Matching similar sequences seems limited #13

Closed
jalbstmeijer opened this issue Nov 12, 2014 · 8 comments
@jalbstmeijer

Hi,

It seems that matching sequences is very linear and will not match when sequences start in a similar way.

Is this a feature or bug?

Gr, J

With the following config:

[sequence1]
sequence = 2001,2002,2003,2011
seq_timeout = 15
tcpflags = syn
start_command = date

[sequence2]
sequence = 2001,2002,2003,2012
seq_timeout = 15
tcpflags = syn
start_command = date

[sequence3]
sequence = 2001,2002,2003,2013
seq_timeout = 15
tcpflags = syn
start_command = date

[sequence4]
sequence = 2001,2002,2003,2014
seq_timeout = 15
tcpflags = syn
start_command = date

and the following actions:

knock -d5 123.123.123.123 2001 2002 2003 2011
knock -d5 123.123.123.123 2001 2002 2003 2012
knock -d5 123.123.123.123 2001 2002 2003 2013
knock -d5 123.123.123.123 2001 2002 2003 2014

I see:

[2014-11-12 15:26] 54.72.48.222: sequence1: Stage 1
[2014-11-12 15:26] 54.72.48.222: sequence2: Stage 1
[2014-11-12 15:26] 54.72.48.222: sequence3: Stage 1
[2014-11-12 15:26] 54.72.48.222: sequence4: Stage 1
[2014-11-12 15:26] 54.72.48.222: sequence1: Stage 2
[2014-11-12 15:26] 54.72.48.222: sequence1: Stage 3
[2014-11-12 15:26] 54.72.48.222: sequence1: Stage 4
[2014-11-12 15:26] 54.72.48.222: sequence1: OPEN SESAME
[2014-11-12 15:26] sequence1: running command: date

[2014-11-12 15:26] 54.72.48.222: sequence1: Stage 1
[2014-11-12 15:26] 54.72.48.222: sequence2: Stage 1
[2014-11-12 15:26] 54.72.48.222: sequence3: Stage 1
[2014-11-12 15:26] 54.72.48.222: sequence4: Stage 1
[2014-11-12 15:26] 54.72.48.222: sequence1: Stage 2
[2014-11-12 15:26] 54.72.48.222: sequence1: Stage 3

[2014-11-12 15:26] 54.72.48.222: sequence1: Stage 1
[2014-11-12 15:26] 54.72.48.222: sequence2: Stage 1
[2014-11-12 15:26] 54.72.48.222: sequence3: Stage 1
[2014-11-12 15:26] 54.72.48.222: sequence4: Stage 1
[2014-11-12 15:26] 54.72.48.222: sequence1: Stage 2
[2014-11-12 15:26] 54.72.48.222: sequence1: Stage 3

[2014-11-12 15:26] 54.72.48.222: sequence1: Stage 1
[2014-11-12 15:26] 54.72.48.222: sequence2: Stage 1
[2014-11-12 15:26] 54.72.48.222: sequence3: Stage 1
[2014-11-12 15:26] 54.72.48.222: sequence4: Stage 1
[2014-11-12 15:26] 54.72.48.222: sequence1: Stage 2
[2014-11-12 15:26] 54.72.48.222: sequence1: Stage 3

@jvinet jvinet changed the title Matching simular squences seems limited Matching similar squences seems limited Dec 22, 2014
@jvinet jvinet self-assigned this Dec 22, 2014
@airwoflgh
Contributor

This seems intentional, at least from the code point of view. When sniff() finds a previous attempt it only supports a single previous attempt in the for loop and breaks when one is found.

Would have to change attempt to be a list and iterate through them for your similar sequences configuration to operate.

    attempt = NULL;
    /* look for this guy in our attempts list */
    for(lp = attempts; lp; lp = lp->next) {
        knocker_t *att = (knocker_t*)lp->data;
        if(!strncmp(att->src, srcIP, sizeof(srcIP)) &&
           !strncmp(att->door->target ? att->door->target : myip, dstIP, sizeof(dstIP))) {
            attempt = att;
            break;  /* first match wins: other open attempts from the same source are never examined */
        }
    }

    if(attempt) {

airwoflgh referenced this issue in airwoflgh/knock Dec 8, 2015
When a port was used in multiple sequences, only the first instance in
the first sequence was honored due to the for loop breaking out once
found.

Updated it to populate a linked list and then loop round the found
attempts to check for validity.
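To make the difference between the two lookups concrete, here is an added C model of the matcher (not knockd's own code): it replays the issue's second sequence against the four doors from the config above, once with the single-attempt lookup the comment describes and once with the loop over all found attempts that the commit describes. The `run_knocks` function, the door array layout and the door indices are constructed for this illustration.

```c
#include <stdio.h>

#define NDOORS 4
#define SEQLEN 4

/* Constructed doors mirroring the issue's config: the first three ports are shared. */
static const int doors[NDOORS][SEQLEN] = {
    {2001, 2002, 2003, 2011}, {2001, 2002, 2003, 2012},
    {2001, 2002, 2003, 2013}, {2001, 2002, 2003, 2014}};

/* An in-progress attempt from one source: the door and the stage reached so far. */
typedef struct { int door; int stage; } attempt_t;

/* Replay one source's knocks through a model of the matcher.
 * multi == 0 mimics the pre-fix sniff(): only the first open attempt for the
 * source is examined, so door 0 shadows every door that shares its prefix.
 * multi == 1 mimics the fix: every open attempt for the source is checked.
 * Returns the index of the door that opened, or -1 if none did. */
int run_knocks(const int *ports, int nports, int multi) {
    attempt_t att[NDOORS];
    int natt = 0;
    for (int p = 0; p < nports; p++) {
        int port = ports[p];
        if (natt == 0) {
            /* Nothing in progress: open an attempt for each door whose first port matches. */
            for (int d = 0; d < NDOORS; d++)
                if (doors[d][0] == port) { att[natt].door = d; att[natt].stage = 1; natt++; }
            continue;
        }
        int kept = 0, limit = multi ? natt : 1;
        for (int i = 0; i < limit; i++) {
            if (doors[att[i].door][att[i].stage] != port)
                continue;                     /* wrong next port: this attempt is reset */
            att[i].stage++;
            if (att[i].stage == SEQLEN) return att[i].door;   /* OPEN SESAME */
            att[kept++] = att[i];             /* still alive, keep it */
        }
        natt = kept;   /* in the old mode the unexamined attempts are never advanced */
    }
    return -1;
}

int main(void) {
    const int knock[] = {2001, 2002, 2003, 2012};   /* the issue's second sequence */
    printf("old matcher: door %d\n", run_knocks(knock, 4, 0));   /* -1: never opens */
    printf("fixed matcher: door %d\n", run_knocks(knock, 4, 1)); /* 1: sequence2 opens */
    return 0;
}
```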
@airwoflgh
Contributor

Have crafted a fix in my fork.

@jalbstmeijer
Author

Hi, wanted to verify your fix, but unfortunately the current 0.7.7 version does not compile for me on CentOS 6.7.

I will open a separate ticket for that.

@airwoflgh
Contributor

Will take a look at this later tonight.

P.

On December 16, 2015 4:16:35 AM EST, jalbstmeijer notifications@github.com wrote:

Hi, wanted to verify your fix, but unfortunately the current 0.7.7
version does not compile for me on CentOS 6.7.

I will open a separate ticket for that.



@airwoflgh
Contributor

You should be able to compile it now from my fork. Makefile parameters updated so you don't have to set the CFLAGS variable manually. Have a queued push request to bring that back into master.

jvinet pushed a commit that referenced this issue Dec 27, 2015
@jalbstmeijer
Author

Tested 0.7.7, but I don't seem to be able to trigger any sequence now.

Sequence comes in, but does not seem to be recognized.

knock -d5 1.2.3.4 2001 2002 2003 2011

knockd -D -v -i eth0

config: new section: 'options'
config: log file: /var/log/knockd.log
config: new section: 'sequence1'
config: sequence1: sequence: 2001:tcp,2002:tcp,2003:tcp,2011:tcp
config: sequence1: seq_timeout: 15
config: tcp flag: SYN
config: sequence1: start_command: date
ppp interface detected (linux "cooked" encapsulation)
Local IP: 1.2.3.4
Adding pcap expression for door 'sequence1': ((dst host XXX) and (((tcp dst port 2001 or 2002 or 2003 or 2011) and tcp[tcpflags] & tcp-syn != 0)))
listening on eth0...
2016-00-19 20:39:44: tcp: XXX:41745 -> 1.2.3.4:2001 76 bytes
2016-00-19 20:39:44: tcp: XXX:55551 -> 1.2.3.4:2002 76 bytes
2016-00-19 20:39:44: tcp: XXX:53423 -> 1.2.3.4:2003 76 bytes
2016-00-19 20:39:44: tcp: XXX:41529 -> 1.2.3.4:2011 76 bytes

@jalbstmeijer
Author

Now tested 0.7.8, seems to work now and main issue seems to be fixed.

[2016-01-19 21:04] XXX: sequence1: Stage 1
[2016-01-19 21:04] XXX: sequence2: Stage 1
[2016-01-19 21:04] XXX: sequence3: Stage 1
[2016-01-19 21:04] XXX: sequence4: Stage 1
[2016-01-19 21:04] XXX: sequence1: Stage 2
[2016-01-19 21:04] XXX: sequence2: Stage 2
[2016-01-19 21:04] XXX: sequence3: Stage 2
[2016-01-19 21:04] XXX: sequence4: Stage 2
[2016-01-19 21:04] XXX: sequence1: Stage 3
[2016-01-19 21:04] XXX: sequence2: Stage 3
[2016-01-19 21:04] XXX: sequence3: Stage 3
[2016-01-19 21:04] XXX: sequence4: Stage 3
[2016-01-19 21:04] XXX: sequence1: Stage 4
[2016-01-19 21:04] XXX: sequence1: OPEN SESAME
[2016-01-19 21:04] sequence1: running command: date

[2016-01-19 21:04] XXX: sequence1: Stage 1
[2016-01-19 21:04] XXX: sequence2: Stage 1
[2016-01-19 21:04] XXX: sequence3: Stage 1
[2016-01-19 21:04] XXX: sequence4: Stage 1
[2016-01-19 21:04] XXX: sequence1: Stage 2
[2016-01-19 21:04] XXX: sequence2: Stage 2
[2016-01-19 21:04] XXX: sequence3: Stage 2
[2016-01-19 21:04] XXX: sequence4: Stage 2
[2016-01-19 21:04] XXX: sequence1: Stage 3
[2016-01-19 21:04] XXX: sequence2: Stage 3
[2016-01-19 21:04] XXX: sequence3: Stage 3
[2016-01-19 21:04] XXX: sequence4: Stage 3
[2016-01-19 21:04] XXX: sequence2: Stage 4
[2016-01-19 21:04] XXX: sequence2: OPEN SESAME
[2016-01-19 21:04] sequence2: running command: date

[2016-01-19 21:04] XXX: sequence1: Stage 1
[2016-01-19 21:04] XXX: sequence2: Stage 1
[2016-01-19 21:04] XXX: sequence3: Stage 1
[2016-01-19 21:04] XXX: sequence4: Stage 1
[2016-01-19 21:04] XXX: sequence1: Stage 2
[2016-01-19 21:04] XXX: sequence2: Stage 2
[2016-01-19 21:04] XXX: sequence3: Stage 2
[2016-01-19 21:04] XXX: sequence4: Stage 2
[2016-01-19 21:04] XXX: sequence1: Stage 3
[2016-01-19 21:04] XXX: sequence2: Stage 3
[2016-01-19 21:04] XXX: sequence3: Stage 3
[2016-01-19 21:04] XXX: sequence4: Stage 3
[2016-01-19 21:04] XXX: sequence3: Stage 4
[2016-01-19 21:04] XXX: sequence3: OPEN SESAME
[2016-01-19 21:04] sequence3: running command: date

[2016-01-19 21:04] XXX: sequence1: Stage 1
[2016-01-19 21:04] XXX: sequence2: Stage 1
[2016-01-19 21:04] XXX: sequence3: Stage 1
[2016-01-19 21:04] XXX: sequence4: Stage 1
[2016-01-19 21:04] XXX: sequence1: Stage 2
[2016-01-19 21:04] XXX: sequence2: Stage 2
[2016-01-19 21:04] XXX: sequence3: Stage 2
[2016-01-19 21:04] XXX: sequence4: Stage 2
[2016-01-19 21:04] XXX: sequence1: Stage 3
[2016-01-19 21:04] XXX: sequence2: Stage 3
[2016-01-19 21:04] XXX: sequence3: Stage 3
[2016-01-19 21:04] XXX: sequence4: Stage 3
[2016-01-19 21:04] XXX: sequence4: Stage 4
[2016-01-19 21:04] XXX: sequence4: OPEN SESAME
[2016-01-19 21:04] sequence4: running command: date

@airwoflgh
Contributor

Hi Judd,

Can we close this one out now please?

P.

@jvinet jvinet closed this as completed Mar 9, 2016