This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP Stealth Scan Display Filter

0

I am trying to come up with a display filter to help detect TCP Stealth Scans (or "Half-Open" scans).

Since those are usually characterized by three packets: SYN - SYN/ACK - RST

I'm trying the filter:

tcp.stream && (tcp.flags.syn == 1 || tcp.flags.reset == 1)

It seems to be working somewhat - but I'm not sure if that is the correct use of the tcp.stream primitive. Is there a better way to identify patterns across multiple packets?

My Thanks...

asked 03 Apr '11, 08:57


kpalmgren
1446
accept rate: 0%


2 Answers:

0

This will not work; Wireshark display filters work on a per-packet basis. You might be able to achieve what you want with Lua or MATE, which can both be used to "keep state" and filter on the result.

The field tcp.stream is just an index to an individual TCP session (stream) and will always be true for TCP packets.

You might be able to get what you want by looking more closely at the RST packets and using the (relative) sequence and acknowledgment numbers. Also, the tcp.flags.ack field might be important in distinguishing the different causes for a TCP RST.

answered 03 Apr '11, 09:06


SYN-bit ♦♦
17.1k957245
accept rate: 20%

edited 03 Apr '11, 09:09

Hmmm... Ok. I was not aware exactly how tcp.stream worked.

On further testing using tcp.flags.reset == 1 || tcp.flags.ack == 1 without the tcp.stream seems to give me identical results.

Not exactly what I was looking for - but it certainly narrows the search.

My Thanx!

(03 Apr '11, 10:28) kpalmgren

(I converted your "answer" to a "comment", as this is how the Q&A site works best, see the FAQ)

Actually, I did not mean you to use the filter "tcp.flags.reset==1 || tcp.flags.ack==1", as that will also give you all the proper TCP communications. What I meant was to look for a pattern in the ACK flag, the SEQ field and the ACK field of the TCP RST packets to find a pattern that matches all TCP RST packets due to the stealth scan.

(03 Apr '11, 13:41) SYN-bit ♦♦

I just tested it, and when I spoof a SYN, the SYN/ACK to the spoofed IP causes this system to send a RST with the ACK flag not set and the SEQ = 1. A TCP SYN to a closed port causes the ACK flag to be set in the resulting TCP RST, and a TCP RST in the middle of a session should have a valid SEQ field according to the TCP RFC (i.e. the relative sequence number should not be one). This means a filter like:

"tcp.flags.reset==1 && tcp.flags.ack==0 && tcp.seq==1"

(OK, this filter can have false positives, but I think you will get quite a good result with it to start with)

(03 Apr '11, 13:46) SYN-bit ♦♦

0

Thanks to a friend of mine, I can provide a follow-up to this post. If you create the MATE script below, then go to Edit | Preferences -> expand Protocols and type Mate to get to the MATE configuration screen. Enter the absolute path to your MATE script file.

Then with that in place, you can use this filter to see TCP conversations consisting of exactly 3 packets (a signature of a TCP stealth scan):

mate.tcp_conversations.NumOfPdus == 3

To see TCP conversations of 4 packets (indicator of a full-open port scan) use

mate.tcp_conversations.NumOfPdus == 4

==== snip - MATE script below ===

Pdu tcp_pdu Proto tcp Transport ip {
    Extract addr From ip.addr;
    Extract port From tcp.port;
    Extract tcp_seq From tcp.seq;
    Extract tcp_start From tcp.flags.syn;
    Extract tcp_stop From tcp.flags.fin;
    Extract tcp_stop From tcp.flags.reset;
};

Gop tcp_conversations On tcp_pdu Match (addr, addr, port, port) { Start (tcp_start = 1); Stop (tcp_stop = 1); };

Done;

answered 07 Sep '13, 12:21


kpalmgren
1446
accept rate: 0%

edited 08 Sep '13, 07:26


grahamb ♦
19.8k330206

Thank you for the edit grahamb - I could not for the life of me figure out how to keep the formatting on that script. I’m sure that is a big help to all.

(08 Sep '13, 15:56) kpalmgren

@kpalmgren - select the chunk of text to be formatted as code, then use the “code” button (the one with binary on it) on the edit box toolbar.

(09 Sep '13, 02:29) grahamb ♦