ntop / nDPI

Open Source Deep Packet Inspection Software Toolkit
http://www.ntop.org
GNU Lesser General Public License v3.0

nDPI fails to recognize SSH in ICMP #719

Closed vpiserchia closed 7 months ago

vpiserchia commented 5 years ago

Provided the great work you're doing, thanks for sharing with the community.

During test runs, we've found a detection mismatch with the online available pcap:

```
ndpiReader -i c37c0d3084675ed9b9d63a4e5e50e8da.pcap

Using nDPI (2.9.0) [1 thread(s)]
Reading packets from pcap file /bcache0/icmp_tunneling/c37c0d3084675ed9b9d63a4e5e50e8da.pcap...
Running thread 0...

nDPI Memory statistics:
        nDPI Memory (once):      203.62 KB
        Flow Memory (per flow):  2.08 KB
        Actual Memory:           2.74 MB
        Peak Memory:             2.74 MB
        Setup Time:              1367 msec
        Packet Processing Time:  1 msec

Traffic statistics:
        Ethernet bytes:        211522        (includes ethernet CRC/IFC/trailer)
        Discarded bytes:       4998
        IP packets:            863 of 961 packets total
        IP bytes:              190810        (avg pkt size 198 bytes)
        Unique flows:          1
        TCP Packets:           0
        UDP Packets:           0
        VLAN Packets:          0
        MPLS Packets:          0
        PPPoE Packets:         0
        Fragmented Packets:    0
        Max Packet size:       1041
        Packet Len < 64:       100
        Packet Len 64-128:     158
        Packet Len 128-256:    533
        Packet Len 256-1024:   11
        Packet Len 1024-1500:  61
        Packet Len > 1500:     0
        nDPI throughput:       665.38 K pps / 1.22 Gb/sec
        Analysis begin:        07/Feb/2013 10:04:26
        Analysis end:          07/Feb/2013 10:23:08
        Traffic throughput:    0.77 pps / 1.47 Kb/sec
        Traffic duration:      1122.515 sec
        Guessed flow protos:   0

Detected protocols:
        ICMP                 packets: 863           bytes: 190810        flows: 1

Protocol statistics:
        Acceptable                   190810 bytes
```

The same pcap generates alerts in suricata with ET Open rulesets installed (signature_id 2024366):

```json
{
  "timestamp": "2013-02-07T10:04:59.185132+0100",
  "flow_id": 1308440011604546,
  "pcap_cnt": 46,
  "event_type": "alert",
  "flow_direction": "to_server",
  "src_ip": "192.168.154.131",
  "dest_ip": "192.168.154.132",
  "proto": "ICMP",
  "icmp_type": 8,
  "icmp_code": 0,
  "community_id": "1:qq1OKSBwmaKdzDF45PeFma9fFgQ=",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2024366,
    "rev": 1,
    "signature": "ET TROJAN OpenSSH in ICMP Payload - Possible Covert Channel",
    "category": "A Network Trojan was detected",
    "severity": 1,
    "metadata": {
      "updated_at": ["2017_06_08"],
      "performance_impact": ["Moderate"],
      "created_at": ["2017_06_08"],
      "signature_severity": ["Major"],
      "deployment": ["Perimeter"],
      "attack_target": ["Client_Endpoint"],
      "affected_product": ["Any"],
      "former_category": ["TROJAN"]
    }
  },
  "flow": {
    "pkts_toserver": 29,
    "pkts_toclient": 13,
    "bytes_toserver": 4315,
    "bytes_toclient": 1571,
    "bytes": 5886,
    "packets": 42,
    "start": "2013-02-07T10:04:26.459330+0100"
  },
  "payload": "RQADTDlsQABABud\/Cl8BAQpfAQLIiwAWMX1Tyg4bv8uAGAHJrBAAAAEBCAoAbWrrAG2GQwAAAxQIFB7hM0xB3BDCj8vCcknXcjwAAAB+ZGlmZmllLWhlbGxtYW4tZ3JvdXAtZXhjaGFuZ2Utc2hhMjU2LGRpZmZpZS1oZWxsbWFuLWdyb3VwLWV4Y2hhbmdlLXNoYTEsZGlmZmllLWhlbGxtYW4tZ3JvdXAxNC1zaGExLGRpZmZpZS1oZWxsbWFuLWdyb3VwMS1zaGExAAAAD3NzaC1yc2Esc3NoLWRzcwAAAJ1hZXMxMjgtY3RyLGFlczE5Mi1jdHIsYWVzMjU2LWN0cixhcmNmb3VyMjU2LGFyY2ZvdXIxMjgsYWVzMTI4LWNiYywzZGVzLWNiYyxibG93ZmlzaC1jYmMsY2FzdDEyOC1jYmMsYWVzMTkyLWNiYyxhZXMyNTYtY2JjLGFyY2ZvdXIscmlqbmRhZWwtY2JjQGx5c2F0b3IubGl1LnNlAAAAnWFlczEyOC1jdHIsYWVzMTkyLWN0cixhZXMyNTYtY3RyLGFyY2ZvdXIyNTYsYXJjZm91cjEyOCxhZXMxMjgtY2JjLDNkZXMtY2JjLGJsb3dmaXNoLWNiYyxjYXN0MTI4LWNiYyxhZXMxOTItY2JjLGFlczI1Ni1jYmMsYXJjZm91cixyaWpuZGFlbC1jYmNAbHlzYXRvci5saXUuc2UAAABpaG1hYy1tZDUsaG1hYy1zaGExLHVtYWMtNjRAb3BlbnNzaC5jb20saG1hYy1yaXBlbWQxNjAsaG1hYy1yaXBlbWQxNjBAb3BlbnNzaC5jb20saG1hYy1zaGExLTk2LGhtYWMtbWQ1LTk2AAAAaWhtYWMtbWQ1LGhtYWMtc2hhMSx1bWFjLTY0QG9wZW5zc2guY29tLGhtYWMtcmlwZW1kMTYwLGhtYWMtcmlwZW1kMTYwQG9wZW5zc2guY29tLGhtYWMtc2hhMS05NixobWFjLW1kNS05NgAAABpub25lLHpsaWJAb3BlbnNzaC5jb20semxpYgAAABpub25lLHpsaWJAb3BlbnNzaC5jb20semxpYgAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",
  "payload_printable": "E..L9l@.@...\n_..\n_......1}S................\n.mj..m.C........3LA......rI.r<...~diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1....ssh-rsa,ssh-dss....aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se....aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se...ihmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96...ihmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96....none,zlib@openssh.com,zlib....none,zlib@openssh.com,zlib.....................",
  "stream": 0,
  "packet": "AAwpy+OCAAwpzwzBCABFAANoAABAAEABgTzAqJqDwKiahAgAAAD+\/wAARQADTDlsQABABud…",
  "packet_info": {"linktype": 1}
}
```

Is there any option to get this match right? Or can you share your thoughts about possible ways to handle this case?

lucaderi commented 4 years ago

Please paste a pcap file I can use for testing

vpiserchia commented 4 years ago

source: https://packettotal.com/app/analysis?id=c37c0d3084675ed9b9d63a4e5e50e8da&name=signature_alerts c37c0d3084675ed9b9d63a4e5e50e8da.pcap.zip

vpiserchia commented 4 years ago

Hi all, any news about this?

utoni commented 2 years ago

This issue can be solved either via a risk or a protocol detection (or both).

utoni commented 2 years ago

Hi @vpiserchia. Can you please verify if the detection works? Check for the NDPI_MALFORMED_PACKET risk. Do you also know which tunnel software was used?
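As an added example of the content-based detection utoni describes (my own code, not nDPI's and not from anyone in this thread): the checker parses the outer IPv4/ICMP echo packet, then tries to parse the echo payload as an inner IPv4/TCP packet and looks for an SSH version banner or a KEXINIT binary packet, which is what the Suricata alert above matched on. The sample packets are constructed; the outer addresses are taken from the alert, while the inner 10.95.1.x hosts and client port 51339 are assumed values.

```python
import struct

def parse_ipv4(buf):
    """Return (proto, src, dst, payload) for an IPv4 packet, or None if it does not parse."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl, total = (buf[0] & 0x0F) * 4, struct.unpack("!H", buf[2:4])[0]
    if ihl < 20 or total < ihl or len(buf) < total:
        return None
    dotted = lambda b: ".".join(str(x) for x in b)
    return buf[9], dotted(buf[12:16]), dotted(buf[16:20]), buf[ihl:total]

def ssh_marker(data):
    """Classify a TCP payload as an SSH version banner, a KEXINIT binary packet (msg id 20), or None."""
    if data.startswith(b"SSH-"):
        return "banner"
    # SSH binary packet: uint32 packet_length, byte padding_length, byte msg id, 16-byte cookie,
    # then the kex_algorithms name-list (uint32 length + comma-separated ASCII names)
    if len(data) >= 26 and data[5] == 20:
        n = struct.unpack("!I", data[22:26])[0]
        names = data[26:26 + n]
        if n and len(names) == n and all(32 <= c < 127 for c in names):
            return "kexinit"
    return None

def ssh_in_icmp(pkt):
    """Return a finding if an IPv4/ICMP echo packet wraps an inner TCP/22 or SSH segment, else None."""
    outer = parse_ipv4(pkt)
    if outer is None or outer[0] != 1 or len(outer[3]) < 8 or outer[3][0] not in (0, 8):
        return None                                  # not an ICMP echo request/reply
    inner = parse_ipv4(outer[3][8:])                 # skip ICMP type/code/checksum/id/seq
    if inner is None or inner[0] != 6 or len(inner[3]) < 20:
        return None                                  # echo payload is not an IPv4/TCP packet
    sport, dport = struct.unpack("!HH", inner[3][:4])
    marker = ssh_marker(inner[3][(inner[3][12] >> 4) * 4:])
    if marker is None and 22 not in (sport, dport):
        return None
    return {"outer": (outer[1], outer[2]), "inner": (inner[1], inner[2], sport, dport),
            "evidence": marker or "port-22-only"}

def ip_hdr(proto, src, dst, plen):  # constructed IPv4 header; checksum left zero (sample input only)
    tobytes = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + plen, 0x396C, 0x4000, 64, proto, 0,
                       tobytes(src), tobytes(dst))

def build_sample(ssh_data=b"SSH-2.0-OpenSSH_5.3\r\n", dport=22):
    """Constructed echo request 192.168.154.131 -> .132 wrapping TCP 10.95.1.1:51339 -> 10.95.1.2:dport."""
    tcp = struct.pack("!HHIIBBHHH", 51339, dport, 1, 1, 5 << 4, 0x18, 0x1C9, 0, 0) + ssh_data
    inner = ip_hdr(6, "10.95.1.1", "10.95.1.2", len(tcp)) + tcp
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + inner
    return ip_hdr(1, "192.168.154.131", "192.168.154.132", len(icmp)) + icmp
```

Running `ssh_in_icmp(build_sample())` reports the banner case; a plain echo request whose payload is not an encapsulated IPv4/TCP packet, or one whose inner segment is neither port 22 nor SSH-looking, returns None.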

vpiserchia commented 7 months ago

@utoni I'm sorry, but this is a PCAP downloaded from packettotal; I have no idea how it was created. Anyhow, I think this can be closed, as this is reported with a risk associated.