advanced ids
DESCRIPTION
Advanced IDS. Brian Caswell & Jeff Nathan. Kung Fu IDS. Brian Caswell Jeff Nathan [email protected] [email protected]. The life of a packet through Snort’s detection engine. Overview of protocol decoding and protocol anomaly detection. Static Decoders Normalization of Data. - PowerPoint PPT PresentationTRANSCRIPT
Advanced IDS
Brian Caswell & Jeff Nathan
Kung Fu IDS
Brian Caswell Jeff [email protected] [email protected]
3
The life of a packet through Snort’s detection engine
4
Overview of protocol decoding and protocol anomaly detection
• Static Decoders• Normalization of Data
5
Recent detection improvements
• Advanced content options (distance, within, byte_test and byte_jump)
• All purpose state engine (conversation)
• Improved message passing between components
6
Recent detection improvements
• Advanced content options (distance, within, byte_test and byte_jump)
• All purpose state engine (conversation)
• Improved message passing between components
7
Distance
content:"SITE"; nocase; content:"EXEC"; distance:0; nocase;
8
Within
content: "Content-type\: video/x-ms-asf"; content:"|0a|"; within:2;
9
Byte jump
byte_jump:4,4, relative,align; byte_jump:4,4, relative,align; content: "|00 01 86 A5|"; within:4;
10
Byte test
byte_test:1,>,7,1;
11
Advantages and Disadvantages of static preprocessors
Advantages• Relatively Fast• State-based
implementations
Disadvantages• Users are not
programmers• Requires
recompilation of the entire system
• Requires specific knowledge of the protocol (in addition to Snort)
12
The promise of advanced rules
• A quicker development cycle for discrete protocol anomaly detection
• Only requires knowledge of Snort’s rule language and the protocol itself
• NO NEED TO LEARN C
13
Where existing advanced rules and preprocessors fall short
• New preprocessors can require significant development time
• Preprocessors rely on Snort’s pattern matching for detection of normalized data
• No advanced constructs (loops, regex, and data munging)
• Not all vulnerabilities can be covered with advanced rules and existing preprocessors
14
15
A new solution: sp_perl
Two new detection keywords:• “perlre” provides real regular
expressions • “perl” provides runtime evaluation
of virtually any perl code
16
sp_perl, are we nuts?
• Extensibility through perl• No additional CPU cost for non-perl
rules• Rapid updates to Snort’s detection
capabilities without re-implementing N-CODE
(And since you asked, we are nuts, but not because we added perl to Snort)
17
OK, so we’re nuts. How does this actually work?
• Create an embedded perl interpreter• Parse all the rules and store perl data for
later• When a perl rule option is triggered:– Convert the Payload, IPs, and Ports to
perl scalars– Pass perl scalars to perl– Evaluate packet data and persistent data
• On exit, destroy the runtime interpreter
18
Embedded perl
PerlInterpreter *my_perl = perl_alloc();
perl_construct(my_perl);perl_parse(my_perl, NULL, 2,
perl_cmdline_opts, NULL)perl_run(my_perl);perl_destruct(my_perl);perl_free(my_perl);
19
OK, but how does that work inside of Snort?
SetupPerlKungFoo()• Verifies the file with our perl functions is
there• Registers our keywords as valid detection
options• Allocates a runtime perl interpreter• Initializes the perl stack for our runtime
interpreter• Parses our perl file to get our functions into
the runtime environment • Stores the persistent data specific to sp_perl
in the OptTreeNode(s)
20
sp_perl, what the ugly C does
• Calls perl_regex with the pattern, type of test (perl vs perlre), along with the IP addresses and ports
• Pushes args onto a local copy of the perl stack, then replace the global perl stack with our stack
• Calls the appropriate perl function using the new global perl stack
• Pops the return code from the perl stack, convert to an integer
• Returns the next test on the OptTreeNode on success, otherwise 0
21
Example Rules
22
IMAP LSUB Buffer Overflow
CAN-2000-028411/11-10:45:41.482210 172.16.2.130:33012 -> 10.2.2.250:143***AP*** Seq: 0x6F578C60 Ack: 0xFE6E84A1 Win: 0x16D0 TcpLen: 3231 20 4C 53 55 42 20 22 22 20 7B 31 30 36 34 7D 1 LSUB "" {1064}0D 0A ..
11/11-10:45:41.482699 10.2.2.250:143 -> 172.16.2.130:33012***AP*** Seq: 0xFE6E84A1 Ack: 0x6F578C72 Win: 0x7BFC TcpLen: 32TCP Options (3) => NOP NOP TS: 26213694 3382889872B 20 52 65 61 64 79 20 66 6F 72 20 61 72 67 75 + Ready for argu6D 65 6E 74 0D 0A ment..
