SlideShare una empresa de Scribd logo

SnortUsersWebcast-Rules_pt2

Liễu Hồng
Liễu Hồng

SnortUsersWebcast-Rules_pt2

Tecnología
1 de 38
Descargar para leer sin conexión
Performance Rules Creation Part 2: Rules Options and Techniques
What madness today? Learn by reviewing actual VRT published rules Highlight potential issues with certain rule options Break down some common rule constructs • Buffer overflow detection • Protocol decoding Abuse a VRT team member with the “replace” functionality 2
What is a DQOH? Matthew Olney (irc nick: dqoh) VRT Security Analyst for 2 years Primary Responsibilities: • Snort rules generation • QA for SEU and VRT rules feed • Agent of Karma Past life: • Network and Security Engineer • Cisco • Snort • Open source security products 3
VRT Rule Examples
Strap In, the Bus is Leaving This topic could be a multi-day course (and, in some cases it is) So I’m assuming: • You’ve seen rules and know generally how they are laid out • You can reference the Snort Users Manual for general rules question (I’ll cite sections as appropriate) And I’m providing: • Non-obvious information on rules options • Usage cases from real snort rules • Information on rules options as they occur Don’t Panic 5
Example 1: Content based buffer overflow checks alert tcp $EXTERNAL_NET any -> $HOME_NET 4000 (msg:"EXPLOIT Alt-N SecurityGateway username buffer overflow attempt"; flow:established, to_server; content:"username="; nocase; isdataat:450,relative; content:!"&"; within:450; content:!"|0A|"; within:450; metadata:policy balancedips drop, policy connectivity-ips drop, policy securityips drop; reference:url,secunia.com/advisories/30497/; classtype:attempted-admin; sid:13916; rev:2;) 6
Bus Stop: Content Option Content can be modified as non-relative: • Content:”A”; depth: 3; offset: 2; • Move 2 bytes into the payload and look for “A” within the next 3 bytes. Content can be modified as relative: • Relative matches are made from the DOE pointer (Usually the end of the previous match) • Content:”A”; Content: “B”; distance: 4; within: 5; • Find “A”. Then move 4 bytes from the end of “A” and find “B” within the next 5 bytes. Content can be negative (that is alert if this isn’t seen): • Content:!”A”; depth: 3; offset: 2; Content can be made case insensitive using the nocase; modifier. Check out sections 3.5.1 – 3.5.7 in the Snort Users Manual for more information. 7
Bus Stop: DOE & relative content example Relative contents use the DOE pointer • Content:”ABC”; • Places DOE after C • Content: “X”; distance: 2; within: 5; • Moves the pointer 2 bytes (First black arrow) • Looks at the next 5 bytes for an “X” (Orange arrow) • Places the DOE pointer after the X (red arrow) After first content match A B C X Second content match X 00 03 X Y Final DOE location 8 Z
Example 1: Buffer Overflow Detection (sid: 13916) (flow:established, to_server; content:"username="; nocase; isdataat:450,relative; content:!"&"; within:450; content:!"|0A|"; within:450;) flow: established, to_server; • Used to reduce false positives and improve performance. • Flow is fairly straight forward, but check out Section 3.6.9 for full details content:”username=“; • Has the “nocase” modification to allow for any type of match • pattern can be anywhere in the payload. This pattern match will be the anchor for the rest of our detection 9
Example 1: Isdataat usage… (flow:established, to_server; content:"username="; nocase; isdataat:450,relative; content:!"&"; within:450; content:!"|0A|"; within:450;) For content:!””; checks involving buffer overflows, we need to make sure the data is there to be checked. • Negative content matches look for the absence of data, so even if • • we run out of data, we still are successful isdataat: verifies that there is data within the specified distance. The check can be relative or non-relative Format is: isdataat:<int>[,relative]; • Check out section 3.5.12 for more information on isdataat: isdataat: 450, relative; • The anchor (username=) is not at a fixed location, so we must make the size check relative to this match • Relative keywords makes the 450 byte check from the DOE. 10 10
Example 1, continued (flow:established, to_server; content:"username="; nocase; isdataat:450,relative; content:!"&"; within:450; content:!"|0A|"; within:450;) We have now verified that: • The traffic is directed to a server, and the TCP session is established • The string “username=“ is in the payload • That there is sufficient space for the attack to be delivered For this protocol on this server, there are two terminating characters, “&” and line feed (LF) x0A. We need to check that neither occur within the next 450 bytes: • content:!"&"; within:450; • content:!"|0A|"; within:450; If we, from the anchor point (username=), have 450 bytes available, and we don’t reach any terminating characters, then we will alert 11 11
Bus Stop: dsize dsize tests the payload size • format: dsize: [<>] <number> [<><number]; • dsize: 300<>400 You might be tempted to use dsize, rather than isdataat as a size test for buffer overflows. (Spoiler: Don’t do this) • dsize automatically bails on any packet that is part of a reassembled stream. • This leads to a false-negative situation for certain buffer overflow attacks delivered over more than one packet. • Dsize does not handle relative checks dsize is designed to test abnormally sized packets, and isdataat should be used for all other purposes. 12 12
Example 2: PCRE buffer overflow checks alert tcp $EXTERNAL_NET any -> $HOME_NET 13782 (msg:"EXPLOIT Symantec NetBackup connect_options buffer overflow attempt"; flow:established,to_server; content:"CONNECT_OPTIONS="; nocase; isdataat:900,relative; pcre:"/CONNECT_OPTIONSx3D[^x20x0Ax0Dx00]{ 900}/smi"; reference:bugtraq,21565; reference:cve,2006-6822; classtype:attempted-admin; sid:9813; rev:2;) 13 13
Example 2: Buffer Overflow Detection (sid: 9813) (flow:established,to_server; content:"CONNECT_OPTIONS="; nocase; isdataat:900,relative; pcre:"/CONNECT_OPTIONSx3D[^x20x0Ax0Dx00]{900}/smi";) content:”CONNECT_OPTIONS=“; nocase; • nocase argument indicates that the pattern can be matched in any combination of either lower or upper case characters. isdatat:900,relative; • Again, staring at the DOE, verify that there are 900 bytes available for detection • Note, this is not required for PCRE as it is for negative content checks. • • Content:!”A”; within: 40; checks for the absence of an A in 40 bytes, or end of packet. pcre:”/[^A]{40}/”; looks for 40 consecutive characters that are not “A”. • This check provides for speed, in the case where there is not sufficient payload left for the buffer overflow attack to happen, we bail on this check, rather than calling PCRE for no reason. • Always find ways to bail before running a PCRE Now, about that PCRE (remember, don’t panic…) 14 14
Example 2, continued pcre:"/CONNECT_OPTIONSx3D[^x20x0Ax0Dx00]{900}/smi";) This is actually a fairly straight forward example of pcre: The format is pcre:”/REGEX/modifiers”; The x statement means you are providing a hexadecimal number to check • • • • • x3d is the ascii code for “=“ x20 is the ascii code for space x0a is the ascii code for line feed x0d is the ascii code for carriage return x00 is the null byte The [^x20x0Ax0dx00] is a character class declaration, and the ‘^’ means not. That is, PCRE is instructed to match on characters that are not in this class. The {900} means do this match 900 times, so find 900 characters that are not in the character class. 15 15
Example 2, final notes /smi • i = case insensitive search • s = include newlines in the dot (.) metacharacter • m = metacharacters ^ and $ can match before and after a newline, as well as the beginning and the end of the buffer • Check 3.5.13 for more modifiers PCRE can do some powerful things • And computationally expensive • And easy to mess up • Make sure you run it only when you have to • Test your pcre (pcretest) and optimize. • Then do it again. 16 16
Example 3: Buffer overflow detection with byte_test alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"|00 01 87 99|"; depth:4; offset:16; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy balanced-ips drop, policy security-ips drop, service sunrpc; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:569; rev:18;) 17 17
