all tcp and udp code

Date: 2006-11-23  Source: snowtty

Summary of complex filters (without macro commands)

1. Based on correct fields

  - ICMP Echo Request and Echo Reply: "(icmp[0:1]=0)" or "(icmp[0:1]=8)"
  - TCP SYN packets: "(tcp[13:1]=0x02)"
  - TCP ACK packets: "(tcp[13:1]=0x10)"
  - TCP RST packets: "(tcp[13:1]=0x04)"
  - TCP SYN or ACK packets: "(tcp[13:1]=0x02) or (tcp[13:1]=0x10)"
  - TCP SYN or RST packets: "(tcp[13:1]=0x02) or (tcp[13:1]=0x04)"
  - TCP SYN or FIN packets: "(tcp[13:1]=0x02) or (tcp[13:1]=0x01)"
  - TCP SYN and ACK packets: "(tcp[13:1]=0x12)"
  - SMTP: EHLO email.server.com
    For these filters, keep in mind that Windump cannot search for strings longer than 4 bytes. To match a string longer than 4 bytes, the 4-byte comparisons must be chained with the logical operators:
    String: EHLO email.server.com
    tcp port 25 and "(tcp[20:4]=0x45484c4f)" and "(tcp[24:4]=0x20656d61)" and
    "(tcp[28:4]=0x696c2e73)" and "(tcp[32:4]=0x65727665)" and
    "(tcp[36:4]=0x722e636f)" and "(tcp[40:1]=0x6d)"
  - SMTP: HELO email.server.com
    tcp port 25 and "(tcp[20:4]=0x48454c4f)" and "(tcp[24:4]=0x20656d61)" and
    "(tcp[28:4]=0x696c2e73)" and "(tcp[32:4]=0x65727665)" and
    "(tcp[36:4]=0x722e636f)" and "(tcp[40:1]=0x6d)"
  - SMTP: RCPT TO: <cuenta@xxxxxxxxxxxxxxxx>
    tcp port 25 and "(tcp[20:4]=0x52435054)" and "(tcp[24:4]=0x20544f3a)" and
    "(tcp[28:4]=0x203c6375)" and "(tcp[32:4]=0x65707461)" and
    "(tcp[36:4]=0x40656d61)" and "(tcp[40:4]=0x696c2e73)" and
    "(tcp[44:4]=0x65727665)" and "(tcp[48:4]=0x722e636f)" and "(tcp[52:2]=0x6d3e)"
  - SMTP: MAIL FROM: <cuenta@xxxxxxxxxxxxxxxx>
    tcp port 25 and "(tcp[20:4]=0x4d41494c)" and "(tcp[24:4]=0x20465254)" and
    "(tcp[28:4]=0x4d3a203c)" and "(tcp[32:4]=0x63756570)" and
    "(tcp[36:4]=0x74614065)" and "(tcp[40:4]=0x6d61696c)" and
    "(tcp[44:4]=0x2e736572)" and "(tcp[48:4]=0x7665722e)" and
    "(tcp[52:4]=0x636f6d3e)"
  - POP3: USER <libidonet@xxxxxxxxxxxxx>
    tcp port 110 and "(tcp[20:4]=0x55534552)" and "(tcp[24:4]=0x206c6962)" and
    "(tcp[28:4]=0x69646f6e)" and "(tcp[32:4]=0x6574406c)" and
    "(tcp[36:4]=0x69626964)" and "(tcp[40:4]=0x6f6e6574)" and
    "(tcp[44:4]=0x2e636f6d)"
  - Password search in POP3: PASS
    tcp port 110 and "(tcp[20:4]=0x50415353)"

2. Based on erroneous fields or hacking attempts

  - TCP Flag Null packets: "(tcp[13:1]&0x3f=0)"
  - TCP FIN packets: "(tcp[13:1]=0x01)"
  - TCP PUSH packets: "(tcp[13:1]=0x08)"
  - TCP UNNUMBERED packets: "(tcp[13:1]=0x20)"
  - TCP FLAG RESERVED packets: "(tcp[13:1]&0xc0!=0)"
  - TCP SYN and RST packets: "(tcp[13:1]=0x06)"
  - TCP SYN and FIN packets: "(tcp[13:1]=0x03)"
  - TCP RST and FIN packets: "(tcp[13:1]=0x05)"
  - Unknown IP protocol: "(ip[9:1]>101)"
  - IP fragmentation: "(ip[6:1]&0x20!=0x00)"
  - Impossible fragmentation: "(ip[6:1]&0x20!=0)" and "((ip[2:2]-((ip[0:1]&0x0f)*4))&0x7!=0)"
  - IP Options set: "(ip[0:1]&0x05>0x05)"
  - Source Routed Packets:
    "((ip[19:1]=0xff) or (ip[19:1]=0x00))" or "(ip[0:1]&0xff>0x05)" and
    "((ip[20:1]=0x83) or (ip[20:1]=0x89))"
  - Land Attack - Impossible IP Packet: ip[12:4] = ip[16:4]
  - IP Options DoS Attack against Raptor Firewall v. 6.0: "(ip[0:1]&0x05>0x05)" and "(ip[20:2]=0x4400)"
  - IP Improper Addresses:
    net 10 or net 127 or net 169.254 or "(net 172 and (((ip[13]>15) and
    (ip[13]<32)) or ((ip[17]>15) and (ip[17]<32))))" or dst net 0 or "(src net 0 and
    not src host 0.0.0.0)" or net 1 or net 2 or net 5 or net 23 or net 31 or
    "((ip[12]>=65) and (ip[12]<=127))" or "((ip[16]>=65) and (ip[16]<=127))" or net
    191.255 or net 128.0 or net 197 or net 201 or net 223 or "(ip[12]>239)" or net
    255
  - ICMP Host Unreachable: "(icmp[0:1]=3)"
  - ICMP Source Quench: "(icmp[0:1]=4)"
  - ICMP Redirect: "(icmp[0:1]=5)"
  - ICMP Router Discovery Attack:
    "(icmp[0:1]=9)" and "((icmp[12:4]=0x03e8) or (icmp[20:4]=0x03e8)
    or (icmp[28:4]=0x03e8) or ...)"
  - ICMP Time Exceeded for a Datagram: "(icmp[0:1]=11)"
  - ICMP Parameter Problem Attack: "(icmp[0:1]=12)" and "(icmp[8:1]>5)"
  - ICMP Timestamp Attack:
    "(icmp[0:1]=13)" and "(icmp[0:1]=0)" and "(icmp[4:2]=0xffff)" and
    "(icmp[6:2]=0xffff)"
  - ICMP Timestamp Reply: "(icmp[0:1]=14)"
  - ICMP Smurf Attack: Broadcast Echo Request: icmp and "(ip[19]=0xff)" or "(icmp[0]=8)"
  - ICMP Mask Request and Mask Reply: "(icmp[0:1]=17)" or "(icmp[0:1]=18)"
  - Loki (per the original version):
    "(icmp[0:1]=8)" or "(icmp[0:1]=0)" and "((icmp[6:2]=0xf001) or
    (icmp[6:2]=0x01f0))"
  - Ping of Death Attack: icmp and "((ip[2:2]-((ip[0:1]&0x0f)*4)+((ip[6:2]&0x1fff)*8))>65535)"
  - BackOrifice 2000: UDP: "(udp[8:4]=0xce63d1d2)" and "(udp[12:4]=0x16e713cf)"
  - Traceroute filters based on UDP: "(udp[2:2]>=33000)" and "(udp[2:2]<=34999)"
  - Teardrop attack: udp and "((ip[6:1]&0x20!=0) or (ip[6:2]&0x1fff!=0))"
  - Sesquipedalian: Against Linux O.S.:
    "(ip[6:1]&0x20!=0)" and "(ip[6:2]&0x1fff=0)" and
    "((ip[2:2])=((ip[0:1]&0x0f)*4))"
  - Diagnostic Port Attack: udp and "(port 7 or port 13 or port 19 or port 37)"
  - Fragmented IGMP Attack: igmp and "((ip[6:1]&0x20!=0) or (ip[6:2]&0x1fff!=0))"
  - Smurf Attack: "(ip[19]=0xff)" or "(ip[19]=0x00)"
  - DNS Server Failure: "(udp[11:1]=0x82)"
  - Windows Registry Access or Denied File Access:
    tcp port 139 and "(tcp[20:1]=0x00) and ((tcp[28:2]=0x2d02) and
    (tcp[31:2]=0x0400) or (tcp[28:2]=0x2d00))"
  - Low Numbered UDP Ports: Diagnostic Prelude Attack: "(udp[0:2]<20)" or "(udp[2:2]<20)"
  - UDP Bomb: udp port 53 and "((((ip[2:2]&0xffff)-((ip[0:1]&0x0f)*4))!=(ip[26:2])))"
  - UDP Snork: "(udp src port 135 or src port 7 or src port 19)" and "(udp dst port 135)"
  - Fragmented UDP: udp and "((ip[6:1]&0x20!=0) or (ip[6:2]&0x1fff!=0))"
  - UDP Malformed Packet: "(udp[4:2]<8)"
  - UDP Chargen DoS: udp src port 7 and udp dst port 19
  - UDP nmap OS Determination Probe: "(udp[2:2]>=30000)" and "(udp[2:2]<=44780)" and "(udp[4:2]=308)"
  - UDP Syslog Vulnerability: "(udp dst port 514)" and "(udp[4:2]=8)"
  - UDP NBTStat: udp port 137 and "((udp[55:1]=0x15) or (udp[54:1]=0x21))"
  - BO2k UDP Packets: "(udp[10:2]=0)" and "((ip[2:2]-((ip[0]&0x0f)*4)-8-4)=((udp[9]*256)+udp[8]))"
  - BO2k TCP Packets: "(tcp[22:2]=0)" and "((ip[2:2]-((ip[0]&0x0f)*4)-20-4)=((tcp[21]*256)+tcp[20]))"
  - TCP Services Network Scan:
    tcp and "(dst port 143 or dst port 80 or dst port 25 or dst port 23 or dst port
    1080 or dst port 110)"
    or, alternatively:
    tcp and "(((dst port 80) and (not host 200.14.241.5)) or ((dst port 25) and
    (not host 200.14.241.6)))"
  - SMTP command: VRFY: tcp port 25 and "(tcp[20:4]=0x56524658)" or "(tcp[20:4]=0x6577706e)"
  - SMTP command: EXPN: tcp port 25 and "(tcp[20:4]=0x4557504e)" or "(tcp[20:4]=0x76726678)"
  - SMTP command: NOOP: tcp port 25 and "(tcp[20:4]=0x4e4f4f50)" or "(tcp[20:4]=0x6e6f6f70)"
  - Quake I/II: "(src net 192.168.40)" and "(udp[2:2]>26999)" and "(udp[2:2]<28000)"
  - Tribe Flood Network: tcp port 27665 or udp port 31335 or udp port 27444
  - Stacheldraht: tcp port 16660 or tcp port 65000
  - Shaft: tcp port 20432 or udp port 20433 or udp port 18753

  - Capture of an ANY query to hotmail.com:
    udp[21:4]=0x686f746d and udp[25:4]=0x61696c03 and udp[29:2]=0x636f
  - Capture of DNS Server Fail: udp[11:1]=0x82
  - Capture of an ANY query to windowsupdate.com:
    udp[21:4]=0x77696e64 and udp[25:4]=0x6f777375 and udp[29:4]=0x70646174 and
    udp[33:4]=0x6503636f
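The string-search filters in section 1 (the EHLO/HELO/RCPT/MAIL/USER chains) and the DNS query captures just above all rely on the same trick: split the wanted string into 4-byte chunks and compare each chunk at a fixed offset into the TCP or UDP header. The following Python is an added example, not code from the original page or its author: it generates such a chain from a string and a start offset, reads a chain back and evaluates it against constructed packet bytes, and shows the caveat these fixed offsets carry. The packet builders, sample payloads and the `matches` evaluator are my own constructions; the offset convention (tcpdump's `proto[off:len]` counts from the first byte of that protocol's header) is the real one.

```python
# Added example (not from the original page): build the chained 4-byte
# comparisons Windump/tcpdump needs to match a string longer than 4 bytes,
# and evaluate such a chain against constructed packet bytes.
import re
import struct

# One term per <=4-byte chunk: proto[off:len]=0xHEX. The regex reads these
# terms back; it only understands the equality-and-"and" subset that
# string_filter emits (no "or", no masks, no arithmetic).
TERM = re.compile(r"(\w+)\[(\d+):(\d+)\]=0x([0-9a-fA-F]+)")


def string_filter(proto: str, offset: int, data: bytes, quoted: bool = True) -> str:
    """Return the 'and'-chain of comparisons that matches `data` starting at
    proto[offset]. Offsets count from the first byte of that protocol's
    header, so tcp[20] is the first payload byte only when the TCP header
    carries no options."""
    terms = []
    for i in range(0, len(data), 4):
        chunk = data[i:i + 4]
        term = "%s[%d:%d]=0x%s" % (proto, offset + i, len(chunk), chunk.hex())
        terms.append('"(%s)"' % term if quoted else term)
    return " and ".join(terms)


def matches(expr: str, layers: dict) -> bool:
    """Evaluate an 'and'-chain of proto[off:len]=0x.. terms. `layers` maps a
    protocol name to the bytes from that protocol's header onward."""
    if " or " in expr.lower():
        raise ValueError("only 'and' chains are supported")
    terms = TERM.findall(expr)
    if not terms:
        raise ValueError("no proto[off:len]=0x.. term found")
    for proto, off, length, hexval in terms:
        off, length = int(off), int(length)
        want = bytes.fromhex(hexval.zfill(2 * length))
        if layers.get(proto, b"")[off:off + length] != want:
            return False
    return True


# Constructed packets (checksums left at zero; nothing here validates them).
TS_OPTIONS = b"\x01\x01\x08\x0a" + struct.pack("!II", 1000, 0)  # NOP, NOP, timestamp


def tcp_segment(payload: bytes, flags: int = 0x18, options: bytes = b"") -> bytes:
    """TCP header (plus optional options) followed by payload; flags default to PSH+ACK."""
    assert len(options) % 4 == 0
    data_offset = (20 + len(options)) // 4  # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", 40000, 25, 1, 1, data_offset << 4,
                         flags, 8192, 0, 0)
    return header + options + payload


def dns_query(name: str, qtype: int = 255) -> bytes:
    """UDP header + DNS query for `name`; qtype 255 is ANY."""
    labels = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + labels + struct.pack("!HH", qtype, 1)
    return struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns


if __name__ == "__main__":
    ehlo = string_filter("tcp", 20, b"EHLO email.server.com")
    print("tcp port 25 and " + ehlo)
    plain = tcp_segment(b"EHLO email.server.com\r\n")
    with_ts = tcp_segment(b"EHLO email.server.com\r\n", options=TS_OPTIONS)
    print("20-byte header:", matches(ehlo, {"tcp": plain}))    # True
    print("with options:  ", matches(ehlo, {"tcp": with_ts}))  # False: payload now starts at tcp[32]
    # The DNS label length byte (0x07) sits at udp[20]; the page's filter starts at 21.
    print(string_filter("udp", 21, b"hotmail\x03co", quoted=False))
    print(matches('"(tcp[13:1]=0x03)"', {"tcp": tcp_segment(b"", flags=0x03)}))  # SYN+FIN: True
```

Two things this makes visible. First, the payload-offset filters are brittle: `tcp[20:4]` is the first payload word only for a 20-byte TCP header, and a segment carrying options (timestamps are routine today) shifts the payload so the chain silently misses. The flag-byte filters in section 2 (`tcp[13:1]=...`) do not have this problem, because byte 13 lies inside the fixed part of the header. Second, the DNS captures start at `udp[21]` rather than `udp[20]` because the first byte of the question name is the label length, so the chain matches `hotm`, `ail\x03`, `co` and would also fire on any longer name that begins with those bytes.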