NNM Can Match "Previous" Packets
NNM allows matching on patterns in the current packet as well as patterns in the previous packet in the current session. This plugin shows how we can make use of this feature to determine if a Unix password file is sent by a web server:
name=Password file obtained by HTTP (GET)
description=It seems that a Unix password file was sent by the remote web server when the following request was made :\n%P\nWe saw : \n%L
Here we see match patterns for a root entry in a Unix password file. We also see pmatch patterns that match against a packet that makes an HTTP GET request to a web server. The match patterns apply to the current packet in a session, and the pmatch patterns apply to the packet that was captured immediately before it in the same session. To explain this visually, we are looking for occurrences of the following:
1) client -------------------------> server:port 80   GET / HTTP/1.*
2) client <------------------------- server:port 80   Contents of password file
Our match pattern would focus on the contents of packet 2), and our pmatch pattern would focus on the payload contents of packet 1).
NNM Can Match Binary Data
NNM also allows matching against binary patterns. Here is an example plugin that makes use of binary pattern matching to detect the use of the well-known community string "public" in SNMPv1 response packets (the "#" is used to denote a comment):
# SNMPv1 response
# Matches on the following:
# 0x30 - ASN.1 header
# 0x02 0x01 0x00 - (integer) (byte length) (SNMP version - 1)
# 0x04 0x06 public - (string) (byte length) (community string - "public")
# 0xa2 - message type - RESPONSE
# 0x02 0x01 0x00 - (integer) (byte length) (error status - 0)
# 0x02 0x01 0x00 - (integer) (byte length) (error index - 0)
name=SNMP public community string
description=The remote host is running an SNMPv1 server that uses a well-known community string - public
Binary match patterns take the following form:
A binary match starts at the <off>'th byte offset of the packet, or at the last <offset> bytes of the packet, depending on whether > (from the start) or < (from the end) is used. <hex> is the hex string we look for.
This matches any packet whose last four bytes are set to 0xFFFFFFFF.
This matches any packet that contains the string “AAAA” (0x41414141 in hex) starting at its fourth byte.
This matches any packet that contains the hex string above.
NNM plugins can also be negated. Here are two examples:
In each of these cases, the plugin does not match if the patterns contained in these "not" statements are present. For example, in the first pmatch statement, if the pattern named "pattern" is present, then the plugin does not match. In the second statement, the binary pattern "AAA" (the letter "A" in ASCII is 0x41 in hex) only matches if it is not present as the first three bytes of the packet.
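To make the two matching ideas on this page concrete (the previous-packet match of the password-file plugin and the offset-based binary match of the SNMP plugin), here is an added Python re-implementation of those semantics. It is example code, not NNM's engine or plugin syntax; the function names, the zero-based offset convention, and the sample packets are all assumptions constructed for illustration.

```python
import re
import binascii

def bmatch(packet: bytes, hexpat: str, offset: int = 0, from_end: bool = False) -> bool:
    """Binary match as the text describes it (assumed zero-based offsets):
    from the start, the pattern must sit at byte <offset>; from the end,
    it must finish <offset> bytes before the packet's last byte (0 = tail)."""
    needle = binascii.unhexlify(hexpat.replace(" ", ""))
    if from_end:
        end = len(packet) - offset
        start = end - len(needle)
    else:
        start, end = offset, offset + len(needle)
    return start >= 0 and packet[start:end] == needle

def session_match(packets, pmatch_re: str, match_re: str) -> bool:
    """Fire when the current packet matches match_re AND the packet captured
    immediately before it in the same session matches pmatch_re."""
    prev_ok, cur_ok = re.compile(pmatch_re), re.compile(match_re)
    for prev, cur in zip(packets, packets[1:]):
        if prev_ok.search(prev) and cur_ok.search(cur):
            return True
    return False

# Constructed sample HTTP session (not a real capture): request, then response.
HTTP_SESSION = [
    "GET /etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n",   # 1) client -> server
    "HTTP/1.1 200 OK\r\n\r\nroot:x:0:0:root:/root:/bin/bash\n",  # 2) server -> client
]

# Constructed SNMPv1 GetResponse packets: 0x30 len, version 0, community, 0xa2 PDU.
SNMP_PUBLIC = bytes.fromhex("3018 020100 0406 7075626c6963 a20b 020101 020100 020100 3000")
SNMP_PRIVATE = bytes.fromhex("3019 020100 0407 70726976617465 a20b 020101 020100 020100 3000")
# The byte sequence from the plugin's comment block, found at offset 2 (after 0x30 and its length byte).
SNMP_PUBLIC_PAT = "020100 0406 7075626c6963 a2"

def demo():
    """Run the page's cases and return which ones fire."""
    return {
        "passwd_over_http": session_match(HTTP_SESSION, r"GET /\S* HTTP/1\.", r"root:[^:]*:0:0:"),
        "snmp_public": bmatch(SNMP_PUBLIC, SNMP_PUBLIC_PAT, offset=2),
        "snmp_private": bmatch(SNMP_PRIVATE, SNMP_PUBLIC_PAT, offset=2),
        "tail_ffffffff": bmatch(b"\x00\x01\xff\xff\xff\xff", "ffffffff", from_end=True),
        "aaaa_at_4": bmatch(b"XXXXAAAAYY", "41414141", offset=4),
    }
```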