Example 3: Content and the fast pattern matcher flow:to_server,established; content:"|00 01 87 99|"; depth:4; offset:16; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; Three four-byte patterns are in this rule. • The rule writer chose a specific sequence to speed up detection. content:"|00 01 87 99|"; depth:4; offset:16; • Absolute 4 byte match, placed at beginning for more unique “longest, first match” content:"|00 00 01 01|"; within:4; distance:4; • Relative to the previous match. Note that this could also have been depth: 4; offset: 24; instead. • Will act as the anchor for our other detection content:"|00 00 00 00|"; depth:4; offset:8; • Will be the final validation that our packet is an attack. 18 18
Bus Stop: byte_jump Usage: • byte_jump: <bytes_to_convert>, <offset> [,relative] [,multiplier <multiplier value>] [,big] [,little][,string][,hex] [,dec] [,oct] [,align] [,from_beginning]; • Check out 3.5.15 for details. By way of example: • Content:”ABC”; • Places DOE after C • Byte_Jump: 2, 2, relative; • Moves the pointer 2 bytes (First black arrow) • Reads two bytes • Jumps from the end of the read (Second black arrow) After Content A 19 19 B C X relative byte jump X 00 03 Final DOE Location X Y Z
Example 3: Protocol parsing with byte_jump byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; Byte jump is often used to parse length encoded data. Here we have two dynamically sized data fields we need to jump over to find the data we need (the same byte_jump structure is used for both data blocks): • 4 bytes are read starting 4 bytes from the DOE. • This protocol requires that data be stored on 4-byte boundaries. The • • ‘align’ keyword tells snort to round jumps as necessary to handle this. The DOE is then moved the calculated number of bytes This process is repeated to jump over the second dynamically sized data field. By decoding the protocol we are now 20 bytes from a 4 byte size field that declares how large the target field is. 20 20
Bus Stop: byte_test Usage: • byte_test: <bytes to convert>, [!]<operator>, <value>, <offset> [,relative] [,<endian>] [,<number type>, string]; • Section 3.5.14 details the byte_test option. By way of example: • Content:”ABC”; • Places DOE after C • Byte_test: 2, <, 4, 2, relative; • • • • Moves the pointer 2 bytes (First black arrow) Reads two bytes If the byte read is less than four, then the check is passed. Note: The DOE does not move. After Content A 21 21 B C X byte_test read X 00 03 X Y Z
Example 3: Detecting the overflow byte_test:4,>,1024,20,relative; Using anchored content matches and a sequence of byte_jumps, we now know we are 20 bytes from the target size field. Our research shows that if that field is greater than 1024, then the provided data will overflow a buffer in memory. We use the above byte test to make the check: • Read 4 bytes as a number, starting 20 bytes from the DOE • If that number is greater than 1024, an attack most likely is underway 22 22
Example 4: Kaminsky DNS Bug detection alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS large number of NXDOMAIN replies possible DNS cache poisoning"; byte_test:1,&,2,3; byte_test:1,&,1,3; byte_test:1,&,128,2; threshold:type threshold, track by_src, count 200, seconds 30; metadata:policy balanced-ips alert, policy security-ips alert, service dns; reference:cve,2008-1447; reference:url,www.kb.cert.org/vuls/id/800113; classtype:misc-attack; sid:13948; rev:2;) 23 23
Example 4: Detection notes for the Kaminsky Bug A fairly in-depth technical review of both the bug itself and the detection methodology is available on the vrt white papers page: • http://www.snort.org/vrt/docs/white_papers/ In short, the detection looks for ‘backscatter’ • Backscatter is the legitimate traffic that is formed in • 24 24 response to attack traffic The attack floods a server with random requests, and the legitimate servers will send a flood of NXDOMAIN (i.e. I have no idea what you’re talking about…) responses.
Example 4: Kaminsky Bug (sid: 13948) byte_test:1,&,2,3; byte_test:1,&,1,3; byte_test:1,&,128,2; threshold:type threshold, track by_src, count 200, seconds 30; byte_test:1,&,2,3; • byte_test: <bytes to convert>, [!]<operator>, <value>, <offset> [,relative] [,<endian>] [,<number type>, string]; 25 25
Example 4: Why 3 separate byte_tests? Byte_test: 1, &, 3, 3; • On any byte_test, a non-zero response is a success, so all three cases below will pass the byte test, even though only the case with both flags set is correct Both flags set First flag set Second flag set Packet Value 00000011 00000001 00000010 Byte_test Value 00000011 00000011 00000011 Result 00000011 00000001 00000010 The proper approach is to check both values: • byte_test: 1, &, 2, 3; • byte_test: 1, &, 1, 3; The final byte_test ensures the packet is a response: • byte_test:1,&,128,2; 26 26
Example 4: Thresholding threshold:type threshold, track by_src, count 200, seconds 30; Thresholding is commonly used while tuning the IDS. Thresholding is discussed in section 3.8 of the Snort Users Manual • First packet starts the window • Each additional packet checks for expiration and increments the counter The thresholding is actually a critical part of the detection methodology: • The actual attack would generate a huge volume of legitimate NXDOMAIN responses. In this case, we are looking for 200 NXDOMAIN responses within a 30 second window. 27 27
Example 4: Thresholding threshold:type threshold, track by_src, count 200, seconds 30; In this case, we are looking for 200 NXDOMAIN responses within a 30 second window. The thresholding is actually a critical part of the detection methodology: • The actual attack would generate a huge volume of legitimate NXDOMAIN responses. Thresholding is discussed in section 3.8 of the Snort Users Manual • First packet starts the window • Each additional packet checks for expiration and increments the counter 28 28
Example 5: Let’s mess with Alex This is Alex! Alex is one of the rule writers here in the VRT Alex spends some of his free time as a webmaster for the Mars Society We love Alex We love to mess with people. 29 29
Example 5: The goal… Targeting only Alex’s computer, let’s replace the banner on the Mars Society website with one of our choosing. 30 30
Example 5: In a javascript file… First we need to figure out how the image is being delivered. So by looking through some packet captures, we came across this gem... We need to replace: • http://www.marssociety.org/port al/logo.jpg • With a file of our choosing... 31 31 #portal-logo { background: url(http://www.marssociety.org/ portal/logo.jpg) no-repeat; border: 0; margin: 0.75em 0em 0.75em 1.5em; padding: 0; }
Example 5: Content/Replace alert tcp $EXTERNAL_NET $HTTP_PORTS -> $ALEXPC any (msg:”WE THINK ITS FUNNY”; flow: established, to _client; content:”http://www.marssociety.org/portal/logo.jpg”; replace:”http://vrt-app-01/imagemakeevenlongerr.jpg”; classtype: successful-dos; sid: 100001;) This rule replaces any instance of the logo.jpg string inbound to Alex’s box with the link to our file (hosted on a local box). • Filename was modified to satisfy the equality of length requirement. • This replace causes Alex’s browser to request the modified banner and then insert it into the presented webpage. Notes on the replace keyword: • Detailed in section 1.5.3 of the Snort Users Manual • The only thing to remember is the replace content must match the length of the content it is replacing. 32 32
Example 5: Well, we thought it was funny… Before 33 33 After
Example 5: Disclaimer All modifications were done to traffic just before it reached Alex’s computer No exploits or attacks were used, only the functionality of the Snort engine We had advanced approval 34 34
Questions? If you have questions in general: • snort-sigs mailing list • snort-users mailing list • #snort on freenode irc • research@sourcefire.com If you have questions or comments on this presentation: • molney@sourcefire.com 35 35
Sourcefire Commercial Products Sourcefire 3D™ System Sourcefire 3D Sensors • Sourcefire IPS™ • Sourcefire RNA™ • Sourcefire RUA™ • Sourcefire NetFlow Analysis Sourcefire Defense Center™ Sourcefire Intrusion Agent for Snort 36 36
For More Information… Sourcefire 3D System Flash Demo “Extending Your Investment in Snort” Technology Brief Available Now on Sourcefire.com 37 37
Questions? Please submit questions via the Q&A interface in the lower-right corner of your screen. 38 38

