jvinet / knock

A port-knocking daemon
http://www.zeroflux.org/projects/knock
GNU General Public License v2.0

Matching similar sequences seems limited #13

Closed jalbstmeijer closed 8 years ago

jalbstmeijer commented 9 years ago

Hi,

It seems that matching sequences is very linear and will not match when sequences start in a similar way.

Is this a feature or bug?

Gr, J

with the following config:

    [sequence1]
        sequence      = 2001,2002,2003,2011
        seq_timeout   = 15
        tcpflags      = syn
        start_command = date

    [sequence2]
        sequence      = 2001,2002,2003,2012
        seq_timeout   = 15
        tcpflags      = syn
        start_command = date

    [sequence3]
        sequence      = 2001,2002,2003,2013
        seq_timeout   = 15
        tcpflags      = syn
        start_command = date

    [sequence4]
        sequence      = 2001,2002,2003,2014
        seq_timeout   = 15
        tcpflags      = syn
        start_command = date

and the following actions:

    knock -d5 123.123.123.123 2001 2002 2003 2011
    knock -d5 123.123.123.123 2001 2002 2003 2012
    knock -d5 123.123.123.123 2001 2002 2003 2013
    knock -d5 123.123.123.123 2001 2002 2003 2014

I see:

    [2014-11-12 15:26] 54.72.48.222: sequence1: Stage 1
    [2014-11-12 15:26] 54.72.48.222: sequence2: Stage 1
    [2014-11-12 15:26] 54.72.48.222: sequence3: Stage 1
    [2014-11-12 15:26] 54.72.48.222: sequence4: Stage 1
    [2014-11-12 15:26] 54.72.48.222: sequence1: Stage 2
    [2014-11-12 15:26] 54.72.48.222: sequence1: Stage 3
    [2014-11-12 15:26] 54.72.48.222: sequence1: Stage 4
    [2014-11-12 15:26] 54.72.48.222: sequence1: OPEN SESAME
    [2014-11-12 15:26] sequence1: running command: date

    [2014-11-12 15:26] 54.72.48.222: sequence1: Stage 1
    [2014-11-12 15:26] 54.72.48.222: sequence2: Stage 1
    [2014-11-12 15:26] 54.72.48.222: sequence3: Stage 1
    [2014-11-12 15:26] 54.72.48.222: sequence4: Stage 1
    [2014-11-12 15:26] 54.72.48.222: sequence1: Stage 2
    [2014-11-12 15:26] 54.72.48.222: sequence1: Stage 3

    [2014-11-12 15:26] 54.72.48.222: sequence1: Stage 1
    [2014-11-12 15:26] 54.72.48.222: sequence2: Stage 1
    [2014-11-12 15:26] 54.72.48.222: sequence3: Stage 1
    [2014-11-12 15:26] 54.72.48.222: sequence4: Stage 1
    [2014-11-12 15:26] 54.72.48.222: sequence1: Stage 2
    [2014-11-12 15:26] 54.72.48.222: sequence1: Stage 3

    [2014-11-12 15:26] 54.72.48.222: sequence1: Stage 1
    [2014-11-12 15:26] 54.72.48.222: sequence2: Stage 1
    [2014-11-12 15:26] 54.72.48.222: sequence3: Stage 1
    [2014-11-12 15:26] 54.72.48.222: sequence4: Stage 1
    [2014-11-12 15:26] 54.72.48.222: sequence1: Stage 2
    [2014-11-12 15:26] 54.72.48.222: sequence1: Stage 3

airwoflgh commented 8 years ago

This seems intentional, at least from the code point of view. When sniff() finds a previous attempt it only supports a single previous attempt in the for loop and breaks when one is found.

Would have to change attempt to be a list and iterate through them for your similar sequences configuration to operate.

    attempt = NULL;
    /* look for this guy in our attempts list */
    for(lp = attempts; lp; lp = lp->next) {
        knocker_t *att = (knocker_t*)lp->data;
        /* match on source IP and on the door's target (or our own IP) */
        if(!strncmp(att->src, srcIP, sizeof(srcIP)) &&
           !strncmp(att->door->target ? att->door->target : myip, dstIP, sizeof(dstIP))) {
            attempt = att;
            break;  /* first attempt for this source wins; the rest are never consulted */
        }
    }

    if(attempt) {  /* only this single attempt is advanced */

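
To make the behaviour concrete, here is an added simulation (not knockd's code) of the per-source-IP attempt matching that sniff() performs, reproducing the stage logs from this issue: with `single_attempt=True` only the first attempt found for the source is advanced, as in the loop above, and with `False` every in-progress attempt is advanced, as in the proposed fix. The mismatch rule (a wrong port abandons that attempt) is a simplification assumed here, and the door names and ports are the ones from the reporter's config.

```python
# Added example, not knockd's code: simulates how knockd's sniff() matches knocks
# from one source IP against the configured doors. single_attempt=True mimics the
# original code (only the first attempt found is advanced); False mimics the fix.
# Simplification (assumption): a port that does not match abandons that attempt.

# Door configuration from the issue (port sequences only; all TCP SYN).
DOORS = {
    "sequence1": [2001, 2002, 2003, 2011],
    "sequence2": [2001, 2002, 2003, 2012],
    "sequence3": [2001, 2002, 2003, 2013],
    "sequence4": [2001, 2002, 2003, 2014],
}


def run_knocks(ports, doors, single_attempt):
    """Feed one knock run (destination ports seen from one source IP) through
    the matcher. Returns (opened_doors, stage_log) in knockd's log wording."""
    attempts = []  # in-progress attempts for this source IP: [door_name, stage]
    opened, log = [], []
    for port in ports:
        if not attempts:
            # No attempt on record: every door whose first port matches starts.
            for name, seq in doors.items():
                if seq[0] == port:
                    attempts.append([name, 1])
                    log.append(f"{name}: Stage 1")
            continue
        # Original sniff(): the lookup loop breaks at the first attempt for this
        # source IP, so only attempts[0] is ever advanced. The fix checks them all.
        candidates = attempts[:1] if single_attempt else list(attempts)
        for att in candidates:
            name, stage = att
            seq = doors[name]
            if seq[stage] == port:
                att[1] += 1
                log.append(f"{name}: Stage {att[1]}")
                if att[1] == len(seq):
                    opened.append(name)
                    attempts.remove(att)
            else:
                attempts.remove(att)  # assumption: wrong port drops the attempt
    return opened, log


if __name__ == "__main__":
    for name, seq in DOORS.items():
        for mode in (True, False):
            opened, _ = run_knocks(seq, DOORS, mode)
            print(f"{name} {'single' if mode else 'multi'}-attempt -> opened {opened}")
```

With the single-attempt rule only sequence1 can ever open; the other three runs stall at "sequence1: Stage 3", exactly the pattern in the reporter's log.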
airwoflgh commented 8 years ago

Have crafted a fix in my fork.

jalbstmeijer commented 8 years ago

Hi, wanted to verify your fix, but unfortunately the current 0.7.7 version does not compile for me on CentOS 6.7.

I will open a separate ticket for that.

airwoflgh commented 8 years ago

Will take a look at this later tonight.

P.

On December 16, 2015 4:16:35 AM EST, jalbstmeijer notifications@github.com wrote:

> Hi, wanted to verify your fix, but unfortunately the current 0.7.7 version does not compile for me on CentOS 6.7.
>
> I will open a separate ticket for that.


airwoflgh commented 8 years ago

You should be able to compile it now from my fork. Makefile parameters updated so you don't have to set the CFLAGS variable manually. Have a queued push request to bring that back into master.

jalbstmeijer commented 8 years ago

Tested 0.7.7, but I don't seem to be able to trigger any sequence now.

Sequence comes in, but does not seem to be recognized.

    knock -d5 1.2.3.4 2001 2002 2003 2011

    knockd -D -v -i eth0

    config: new section: 'options'
    config: log file: /var/log/knockd.log
    config: new section: 'sequence1'
    config: sequence1: sequence: 2001:tcp,2002:tcp,2003:tcp,2011:tcp
    config: sequence1: seq_timeout: 15
    config: tcp flag: SYN
    config: sequence1: start_command: date
    ppp interface detected (linux "cooked" encapsulation)
    Local IP: 1.2.3.4
    Adding pcap expression for door 'sequence1': ((dst host XXX) and (((tcp dst port 2001 or 2002 or 2003 or 2011) and tcp[tcpflags] & tcp-syn != 0)))
    listening on eth0...
    2016-00-19 20:39:44: tcp: XXX:41745 -> 1.2.3.4:2001 76 bytes
    2016-00-19 20:39:44: tcp: XXX:55551 -> 1.2.3.4:2002 76 bytes
    2016-00-19 20:39:44: tcp: XXX:53423 -> 1.2.3.4:2003 76 bytes
    2016-00-19 20:39:44: tcp: XXX:41529 -> 1.2.3.4:2011 76 bytes

jalbstmeijer commented 8 years ago

Now tested 0.7.8; it seems to work now and the main issue seems to be fixed.

    [2016-01-19 21:04] XXX: sequence1: Stage 1
    [2016-01-19 21:04] XXX: sequence2: Stage 1
    [2016-01-19 21:04] XXX: sequence3: Stage 1
    [2016-01-19 21:04] XXX: sequence4: Stage 1
    [2016-01-19 21:04] XXX: sequence1: Stage 2
    [2016-01-19 21:04] XXX: sequence2: Stage 2
    [2016-01-19 21:04] XXX: sequence3: Stage 2
    [2016-01-19 21:04] XXX: sequence4: Stage 2
    [2016-01-19 21:04] XXX: sequence1: Stage 3
    [2016-01-19 21:04] XXX: sequence2: Stage 3
    [2016-01-19 21:04] XXX: sequence3: Stage 3
    [2016-01-19 21:04] XXX: sequence4: Stage 3
    [2016-01-19 21:04] XXX: sequence1: Stage 4
    [2016-01-19 21:04] XXX: sequence1: OPEN SESAME
    [2016-01-19 21:04] sequence1: running command: date

    [2016-01-19 21:04] XXX: sequence1: Stage 1
    [2016-01-19 21:04] XXX: sequence2: Stage 1
    [2016-01-19 21:04] XXX: sequence3: Stage 1
    [2016-01-19 21:04] XXX: sequence4: Stage 1
    [2016-01-19 21:04] XXX: sequence1: Stage 2
    [2016-01-19 21:04] XXX: sequence2: Stage 2
    [2016-01-19 21:04] XXX: sequence3: Stage 2
    [2016-01-19 21:04] XXX: sequence4: Stage 2
    [2016-01-19 21:04] XXX: sequence1: Stage 3
    [2016-01-19 21:04] XXX: sequence2: Stage 3
    [2016-01-19 21:04] XXX: sequence3: Stage 3
    [2016-01-19 21:04] XXX: sequence4: Stage 3
    [2016-01-19 21:04] XXX: sequence2: Stage 4
    [2016-01-19 21:04] XXX: sequence2: OPEN SESAME
    [2016-01-19 21:04] sequence2: running command: date

    [2016-01-19 21:04] XXX: sequence1: Stage 1
    [2016-01-19 21:04] XXX: sequence2: Stage 1
    [2016-01-19 21:04] XXX: sequence3: Stage 1
    [2016-01-19 21:04] XXX: sequence4: Stage 1
    [2016-01-19 21:04] XXX: sequence1: Stage 2
    [2016-01-19 21:04] XXX: sequence2: Stage 2
    [2016-01-19 21:04] XXX: sequence3: Stage 2
    [2016-01-19 21:04] XXX: sequence4: Stage 2
    [2016-01-19 21:04] XXX: sequence1: Stage 3
    [2016-01-19 21:04] XXX: sequence2: Stage 3
    [2016-01-19 21:04] XXX: sequence3: Stage 3
    [2016-01-19 21:04] XXX: sequence4: Stage 3
    [2016-01-19 21:04] XXX: sequence3: Stage 4
    [2016-01-19 21:04] XXX: sequence3: OPEN SESAME
    [2016-01-19 21:04] sequence3: running command: date

    [2016-01-19 21:04] XXX: sequence1: Stage 1
    [2016-01-19 21:04] XXX: sequence2: Stage 1
    [2016-01-19 21:04] XXX: sequence3: Stage 1
    [2016-01-19 21:04] XXX: sequence4: Stage 1
    [2016-01-19 21:04] XXX: sequence1: Stage 2
    [2016-01-19 21:04] XXX: sequence2: Stage 2
    [2016-01-19 21:04] XXX: sequence3: Stage 2
    [2016-01-19 21:04] XXX: sequence4: Stage 2
    [2016-01-19 21:04] XXX: sequence1: Stage 3
    [2016-01-19 21:04] XXX: sequence2: Stage 3
    [2016-01-19 21:04] XXX: sequence3: Stage 3
    [2016-01-19 21:04] XXX: sequence4: Stage 3
    [2016-01-19 21:04] XXX: sequence4: Stage 4
    [2016-01-19 21:04] XXX: sequence4: OPEN SESAME
    [2016-01-19 21:04] sequence4: running command: date

airwoflgh commented 8 years ago

Hi Judd,

Can we close this one out now please?

P.