_FRAGTIME
#define ICMP_EXC_FRAGTIME       1       /* Fragment Reass time exceeded */
#endif

ICMPV6

Type:

/** Error Messages: (type <128) */
#define ICMP6_DST_UNREACH           1
#define ICMP6_PACKET_TOO_BIG        2
#define ICMP6_TIME_EXCEEDED         3
#define ICMP6_PARAM_PROB            4

/** Informational Messages (type>=128) */
#define ICMP6_ECHO_REQUEST          128
#define ICMP6_ECHO_REPLY            129

#define MLD_LISTENER_QUERY          130
#define MLD_LISTENER_REPORT         131
#define MLD_LISTENER_REDUCTION      132

#define ND_ROUTER_SOLICIT           133
#define ND_ROUTER_ADVERT            134
#define ND_NEIGHBOR_SOLICIT         135
#define ND_NEIGHBOR_ADVERT          136
#define ND_REDIRECT                 137

#define ICMP6_RR                    138
#define ICMP6_NI_QUERY              139
#define ICMP6_NI_REPLY              140
#define ND_INVERSE_SOLICIT          141
#define ND_INVERSE_ADVERT           142
#define MLD_V2_LIST_REPORT          143
#define HOME_AGENT_AD_REQUEST       144
#define HOME_AGENT_AD_REPLY         145
#define MOBILE_PREFIX_SOLICIT       146
#define MOBILE_PREFIX_ADVERT        147
#define CERT_PATH_SOLICIT           148
#define CERT_PATH_ADVERT            149
#define ICMP6_MOBILE_EXPERIMENTAL   150
#define MC_ROUTER_ADVERT            151
#define MC_ROUTER_SOLICIT           152
#define MC_ROUTER_TERMINATE         153
#define FMIPV6_MSG                  154
#define RPL_CONTROL_MSG             155
#define LOCATOR_UDATE_MSG           156
#define DUPL_ADDR_REQUEST           157
#define DUPL_ADDR_CONFIRM           158
#define MPL_CONTROL_MSG             159
Code:

/** Destination Unreachable Message (type=1) Code: */

#define ICMP6_DST_UNREACH_NOROUTE       0 /* no route to destination */
#define ICMP6_DST_UNREACH_ADMIN         1 /* communication with destination */
                                          /* administratively prohibited */
#define ICMP6_DST_UNREACH_BEYONDSCOPE   2 /* beyond scope of source address */
#define ICMP6_DST_UNREACH_ADDR          3 /* address unreachable */
#define ICMP6_DST_UNREACH_NOPORT        4 /* bad port */
#define ICMP6_DST_UNREACH_FAILEDPOLICY  5 /* Source address failed ingress/egress policy */
#define ICMP6_DST_UNREACH_REJECTROUTE   6 /* Reject route to destination */


/** Time Exceeded Message (type=3) Code: */
#define ICMP6_TIME_EXCEED_TRANSIT     0 /* Hop Limit == 0 in transit */
#define ICMP6_TIME_EXCEED_REASSEMBLY  1 /* Reassembly time out */




/** Parameter Problem Message (type=4) Code: */
#define ICMP6_PARAMPROB_HEADER        0 /* erroneous header field */
#define ICMP6_PARAMPROB_NEXTHEADER    1 /* unrecognized Next Header */
#define ICMP6_PARAMPROB_OPTION        2 /* unrecognized IPv6 option */

ICMP内嵌

对于ICMPv4来说，当type为3--ICMP_DEST_UNREACH，4--ICMP_SOURCE_QUENCH，5--ICMP_REDIRECT，11--ICMP_TIME_EXCEEDED，12--ICMP_PARAMETERPROB时， ICMPv4可以内嵌IPv4+UDP/TCP/ICMPv4，来指示导致差错产生的原始报文IP，TCP/UDP头信息
同理，对于ICMPv6来说，当type为1--ICMP6_DST_UNREACH，2--ICMP6_PACKET_TOO_BIG，3--ICMP6_TIME_EXCEEDED，4--ICMP6_PARAM_PROB时，也可以内嵌IPv6+UDP/TCP/ICMPv6，来指示导致差错产生的原始头部信息

ICMP攻击

ICMPv6 Flood

alert icmp any any -> any any (msg:"ET DOS Microsoft Windows 7 ICMPv6 Router Advertisement Flood"; itype:134; icode:0; content:"|03|"; threshold:type threshold, track by_src, count 10, seconds 1; reference:url,http://www.samsclass.info/ipv6/proj/proj8x-124-flood-router.htm; classtype:attempted-dos; sid:2014996; )

ICMP Smurf Scan Smurf方式把源IP设置为受害者IP，然后向多台服务器发送ICMP报文（通常是ECHO请求），这些接收报文的服务器被报文欺骗，向受害者返回ECHO应答（Type=0），导致垃圾阻塞受害者的门口

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Broadscan Smurf Scanner"; dsize:4; icmp_id:0; icmp_seq:0; itype:8; classtype:attempted-recon; sid:2100478; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

ICMP Invalid checksum

alert icmp any any -> any any (msg:"SURICATA ICMPv4 invalid checksum"; icmpv4-csum:invalid; classtype:protocol-command-decode; sid:2200076; rev:2;) alert icmp any any -> any any (msg:"SURICATA ICMPv6 invalid checksum"; icmpv6-csum:invalid; classtype:protocol-command-decode; sid:2200079; rev:2;)

ICMP Redirct 利用这点可以进行攻击和网络窃听。如果目某主机A支持ICMP重定向，那么主机B发一个IMCP重定向给它，以后它发出的所有到指定地址的报文都会转发主机B，这样B就可以达到窃听目的了或者该主机按照黑客的要求来修改路由表。

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Redirect for TOS and Host"; icode:3; itype:5; classtype:misc-activity; sid:2100436; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)