Recomendados

anti-ddos GNTC based on P4 /BIH
anti-ddos GNTC based on P4 /BIHanti-ddos GNTC based on P4 /BIH
anti-ddos GNTC based on P4 /BIHLeo Chu
 
Seven Grades of Perfect Forward Secrecy
Seven Grades of Perfect Forward SecrecySeven Grades of Perfect Forward Secrecy
Seven Grades of Perfect Forward SecrecyOleg Gryb
 
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly AdviceNSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly AdviceNoSuchCon
 
Backtrack Manual Part3
Backtrack Manual Part3Backtrack Manual Part3
Backtrack Manual Part3Nutan Kumar Panda
 
Socket Programming it-slideshares.blogspot.com
Socket Programming it-slideshares.blogspot.comSocket Programming it-slideshares.blogspot.com
Socket Programming it-slideshares.blogspot.comphanleson
 
How to Leverage Go for Your Networking Needs
How to Leverage Go for Your Networking NeedsHow to Leverage Go for Your Networking Needs
How to Leverage Go for Your Networking NeedsDigitalOcean
 
Grape generative fuzzing
Grape generative fuzzingGrape generative fuzzing
Grape generative fuzzingFFRI, Inc.
 
Hiding in plain sight
Hiding in plain sightHiding in plain sight
Hiding in plain sightRob Gillen
 

Recomendados

anti-ddos GNTC based on P4 /BIH
anti-ddos GNTC based on P4 /BIHanti-ddos GNTC based on P4 /BIH
anti-ddos GNTC based on P4 /BIHLeo Chu
 
Seven Grades of Perfect Forward Secrecy
Seven Grades of Perfect Forward SecrecySeven Grades of Perfect Forward Secrecy
Seven Grades of Perfect Forward SecrecyOleg Gryb
 
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly AdviceNSC #2 - D2 06 - Richard Johnson - SAGEly Advice
NSC #2 - D2 06 - Richard Johnson - SAGEly AdviceNoSuchCon
 
Backtrack Manual Part3
Backtrack Manual Part3Backtrack Manual Part3
Backtrack Manual Part3Nutan Kumar Panda
 
Socket Programming it-slideshares.blogspot.com
Socket Programming it-slideshares.blogspot.comSocket Programming it-slideshares.blogspot.com
Socket Programming it-slideshares.blogspot.comphanleson
 
How to Leverage Go for Your Networking Needs
How to Leverage Go for Your Networking NeedsHow to Leverage Go for Your Networking Needs
How to Leverage Go for Your Networking NeedsDigitalOcean
 
Grape generative fuzzing
Grape generative fuzzingGrape generative fuzzing
Grape generative fuzzingFFRI, Inc.
 
