Monday, October 26, 2015

HOWTO : Detect and Prevent ICMP Tunnel Attack on Suricata

Recently, I read an article about ICMP tunnel attacks. It demonstrates how to upload a file over the ICMP protocol by encoding its content with Base64.

There is a Suricata rule for detecting large ICMP packets, but it is currently disabled by default (as of Oct 26, 2015):

#alert icmp any any -> any any (msg:"GPL ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:1000029; rev:5;)

We can enable it by removing the "#" in front of the rule and changing the action from "alert" to "drop".

However, it does not identify the packets that carry Base64-encoded content. Based on the previous rule, I drafted the following Suricata rule with the "drop" action:

drop icmp any any -> any any (msg:"LOCAL ICMP Large ICMP Packet (Base64)"; dsize:>800; content:"="; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; reference:url,www.notsosecure.com/2015/10/15/icmp-tunnels-a-case-study/; classtype:bad-unknown; sid:1000028; rev:1;)
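To check what the two rules above actually match before deploying them, here is an added Python model of their logic (my example, not Suricata itself or the original article's code): the dsize threshold, the content match and the anchored PCRE are taken from the rules, and the ICMP payloads are constructed locally to stand in for captured traffic.

```python
import base64
import re

# Thresholds and patterns copied from the two Suricata rules above.
DSIZE_THRESHOLD = 800          # dsize:>800
BASE64_RE = re.compile(
    rb"^(?:[A-Za-z0-9+/]{4})*"
    rb"(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$"
)


def large_icmp(payload: bytes) -> bool:
    """Logic of the GPL rule: fires on any ICMP payload larger than 800 bytes."""
    return len(payload) > DSIZE_THRESHOLD


def large_base64_icmp(payload: bytes) -> bool:
    """Logic of the drafted rule: large payload, contains '=', and the whole
    payload is one Base64 string (the pcre is anchored with ^ and $)."""
    return (
        len(payload) > DSIZE_THRESHOLD
        and b"=" in payload                       # content:"="
        and BASE64_RE.match(payload) is not None  # pcre:"/^...$/"
    )


def classify(payload: bytes) -> str:
    """Return the msg of the most specific rule that would fire, or 'no match'."""
    if large_base64_icmp(payload):
        return "LOCAL ICMP Large ICMP Packet (Base64)"
    if large_icmp(payload):
        return "GPL ICMP Large ICMP Packet"
    return "no match"


# Constructed sample payloads (not real captures).
PING_DEFAULT = bytes(56)                          # size of a default Linux ping payload
EXFIL_CHUNK = base64.b64encode(b"A" * 700)        # 936 chars, ends in "==": both rules apply
LARGE_BINARY = bytes(range(256)) * 4              # 1024 raw bytes: only the GPL rule applies
UNPADDED = base64.b64encode(b"A" * 750)           # 1000 chars, no "=": content match fails,
                                                  # so only the GPL rule applies (tuning note)

if __name__ == "__main__":
    for name, payload in [("ping", PING_DEFAULT), ("exfil", EXFIL_CHUNK),
                          ("binary", LARGE_BINARY), ("unpadded", UNPADDED)]:
        print(f"{name:9} len={len(payload):5}  ->  {classify(payload)}")
```

The unpadded case is why the second rule is best kept alongside the first rather than replacing it: only input lengths that are not a multiple of three produce the "=" the content match depends on.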

That's all! See you.