michael_b

IGMP protocol not supported

9 posts in this topic

Good guide, however less clearly explained than the Snort setup guide. After completing the guide, all rules are DISABLED, you have to add the complete list of classifications in the enablesid.conf, before rules become enabled. But that helps in learning how it works, so thanks!

However, the real issue I'm having is that the igmp protocol doesn't seem to be supported. Upon testing Snort, I receive an error:

Invalid protocol name for
"ip_proto" rule option: "igmp".

Therefore, I have disabled these rules in my disable.conf (pcre:ip_proto:igmp). Any idea how to enable support for the igmp protocol? (21 rules are disabled by this regular expression, so it is not such a big deal, but still).


UPDATE: Hmm, it's pretty strange, because Snort doesn't throw an error on 'ip_proto:2', even though that is exactly the same as saying 'ip_proto:igmp'. Maybe a very small issue in the protocol number to name link? Can that link be changed manually?

Edited by michael_b


Ok, found the cause. It seems on Windows there is a protocols file: C:\Windows\System32\drivers\etc\protocol

It didn't contain number 2 ;). 


And in response to my comment about the fact that all rules are disabled by default, it seems to be more complicated than that. I don't quite understand how the pulledpork conf (ips_policy) and the snort.conf work together. However, that is more a pulledpork issue, so I asked the question on the users list: http://sourceforge.net/p/snort/mailman/snort-users/thread/DUB119-W52031FD174234DE21E7744A5EA0%40phx.gbl/#msg34041805.


I'm not really sure about these items as I haven't used PP in a very long time. I usually pull it up when something goes wrong to fix it.

1) You are saying that running the test for Snort 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1 -T' produces this error:

Invalid protocol name for
"ip_proto" rule option: "igmp".

I ran the test (d:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1 -T) and am not seeing this error?

You said there is something missing in the 'C:\Windows\System32\drivers\etc\protocol' file:

It didn't contain number 2

Here is the file:

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This file contains the Internet protocols as defined by various
# RFCs.  See http://www.iana.org/assignments/protocol-numbers 
#
# Format:
#
# <protocol name>  <assigned number>  [aliases...]   [#<comment>]

ip         0     IP           # Internet protocol
icmp       1     ICMP         # Internet control message protocol
ggp        3     GGP          # Gateway-gateway protocol
tcp        6     TCP          # Transmission control protocol
egp        8     EGP          # Exterior gateway protocol
pup        12    PUP          # PARC universal packet protocol
udp        17    UDP          # User datagram protocol
hmp        20    HMP          # Host monitoring protocol
xns-idp    22    XNS-IDP      # Xerox NS IDP
rdp        27    RDP          # "reliable datagram" protocol
ipv6       41    IPv6         # Internet protocol IPv6
ipv6-route 43    IPv6-Route   # Routing header for IPv6
ipv6-frag  44    IPv6-Frag    # Fragment header for IPv6
esp        50    ESP          # Encapsulating security payload
ah         51    AH           # Authentication header
ipv6-icmp  58    IPv6-ICMP    # ICMP for IPv6
ipv6-nonxt 59    IPv6-NoNxt   # No next header for IPv6
ipv6-opts  60    IPv6-Opts    # Destination options for IPv6
rvd        66    RVD          # MIT remote virtual disk

What exactly needs to be added?

igmp       2     IGMP         # Internet Group Management Protocol

Is this something that should be included? I can automatically search the 'C:\Windows\System32\drivers\etc\protocol' file when the modder.vbs runs, and add the setting if it's missing.

As a note: PP is an extremely powerful rule management tool, and it's been my experience that asking a question in the snort-users group will get answers faster than in the pulledpork-users group.


Hello Morpheus,

1) As I didn't know yet how the enablesid.conf and the ips_policy exactly worked together with the snort.conf, I enabled all rules for my first tests. (I enabled them all through the enablesid.conf, by adding all possible classifications: preprocessor, protocol-ftp, blacklist, etc.)

Now if you do that, there are about 24095 rules that become enabled. 25 of them concern the IGMP protocol. Snort knows about this protocol, but apparently it needs the number (2 in this case). Two out of the 25 rules were specified with 'igmp' (not the number); Snort looks at the Windows protocols file to translate it to a protocol number. The problem was that not all protocol numbers are included by default in that file. So yes, I think it would be good to add that in the modder.vbs.

By the way, I also had to add '132' (SCTP). It's possible that in future updates, other protocol numbers will be necessary (http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)

2) Yes, I've posted two questions in the snort users list today, and received an answer maximum 30 minutes later. The link between PulledPork and Snort is becoming very clear. 

Thanks for these guides, you must have put a lot of work in them.

Edited by Morpheus
Fixed the URL link


Ok, thanks. I have added both protocols to the modder.vbs file that will activate on the first reboot.

igmp       2     IGMP         # Internet Group Management Protocol
sctp       132   SCTP         # Stream Control Transmission Protocol


Hello Morpheus,

1) As I didn't know yet how the enablesid.conf and the ips_policy exactly worked together with the snort.conf, I enabled all rules for my first tests. (I enabled them all through the enablesid.conf, by adding all possible classifications: preprocessor, protocol-ftp, blacklist, etc.)

Can you post your enablesid.conf that enables all the rules?

Edited by Morpheus
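The fix agreed on in this thread (adding the missing igmp and sctp lines to the Windows protocols file) is the kind of check that can be scripted instead of done by hand. The script below is an added example and is not part of this thread, the WinIDS guide, or the modder.vbs file; it is written in Python rather than VBScript so it can be run anywhere. It parses a protocols file in the format quoted above, resolves an ip_proto token the way michael_b observed Snort does (a numeric token passes straight through, a name is looked up in the file), reports which required entries are missing, and returns the file text with those lines appended. The sample file content is constructed from the listing quoted in the thread with the two lines in question left out; the REQUIRED list and the helper names are assumptions of this example.

```python
"""Check a Windows-style 'protocol' file (C:\\Windows\\System32\\drivers\\etc\\protocol)
for the IP protocol numbers that Snort rules reference by name, and produce the
repaired file text. Added example; not code from the thread or from modder.vbs."""

# Constructed sample: an excerpt of the Windows file as quoted in the thread,
# deliberately without the igmp (2) and sctp (132) lines.
SAMPLE_PROTOCOL_FILE = """\
# Copyright (c) 1993-2006 Microsoft Corp.
#
# <protocol name>  <assigned number>  [aliases...]   [#<comment>]

ip         0     IP           # Internet protocol
icmp       1     ICMP         # Internet control message protocol
ggp        3     GGP          # Gateway-gateway protocol
tcp        6     TCP          # Transmission control protocol
udp        17    UDP          # User datagram protocol
ipv6       41    IPv6         # Internet protocol IPv6
esp        50    ESP          # Encapsulating security payload
ah         51    AH           # Authentication header
"""

# Entries the thread found missing on Windows (assumed list for this example):
# (name, IANA protocol number, alias, comment).
REQUIRED = [
    ("igmp", 2, "IGMP", "Internet Group Management Protocol"),
    ("sctp", 132, "SCTP", "Stream Control Transmission Protocol"),
]


def parse_protocols(text):
    """Return {name_lower: number} for every name and alias in the file,
    mirroring what a getprotobyname() lookup can see."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or not fields[1].isdigit():
            continue  # malformed line: skip rather than fail the whole parse
        number = int(fields[1])
        for name in [fields[0]] + fields[2:]:
            table[name.lower()] = number
    return table


def resolve_ip_proto(text, token):
    """Resolve an ip_proto rule-option token as described in the thread:
    a numeric token is used as-is, a name is looked up in the protocols file.
    Returns None when the name is not in the file (the case Snort rejects)."""
    if token.isdigit():
        return int(token)
    return parse_protocols(text).get(token.lower())


def missing_entries(text):
    """The REQUIRED entries that are absent from the file, by name and by number."""
    table = parse_protocols(text)
    numbers = set(table.values())
    return [e for e in REQUIRED if e[0] not in table and e[1] not in numbers]


def format_entry(entry):
    """Render one entry in the file's own column layout."""
    name, number, alias, comment = entry
    return f"{name:<10} {number:<5} {alias:<12} # {comment}"


def fixed_file(text):
    """Return the file text with any missing REQUIRED entries appended."""
    extra = [format_entry(e) for e in missing_entries(text)]
    if not extra:
        return text
    return text.rstrip("\n") + "\n" + "\n".join(extra) + "\n"


if __name__ == "__main__":
    print("igmp before fix:", resolve_ip_proto(SAMPLE_PROTOCOL_FILE, "igmp"))
    repaired = fixed_file(SAMPLE_PROTOCOL_FILE)
    print("igmp after fix: ", resolve_ip_proto(repaired, "igmp"))
    print(repaired)
```

To check a real system, read the actual file into `text` instead of the constructed sample and write `fixed_file(text)` back only if `missing_entries(text)` is non-empty; the function is idempotent, so running it on an already repaired file changes nothing.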


Sure, I think I got it from the snort archive, a reply to a question of yours. I commented out the full list, and enabled only some of them. If you remove the enabled items and then uncomment them all, all my rules become enabled.

# example enablesid.conf v3.1

# SPECIAL NOTE, if you use the -R flag, the rule(s) specified in this file 
# will be set back to their ORIGINAL state as it was read when they were 
# originally extracted from the source tarball!

# Example of modifying state for individual rules
# 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010

# Example of modifying state for rule ranges
# 1:220-1:3264,3:13010-3:13013

# Comments are allowed in this file, and can also be on the same line
# As the modify state syntax, as long as it is a trailing comment
# 1:1011 # I Disabled this rule because I could!

# Example of modifying state for MS and cve rules, note the use of the : 
# in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301,
# and all MS00 and all cve 2000 related sids!  These support regular expression
# matching only after you have specified what you are looking for, i.e. 
# MS00-<regex> or cve:<regex>, the first section CANNOT contain a regular
# expression (MS\d{2}-\d+) will NOT work, use the pcre: keyword (below)
# for this.
# MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+

# Example of using the pcre: keyword to modify rulestate.  the pcre keyword 
# allows for full use of regular expression syntax, you do not need to designate
# with / and all pcre searches are treated as case insensitive. For more information 
# about regular expression syntax: http://www.regular-expressions.info/
# The following example modifies state for all MS07 through MS10 
# pcre:MS(0[7-9]|10)-\d+

# Example of modifying state for specific categories entirely (see README.CATEGORIES)
# VRT-web-iis,ET-shellcode,ET-emergingthreats-smtp,Custom-shellcode,Custom-emergingthreats-smtp

# Any of the above values can be on a single line or multiple lines, when 
# on a single line they simply need to be separated by a ,
# 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233

# The modifications in this file are for sample/example purposes only and
# should not actively be used, you need to modify this file to fit your 
# environment.

preprocessor
protocol-ftp
server-iis
server-mssql
server-mysql
os-windows
malware-backdoor
malware-cnc
malware-other
malware-tools
browser-chrome
browser-firefox
browser-id
browser-other
exploit-kit
blacklist

#full list:
#app-detect
#blacklist
#browser-chrome
#browser-firefox
#browser-ie
#browser-other
#browser-plugins
#browser-webkit
#content-replace
#decoder
#dos
#exploit-kit
#file-executable
#file-flash
#file-identify
#file-image
#file-java
#file-multimedia
#file-office
#file-other
#file-pdf
#indicator-compromise
#indicator-obfuscation
#indicator-scan
#indicator-shellcode
#malware-backdoor
#malware-cnc
#malware-other
#malware-tools
#netbios
#os-linux
#os-mobile
#os-other
#os-solaris
#os-windows
#policy-multimedia
#policy-other
#policy-social
#policy-spam
#preprocessor
#protocol-dns
#protocol-finger
#protocol-ftp
#protocol-icmp
#protocol-imap
#protocol-nntp
#protocol-pop
#protocol-rpc
#protocol-scada
#protocol-services
#protocol-snmp
#protocol-telnet
#protocol-tftp
#protocol-voip
#pua-adware
#pua-other
#pua-p2p
#pua-toolbars
#server-apache
#server-iis
#server-mail
#server-mssql
#server-mysql
#server-oracle
#server-other
#server-samba
#server-webapp
#sql
#x11

I can post a screenshot of the amount of enabled rules in the PulledPork command line later today if you wish.

I use the following command to update the rules without re-downloading:

perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -T -nP


Edited by michael_b


It appears all that is needed is to add each of the rules file into the enablesid.conf file?

If I remember right there is a global way to do this without having to add a list of rules?

Thanks...

Edited by Morpheus


Using the following exact enablesid.conf enables all rules (with 5 exceptions):

# example enablesid.conf v3.1

# SPECIAL NOTE, if you use the -R flag, the rule(s) specified in this file 
# will be set back to their ORIGINAL state as it was read when they were 
# originally extracted from the source tarball!

# Example of modifying state for individual rules
# 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010

# Example of modifying state for rule ranges
# 1:220-1:3264,3:13010-3:13013

# Comments are allowed in this file, and can also be on the same line
# As the modify state syntax, as long as it is a trailing comment
# 1:1011 # I Disabled this rule because I could!

# Example of modifying state for MS and cve rules, note the use of the : 
# in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301,
# and all MS00 and all cve 2000 related sids!  These support regular expression
# matching only after you have specified what you are looking for, i.e. 
# MS00-<regex> or cve:<regex>, the first section CANNOT contain a regular
# expression (MS\d{2}-\d+) will NOT work, use the pcre: keyword (below)
# for this.
# MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+

# Example of using the pcre: keyword to modify rulestate.  the pcre keyword 
# allows for full use of regular expression syntax, you do not need to designate
# with / and all pcre searches are treated as case insensitive. For more information 
# about regular expression syntax: http://www.regular-expressions.info/
# The following example modifies state for all MS07 through MS10 
# pcre:MS(0[7-9]|10)-\d+

# Example of modifying state for specific categories entirely (see README.CATEGORIES)
# VRT-web-iis,ET-shellcode,ET-emergingthreats-smtp,Custom-shellcode,Custom-emergingthreats-smtp

# Any of the above values can be on a single line or multiple lines, when 
# on a single line they simply need to be separated by a ,
# 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233

# The modifications in this file are for sample/example purposes only and
# should not actively be used, you need to modify this file to fit your 
# environment.

app-detect
blacklist
browser-chrome
browser-firefox
browser-ie
browser-other
browser-plugins
browser-webkit
content-replace
decoder
dos
exploit-kit
file-executable
file-flash
file-identify
file-image
file-java
file-multimedia
file-office
file-other
file-pdf
indicator-compromise
indicator-obfuscation
indicator-scan
indicator-shellcode
malware-backdoor
malware-cnc
malware-other
malware-tools
netbios
os-linux
os-mobile
os-other
os-solaris
os-windows
policy-multimedia
policy-other
policy-social
policy-spam
preprocessor
protocol-dns
protocol-finger
protocol-ftp
protocol-icmp
protocol-imap
protocol-nntp
protocol-pop
protocol-rpc
protocol-scada
protocol-services
protocol-snmp
protocol-telnet
protocol-tftp
protocol-voip
pua-adware
pua-other
pua-p2p
pua-toolbars
server-apache
server-iis
server-mail
server-mssql
server-mysql
server-oracle
server-other
server-samba
server-webapp
sql
x11


Edited by michael_b