Hiding in plain sight
Hiding in plain sightHiding in plain sight
Hiding in plain sightRob Gillen
 
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David ShawBeginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David ShawRedspin, Inc.
 
Nmap Hacking Guide
Nmap Hacking GuideNmap Hacking Guide
Nmap Hacking GuideAryan G
 
Nmap scripting engine
Nmap scripting engineNmap scripting engine
Nmap scripting enginen|u - The Open Security Community
 
0xdec0de01 crypto CTF solutions
0xdec0de01 crypto CTF solutions0xdec0de01 crypto CTF solutions
0xdec0de01 crypto CTF solutionsVlad Garbuz
 
Hacking cryptography: 0xdec0de01 cryptoCTF solutions and a bit more - Владими...
Hacking cryptography: 0xdec0de01 cryptoCTF solutions and a bit more - Владими...Hacking cryptography: 0xdec0de01 cryptoCTF solutions and a bit more - Владими...
Hacking cryptography: 0xdec0de01 cryptoCTF solutions and a bit more - Владими...HackIT Ukraine
 
Npc08
Npc08Npc08
Npc08vamsitricks
 
Use perl creating web services with xml rpc
Use perl creating web services with xml rpcUse perl creating web services with xml rpc
Use perl creating web services with xml rpcJohnny Pork
 
Basic socket programming
Basic socket programmingBasic socket programming
Basic socket programmingKristian Arjianto
 
Socket programing
Socket programingSocket programing
Socket programingPankil Agrawal
 
08 tcp-dns
08 tcp-dns08 tcp-dns
08 tcp-dnspantu_1961
 
Introduction to Snort Rule Writing
Introduction to Snort Rule WritingIntroduction to Snort Rule Writing
Introduction to Snort Rule WritingCisco DevNet
 
More on Lex
More on LexMore on Lex
More on LexTech_MX
 
CNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis ToolsCNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis ToolsSam Bowne
 
Nmap for Scriptors
Nmap for ScriptorsNmap for Scriptors
Nmap for Scriptorsn|u - The Open Security Community
 
Udp socket programming(Florian)
Udp socket programming(Florian)Udp socket programming(Florian)
Udp socket programming(Florian)Flor Ian
 
Wireshar training
Wireshar trainingWireshar training
Wireshar trainingLuke Luo
 
Socket programming
Socket programmingSocket programming
Socket programmingAnurag Tomar
 
Networking & Socket Programming In Java
Networking & Socket Programming In JavaNetworking & Socket Programming In Java
Networking & Socket Programming In JavaAnkur Agrawal
 
Socket programming in C
Socket programming in CSocket programming in C
Socket programming in CDeepak Swain
 
Extending ns
Extending nsExtending ns
Extending nsyogiinmood
 
Search for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisSearch for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisAndrey Karpov
 
The CppCat Analyzer Checks TortoiseGit
The CppCat Analyzer Checks TortoiseGitThe CppCat Analyzer Checks TortoiseGit
The CppCat Analyzer Checks TortoiseGitAndrey Karpov
 

Más contenido relacionado

La actualidad más candente

Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David ShawBeginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David ShawRedspin, Inc.
 
Nmap Hacking Guide
Nmap Hacking GuideNmap Hacking Guide
Nmap Hacking GuideAryan G
 
0xdec0de01 crypto CTF solutions
0xdec0de01 crypto CTF solutions0xdec0de01 crypto CTF solutions
0xdec0de01 crypto CTF solutionsVlad Garbuz
 
Hacking cryptography: 0xdec0de01 cryptoCTF solutions and a bit more - Владими...
Hacking cryptography: 0xdec0de01 cryptoCTF solutions and a bit more - Владими...Hacking cryptography: 0xdec0de01 cryptoCTF solutions and a bit more - Владими...
Hacking cryptography: 0xdec0de01 cryptoCTF solutions and a bit more - Владими...HackIT Ukraine
 
Use perl creating web services with xml rpc
Use perl creating web services with xml rpcUse perl creating web services with xml rpc
Use perl creating web services with xml rpcJohnny Pork
 
Introduction to Snort Rule Writing
Introduction to Snort Rule WritingIntroduction to Snort Rule Writing
Introduction to Snort Rule WritingCisco DevNet
 
More on Lex
More on LexMore on Lex
More on LexTech_MX
 
CNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis ToolsCNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis ToolsSam Bowne
 
Udp socket programming(Florian)
Udp socket programming(Florian)Udp socket programming(Florian)
Udp socket programming(Florian)Flor Ian
 
Wireshar training
Wireshar trainingWireshar training
Wireshar trainingLuke Luo
 
Socket programming
Socket programmingSocket programming
Socket programmingAnurag Tomar
 
Networking & Socket Programming In Java
Networking & Socket Programming In JavaNetworking & Socket Programming In Java
Networking & Socket Programming In JavaAnkur Agrawal
 
Socket programming in C
Socket programming in CSocket programming in C
Socket programming in CDeepak Swain
 

La actualidad más candente (20)

Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David ShawBeginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw
 
Nmap Hacking Guide
Nmap Hacking GuideNmap Hacking Guide
Nmap Hacking Guide
 
Nmap scripting engine
Nmap scripting engineNmap scripting engine
Nmap scripting engine
 
0xdec0de01 crypto CTF solutions
0xdec0de01 crypto CTF solutions0xdec0de01 crypto CTF solutions
0xdec0de01 crypto CTF solutions
 
Hacking cryptography: 0xdec0de01 cryptoCTF solutions and a bit more - Владими...
Hacking cryptography: 0xdec0de01 cryptoCTF solutions and a bit more - Владими...Hacking cryptography: 0xdec0de01 cryptoCTF solutions and a bit more - Владими...
Hacking cryptography: 0xdec0de01 cryptoCTF solutions and a bit more - Владими...
 
Npc08
Npc08Npc08
Npc08
 
Use perl creating web services with xml rpc
Use perl creating web services with xml rpcUse perl creating web services with xml rpc
Use perl creating web services with xml rpc
 
Basic socket programming
Basic socket programmingBasic socket programming
Basic socket programming
 
Socket programing
Socket programingSocket programing
Socket programing
 
08 tcp-dns
08 tcp-dns08 tcp-dns
08 tcp-dns
 
Introduction to Snort Rule Writing
Introduction to Snort Rule WritingIntroduction to Snort Rule Writing
Introduction to Snort Rule Writing
 
More on Lex
More on LexMore on Lex
More on Lex
 
CNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis ToolsCNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis Tools
 
Nmap for Scriptors
Nmap for ScriptorsNmap for Scriptors
Nmap for Scriptors
 
Udp socket programming(Florian)
Udp socket programming(Florian)Udp socket programming(Florian)
Udp socket programming(Florian)
 
Wireshar training
Wireshar trainingWireshar training
Wireshar training
 
Socket programming
Socket programmingSocket programming
Socket programming
 
Networking & Socket Programming In Java
Networking & Socket Programming In JavaNetworking & Socket Programming In Java
Networking & Socket Programming In Java
 
Socket programming in C
Socket programming in CSocket programming in C
Socket programming in C
 
Extending ns
Extending nsExtending ns
Extending ns
 

Similar a SnortUsersWebcast-Rules_pt2

Search for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisSearch for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisAndrey Karpov
 
The CppCat Analyzer Checks TortoiseGit
The CppCat Analyzer Checks TortoiseGitThe CppCat Analyzer Checks TortoiseGit
The CppCat Analyzer Checks TortoiseGitAndrey Karpov
 
Cryptography_additive_cipher.pptx
Cryptography_additive_cipher.pptxCryptography_additive_cipher.pptx
Cryptography_additive_cipher.pptxShivaprasad787526
 
A Check of the Open-Source Project WinSCP Developed in Embarcadero C++ Builder
A Check of the Open-Source Project WinSCP Developed in Embarcadero C++ BuilderA Check of the Open-Source Project WinSCP Developed in Embarcadero C++ Builder
A Check of the Open-Source Project WinSCP Developed in Embarcadero C++ BuilderAndrey Karpov
 
Static analysis: looking for errors ... and vulnerabilities?
Static analysis: looking for errors ... and vulnerabilities? Static analysis: looking for errors ... and vulnerabilities?
Static analysis: looking for errors ... and vulnerabilities? Andrey Karpov
 
Rechecking Apache HTTP Server
Rechecking Apache HTTP ServerRechecking Apache HTTP Server
Rechecking Apache HTTP ServerPVS-Studio
 
Linux Kernel, tested by the Linux-version of PVS-Studio
Linux Kernel, tested by the Linux-version of PVS-StudioLinux Kernel, tested by the Linux-version of PVS-Studio
Linux Kernel, tested by the Linux-version of PVS-StudioPVS-Studio
 
Open Security Operations Center - OpenSOC
Open Security Operations Center - OpenSOCOpen Security Operations Center - OpenSOC
Open Security Operations Center - OpenSOCSheetal Dolas
 
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!NETWAYS
 
100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects 100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects Andrey Karpov
 
Buffer Overflow Countermeasures, DEP, Security Assessment
Buffer Overflow Countermeasures, DEP, Security AssessmentBuffer Overflow Countermeasures, DEP, Security Assessment
Buffer Overflow Countermeasures, DEP, Security AssessmentAmar Myana
 
Rechecking TortoiseSVN with the PVS-Studio Code Analyzer
Rechecking TortoiseSVN with the PVS-Studio Code AnalyzerRechecking TortoiseSVN with the PVS-Studio Code Analyzer
Rechecking TortoiseSVN with the PVS-Studio Code AnalyzerAndrey Karpov
 
Static Code Analysis and Cppcheck
Static Code Analysis and CppcheckStatic Code Analysis and Cppcheck
Static Code Analysis and CppcheckZachary Blair
 
100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projectsPVS-Studio
 
PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017
PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017
PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017Andrey Karpov
 
Open Source Verification under a Cloud (OpenCert 2010)
Open Source Verification under a Cloud (OpenCert 2010)Open Source Verification under a Cloud (OpenCert 2010)
Open Source Verification under a Cloud (OpenCert 2010)Peter Breuer
 
200 Open Source Projects Later: Source Code Static Analysis Experience
200 Open Source Projects Later: Source Code Static Analysis Experience200 Open Source Projects Later: Source Code Static Analysis Experience
200 Open Source Projects Later: Source Code Static Analysis ExperienceAndrey Karpov
 
Fuzzing: Finding Your Own Bugs and 0days! 2.0
Fuzzing: Finding Your Own Bugs and 0days! 2.0Fuzzing: Finding Your Own Bugs and 0days! 2.0
Fuzzing: Finding Your Own Bugs and 0days! 2.0Rodolpho Concurde
 
¡El mejor lenguaje para automatizar pruebas!
¡El mejor lenguaje para automatizar pruebas!¡El mejor lenguaje para automatizar pruebas!
¡El mejor lenguaje para automatizar pruebas!Antonio Robres Turon
 

Similar a SnortUsersWebcast-Rules_pt2 (20)

Search for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisSearch for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code Analysis
 
The CppCat Analyzer Checks TortoiseGit
The CppCat Analyzer Checks TortoiseGitThe CppCat Analyzer Checks TortoiseGit
The CppCat Analyzer Checks TortoiseGit
 
CodeChecker Overview Nov 2019
CodeChecker Overview Nov 2019CodeChecker Overview Nov 2019
CodeChecker Overview Nov 2019
 
Cryptography_additive_cipher.pptx
Cryptography_additive_cipher.pptxCryptography_additive_cipher.pptx
Cryptography_additive_cipher.pptx
 
A Check of the Open-Source Project WinSCP Developed in Embarcadero C++ Builder
A Check of the Open-Source Project WinSCP Developed in Embarcadero C++ BuilderA Check of the Open-Source Project WinSCP Developed in Embarcadero C++ Builder
A Check of the Open-Source Project WinSCP Developed in Embarcadero C++ Builder
 
Static analysis: looking for errors ... and vulnerabilities?
Static analysis: looking for errors ... and vulnerabilities? Static analysis: looking for errors ... and vulnerabilities?
Static analysis: looking for errors ... and vulnerabilities?
 
Rechecking Apache HTTP Server
Rechecking Apache HTTP ServerRechecking Apache HTTP Server
Rechecking Apache HTTP Server
 
Linux Kernel, tested by the Linux-version of PVS-Studio
Linux Kernel, tested by the Linux-version of PVS-StudioLinux Kernel, tested by the Linux-version of PVS-Studio
Linux Kernel, tested by the Linux-version of PVS-Studio
 
Open Security Operations Center - OpenSOC
Open Security Operations Center - OpenSOCOpen Security Operations Center - OpenSOC
Open Security Operations Center - OpenSOC
 
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
 
100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects 100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects
 
Buffer Overflow Countermeasures, DEP, Security Assessment
Buffer Overflow Countermeasures, DEP, Security AssessmentBuffer Overflow Countermeasures, DEP, Security Assessment
Buffer Overflow Countermeasures, DEP, Security Assessment
 
Rechecking TortoiseSVN with the PVS-Studio Code Analyzer
Rechecking TortoiseSVN with the PVS-Studio Code AnalyzerRechecking TortoiseSVN with the PVS-Studio Code Analyzer
Rechecking TortoiseSVN with the PVS-Studio Code Analyzer
 
Static Code Analysis and Cppcheck
Static Code Analysis and CppcheckStatic Code Analysis and Cppcheck
Static Code Analysis and Cppcheck
 
100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects
 
PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017
PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017
PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017
 
Open Source Verification under a Cloud (OpenCert 2010)
Open Source Verification under a Cloud (OpenCert 2010)Open Source Verification under a Cloud (OpenCert 2010)
Open Source Verification under a Cloud (OpenCert 2010)
 
200 Open Source Projects Later: Source Code Static Analysis Experience
200 Open Source Projects Later: Source Code Static Analysis Experience200 Open Source Projects Later: Source Code Static Analysis Experience
200 Open Source Projects Later: Source Code Static Analysis Experience
 
Fuzzing: Finding Your Own Bugs and 0days! 2.0
Fuzzing: Finding Your Own Bugs and 0days! 2.0Fuzzing: Finding Your Own Bugs and 0days! 2.0
Fuzzing: Finding Your Own Bugs and 0days! 2.0
 
¡El mejor lenguaje para automatizar pruebas!
¡El mejor lenguaje para automatizar pruebas!¡El mejor lenguaje para automatizar pruebas!
¡El mejor lenguaje para automatizar pruebas!
 

Último

(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 

Último (20)

(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 

SnortUsersWebcast-Rules_pt2

  • 1. Performance Rules Creation Part 2: Rules Options and Techniques
  • 2. What madness today? Learn by reviewing actual VRT published rules Highlight potential issues with certain rule options Break down some common rule constructs • Buffer overflow detection • Protocol decoding Abuse a VRT team member with the “replace” functionality 2
  • 3. What is a DQOH? Matthew Olney (irc nick: dqoh) VRT Security Analyst for 2 years Primary Responsibilities: • Snort rules generation • QA for SEU and VRT rules feed • Agent of Karma Past life: • Network and Security Engineer • Cisco • Snort • Open source security products 3
  • 5. Strap In, the Bus is Leaving This topic could be a multi-day course (and, in some cases it is) So I’m assuming: • You’ve seen rules and know generally how they are laid out • You can reference the Snort Users Manual for general rules question (I’ll cite sections as appropriate) And I’m providing: • Non-obvious information on rules options • Usage cases from real snort rules • Information on rules options as they occur Don’t Panic 5
  • 6. Example 1: Content based buffer overflow checks alert tcp $EXTERNAL_NET any -> $HOME_NET 4000 (msg:"EXPLOIT Alt-N SecurityGateway username buffer overflow attempt"; flow:established, to_server; content:"username="; nocase; isdataat:450,relative; content:!"&"; within:450; content:!"|0A|"; within:450; metadata:policy balancedips drop, policy connectivity-ips drop, policy securityips drop; reference:url,secunia.com/advisories/30497/; classtype:attempted-admin; sid:13916; rev:2;) 6
  • 7. Bus Stop: Content Option Content can be modified as non-relative: • Content:”A”; depth: 3; offset: 2; • Move 2 bytes into the payload and look for “A” within the next 3 bytes. Content can be modified as relative: • Relative matches are made from the DOE pointer (Usually the end of the previous match) • Content:”A”; Content: “B”; distance: 4; within: 5; • Find “A”. Then move 4 bytes from the end of “A” and find “B” within the next 5 bytes. Content can be negative (that is alert if this isn’t seen): • Content:!”A”; depth: 3; offset: 2; Content can be made case insensitive using the nocase; modifier. Check out sections 3.5.1 – 3.5.7 in the Snort Users Manual for more information. 7
  • 8. Bus Stop: DOE & relative content example Relative contents use the DOE pointer • Content:”ABC”; • Places DOE after C • Content: “X”; distance: 2; within: 5; • Moves the pointer 2 bytes (First black arrow) • Looks at the next 5 bytes for an “X” (Orange arrow) • Places the DOE pointer after the X (red arrow) After first content match A B C X Second content match X 00 03 X Y Final DOE location 8 Z
  • 9. Example 1: Buffer Overflow Detection (sid: 13916) (flow:established, to_server; content:"username="; nocase; isdataat:450,relative; content:!"&"; within:450; content:!"|0A|"; within:450;) flow: established, to_server; • Used to reduce false positives and improve performance. • Flow is fairly straight forward, but check out Section 3.6.9 for full details content:”username=“; • Has the “nocase” modification to allow for any type of match • pattern can be anywhere in the payload. This pattern match will be the anchor for the rest of our detection 9
  • 10. Example 1: Isdataat usage… (flow:established, to_server; content:"username="; nocase; isdataat:450,relative; content:!"&"; within:450; content:!"|0A|"; within:450;) For content:!””; checks involving buffer overflows, we need to make sure the data is there to be checked. • Negative content matches look for the absence of data, so even if • • we run out of data, we still are successful isdataat: verifies that there is data within the specified distance. The check can be relative or non-relative Format is: isdataat:<int>[,relative]; • Check out section 3.5.12 for more information on isdataat: isdataat: 450, relative; • The anchor (username=) is not at a fixed location, so we must make the size check relative to this match • Relative keywords makes the 450 byte check from the DOE. 10 10
  • 11. Example 1, continued (flow:established, to_server; content:"username="; nocase; isdataat:450,relative; content:!"&"; within:450; content:!"|0A|"; within:450;) We have now verified that: • The traffic is directed to a server, and the TCP session is established • The string “username=“ is in the payload • That there is sufficient space for the attack to be delivered For this protocol on this server, there are two terminating characters, “&” and line feed (LF) x0A. We need to check that neither occur within the next 450 bytes: • content:!"&"; within:450; • content:!"|0A|"; within:450; If we, from the anchor point (username=), have 450 bytes available, and we don’t reach any terminating characters, then we will alert 11 11
  • 12. Bus Stop: dsize dsize tests the payload size • format: dsize: [<>] <number> [<><number]; • dsize: 300<>400 You might be tempted to use dsize, rather than isdataat as a size test for buffer overflows. (Spoiler: Don’t do this) • dsize automatically bails on any packet that is part of a reassembled stream. • This leads to a false-negative situation for certain buffer overflow attacks delivered over more than one packet. • Dsize does not handle relative checks dsize is designed to test abnormally sized packets, and isdataat should be used for all other purposes. 12 12
  • 13. Example 2: PCRE buffer overflow checks alert tcp $EXTERNAL_NET any -> $HOME_NET 13782 (msg:"EXPLOIT Symantec NetBackup connect_options buffer overflow attempt"; flow:established,to_server; content:"CONNECT_OPTIONS="; nocase; isdataat:900,relative; pcre:"/CONNECT_OPTIONSx3D[^x20x0Ax0Dx00]{ 900}/smi"; reference:bugtraq,21565; reference:cve,2006-6822; classtype:attempted-admin; sid:9813; rev:2;) 13 13
  • 14. Example 2: Buffer Overflow Detection (sid: 9813) (flow:established,to_server; content:"CONNECT_OPTIONS="; nocase; isdataat:900,relative; pcre:"/CONNECT_OPTIONSx3D[^x20x0Ax0Dx00]{900}/smi";) content:”CONNECT_OPTIONS=“; nocase; • nocase argument indicates that the pattern can be matched in any combination of either lower or upper case characters. isdatat:900,relative; • Again, staring at the DOE, verify that there are 900 bytes available for detection • Note, this is not required for PCRE as it is for negative content checks. • • Content:!”A”; within: 40; checks for the absence of an A in 40 bytes, or end of packet. pcre:”/[^A]{40}/”; looks for 40 consecutive characters that are not “A”. • This check provides for speed, in the case where there is not sufficient payload left for the buffer overflow attack to happen, we bail on this check, rather than calling PCRE for no reason. • Always find ways to bail before running a PCRE Now, about that PCRE (remember, don’t panic…) 14 14
  • 15. Example 2, continued pcre:"/CONNECT_OPTIONSx3D[^x20x0Ax0Dx00]{900}/smi";) This is actually a fairly straight forward example of pcre: The format is pcre:”/REGEX/modifiers”; The x statement means you are providing a hexadecimal number to check • • • • • x3d is the ascii code for “=“ x20 is the ascii code for space x0a is the ascii code for line feed x0d is the ascii code for carriage return x00 is the null byte The [^x20x0Ax0dx00] is a character class declaration, and the ‘^’ means not. That is, PCRE is instructed to match on characters that are not in this class. The {900} means do this match 900 times, so find 900 characters that are not in the character class. 15 15
  • 16. Example 2, final notes /smi • i = case insensitive search • s = include newlines in the dot (.) metacharacter • m = metacharacters ^ and $ can match before and after a newline, as well as the beginning and the end of the buffer • Check 3.5.13 for more modifiers PCRE can do some powerful things • And computationally expensive • And easy to mess up • Make sure you run it only when you have to • Test your pcre (pcretest) and optimize. • Then do it again. 16 16
  • 17. Example 3: Buffer overflow detection with byte_test alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"|00 01 87 99|"; depth:4; offset:16; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy balanced-ips drop, policy security-ips drop, service sunrpc; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:569; rev:18;) 17 17
  • 18. Example 3: Content and the fast pattern matcher flow:to_server,established; content:"|00 01 87 99|"; depth:4; offset:16; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; Three four-byte patterns are in this rule. • The rule writer chose a specific sequence to speed up detection. content:"|00 01 87 99|"; depth:4; offset:16; • Absolute 4 byte match, placed at beginning for more unique “longest, first match” content:"|00 00 01 01|"; within:4; distance:4; • Relative to the previous match. Note that this could also have been depth: 4; offset: 24; instead. • Will act as the anchor for our other detection content:"|00 00 00 00|"; depth:4; offset:8; • Will be the final validation that our packet is an attack. 18 18
  • 19. Bus Stop: byte_jump Usage: • byte_jump: <bytes_to_convert>, <offset> [,relative] [,multiplier <multiplier value>] [,big] [,little][,string][,hex] [,dec] [,oct] [,align] [,from_beginning]; • Check out 3.5.15 for details. By way of example: • Content:”ABC”; • Places DOE after C • Byte_Jump: 2, 2, relative; • Moves the pointer 2 bytes (First black arrow) • Reads two bytes • Jumps from the end of the read (Second black arrow) After Content A 19 19 B C X relative byte jump X 00 03 Final DOE Location X Y Z
  • 20. Example 3: Protocol parsing with byte_jump byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; Byte jump is often used to parse length encoded data. Here we have two dynamically sized data fields we need to jump over to find the data we need (the same byte_jump structure is used for both data blocks): • 4 bytes are read starting 4 bytes from the DOE. • This protocol requires that data be stored on 4-byte boundaries. The • • ‘align’ keyword tells snort to round jumps as necessary to handle this. The DOE is then moved the calculated number of bytes This process is repeated to jump over the second dynamically sized data field. By decoding the protocol we are now 20 bytes from a 4 byte size field that declares how large the target field is. 20 20
  • 21. Bus Stop: byte_test Usage: • byte_test: <bytes to convert>, [!]<operator>, <value>, <offset> [,relative] [,<endian>] [,<number type>, string]; • Section 3.5.14 details the byte_test option. By way of example: • Content:”ABC”; • Places DOE after C • Byte_test: 2, <, 4, 2, relative; • • • • Moves the pointer 2 bytes (First black arrow) Reads two bytes If the byte read is less than four, then the check is passed. Note: The DOE does not move. After Content A 21 21 B C X byte_test read X 00 03 X Y Z
  • 22. Example 3: Detecting the overflow byte_test:4,>,1024,20,relative; Using anchored content matches and a sequence of byte_jumps, we now know we are 20 bytes from the target size field. Our research shows that if that field is greater than 1024, then the provided data will overflow a buffer in memory. We use the above byte test to make the check: • Read 4 bytes as a number, starting 20 bytes from the DOE • If that number is greater than 1024, an attack most likely is underway 22 22
  • 23. Example 4: Kaminsky DNS Bug detection alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS large number of NXDOMAIN replies possible DNS cache poisoning"; byte_test:1,&,2,3; byte_test:1,&,1,3; byte_test:1,&,128,2; threshold:type threshold, track by_src, count 200, seconds 30; metadata:policy balanced-ips alert, policy security-ips alert, service dns; reference:cve,2008-1447; reference:url,www.kb.cert.org/vuls/id/800113; classtype:misc-attack; sid:13948; rev:2;) 23 23
  • 24. Example 4: Detection notes for the Kaminsky Bug A fairly in-depth technical review of both the bug itself and the detection methodology is available on the vrt white papers page: • http://www.snort.org/vrt/docs/white_papers/ In short, the detection looks for ‘backscatter’ • Backscatter is the legitimate traffic that is formed in • 24 24 response to attack traffic The attack floods a server with random requests, and the legitimate servers will send a flood of NXDOMAIN (i.e. I have no idea what you’re talking about…) responses.
  • 25. Example 4: Kaminsky Bug (sid: 13948) byte_test:1,&,2,3; byte_test:1,&,1,3; byte_test:1,&,128,2; threshold:type threshold, track by_src, count 200, seconds 30; byte_test:1,&,2,3; • byte_test: <bytes to convert>, [!]<operator>, <value>, <offset> [,relative] [,<endian>] [,<number type>, string]; 25 25
  • 26. Example 4: Why 3 separate byte_tests? Byte_test: 1, &, 3, 3; • On any byte_test, a non-zero response is a success, so all three cases below will pass the byte test, even though only the case with both flags set is correct Both flags set First flag set Second flag set Packet Value 00000011 00000001 00000010 Byte_test Value 00000011 00000011 00000011 Result 00000011 00000001 00000010 The proper approach is to check both values: • byte_test: 1, &, 2, 3; • byte_test: 1, &, 1, 3; The final byte_test ensures the packet is a response: • byte_test:1,&,128,2; 26 26
  • 27. Example 4: Thresholding threshold:type threshold, track by_src, count 200, seconds 30; Thresholding is commonly used while tuning the IDS. Thresholding is discussed in section 3.8 of the Snort Users Manual • First packet starts the window • Each additional packet checks for expiration and increments the counter The thresholding is actually a critical part of the detection methodology: • The actual attack would generate a huge volume of legitimate NXDOMAIN responses. In this case, we are looking for 200 NXDOMAIN responses within a 30 second window. 27 27
  • 28. Example 4: Thresholding threshold:type threshold, track by_src, count 200, seconds 30; In this case, we are looking for 200 NXDOMAIN responses within a 30 second window. The thresholding is actually a critical part of the detection methodology: • The actual attack would generate a huge volume of legitimate NXDOMAIN responses. Thresholding is discussed in section 3.8 of the Snort Users Manual • First packet starts the window • Each additional packet checks for expiration and increments the counter 28 28
  • 29. Example 5: Let’s mess with Alex This is Alex! Alex is one of the rule writers here in the VRT Alex spends some of his free time as a webmaster for the Mars Society We love Alex We love to mess with people. 29 29
  • 30. Example 5: The goal… Targeting only Alex’s computer, let’s replace the banner on the Mars Society website with one of our choosing. 30 30
  • 31. Example 5: In a javascript file… First we need to figure out how the image is being delivered. So by looking through some packet captures, we came across this gem... We need to replace: • http://www.marssociety.org/port al/logo.jpg • With a file of our choosing... 31 31 #portal-logo { background: url(http://www.marssociety.org/ portal/logo.jpg) no-repeat; border: 0; margin: 0.75em 0em 0.75em 1.5em; padding: 0; }
  • 32. Example 5: Content/Replace alert tcp $EXTERNAL_NET $HTTP_PORTS -> $ALEXPC any (msg:”WE THINK ITS FUNNY”; flow: established, to _client; content:”http://www.marssociety.org/portal/logo.jpg”; replace:”http://vrt-app-01/imagemakeevenlongerr.jpg”; classtype: successful-dos; sid: 100001;) This rule replaces any instance of the logo.jpg string inbound to Alex’s box with the link to our file (hosted on a local box). • Filename was modified to satisfy the equality of length requirement. • This replace causes Alex’s browser to request the modified banner and then insert it into the presented webpage. Notes on the replace keyword: • Detailed in section 1.5.3 of the Snort Users Manual • The only thing to remember is the replace content must match the length of the content it is replacing. 32 32
  • 33. Example 5: Well, we thought it was funny… Before 33 33 After
  • 34. Example 5: Disclaimer All modifications were done to traffic just before it reached Alex’s computer No exploits or attacks were used, only the functionality of the Snort engine We had advanced approval 34 34
  • 35. Questions? If you have questions in general: • snort-sigs mailing list • snort-users mailing list • #snort on freenode irc • research@sourcefire.com If you have questions or comments on this presentation: • molney@sourcefire.com 35 35
  • 36. Sourcefire Commercial Products Sourcefire 3D™ System Sourcefire 3D Sensors • Sourcefire IPS™ • Sourcefire RNA™ • Sourcefire RUA™ • Sourcefire NetFlow Analysis Sourcefire Defense Center™ Sourcefire Intrusion Agent for Snort 36 36
  • 37. For More Information… Sourcefire 3D System Flash Demo “Extending Your Investment in Snort” Technology Brief Available Now on Sourcefire.com 37 37
  • 38. Questions? Please submit questions via the Q&A interface in the lower-right corner of your screen. 38 38