11/11-10:45:41.483459 172.16.2.130:33012 -> 10.2.2.250:143***AP*** Seq: 0x6F578C72 Ack: 0xFE6E84B7 Win: 0x16D0 TcpLen: 3290 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
23
IMAP LSUB Buffer Overflow, continued
• Our content:1 LSUB “” {1064}\r\
nSHELLCODEHERE• So how do we detect this?– Regex– Regex and some math
24
IMAP LSUB Buffer Overflow, regex
1 LSUB “” {1064}\r\nSHELLCODEHERE
• Regex^\d+\s+LSUB\s+""\s+{\d{4,}}
25
IMAP LSUB Buffer Overflow, regex and some math
1 LSUB “” {1064}\r\nSHELLCODEHERE
• Regex^\d+\s+LSUB\s+""\s+{(\d+)}
• Math$1 > 1000
26
IMAP LSUB Buffer Overflow, the rules
alert ip any any -> any any (perlre:/^\d+\s+LSUB\s+""\s+{\d{4,}/;)
alert ip any any -> any any (perl:"$content =~ /\d+\s+LSUB\s+""\s+{(\d+)}/\; && $1 > 1000";)
27
IMAP LSUB Buffer Overflow, the optimized rules
alert tcp any any -> any 143 ( flow:to_server,established; content:"LSUB"; nocase; perlre:/^\d+\s+LSUB\s+""\s+{\d{4,}/;)
alert tcp any any -> any 143 ( flow:to_server,established; content:"LSUB"; nocase; perl:"$content =~ /\d+\s+LSUB\s+""\s+{(\d+)}/\; && $1 > 1000";)
28
FTP Port Bounce
CVE-1999-001712/31--5:00:00.007051 10.1.1.254:3161 -> 10.1.1.113:21***AP*** Seq: 0x4FE9C1C4 Ack: 0x1E001761 Win: 0x7D78 TcpLen: 3270 6F 72 74 20 31 37 32 2C 31 36 2C 30 2C 33 32 port 172,16,0,322C 31 32 2C 37 32 0A ,12,72.
29
FTP Port Bounce, continued
• Our content:port 172,16,0,32,12,72\n
• So how do we detect this?– Regex and some perl
30
FTP Port Bounce, regex and some perl
port 172,16,0,32,12,72
• Regex$content =~ /port\s+(\d+),(\d+),(\d+),(\d+)/
• The Perl $srcip ne $1.'.'.$2.'.'.$3.'.'.$4
31
FTP Port Bounce, the rules
alert ip any any -> any any (perl:"$content =~ /port\s+(\d+),(\d+),(\d+),(\d+)/i && $srcip ne $1.'.'.$2.'.'.$3.'.'.$4";)
32
FTP Port Bounce, the optimized rules
alert tcp any any -> any 21 ( flow:to_server,established; content:”port”; nocase; perl:"$content =~ /port\s+(\d+),(\d+),(\d+),(\d+)/i && $srcip ne $1.'.'.$2.'.'.$3.'.'.$4";)
33
HTTP Unknown Version
04/06-20:04:12.457297 10.200.1.100:33599 -> 66.35.250.150:80TCP TTL:64 TOS:0x0 ID:58321 IpLen:20 DgmLen:56 DF***AP*** Seq: 0xDD594D3E Ack: 0xAEE Win: 0x1490 TcpLen: 2047 45 54 20 2F 20 48 54 54 50 2F 30 2E 32 0A 0A GET / HTTP/0.2..
34
HTTP Unknown Version, continued
• Our content:GET / HTTP/0.2\n\n
• So how do we detect this?– Regex– Regex and some perl
35
HTTP Unknown Version, regex
GET / HTTP/0.2\n\n
• Regex\s+HTTP/(0\.9|1\.1|1\.0)[\r]\n
36
HTTP Unknown Version, regex and some perl
GET / HTTP/0.2\n\n
• Regex\s+HTTP/([^\n]*)\n
• Perl $1 ne '1.1' && $1 ne '1.0' && $1 ne '0.9'
37
HTTP Unknown Version, building the rules
alert ip any any -> any any (perlre:\s+HTTP/(0\.9|1\.1|1\.0)[\r]{0,1}\n;)
alert ip any any -> any any (perl:"$content =~ ! HTTP/(.{3})! && $1 ne '1.1' && $1 ne '1.0' && $1 ne '0.9'";)
38
HTTP Unknown Version, the optimized rules
alert tcp any any -> any 80 (flow:to_server,established; content:”HTTP”; perlre:\s+HTTP/(0\.9|1\.1|1\.0)[\r]{0,1}\n;)
alert tcp any any -> any 80 (flow:to_server,established; content:”HTTP”; perl:"$content =~ ! HTTP/(.{3})! && $1 ne '1.1' && $1 ne '1.0' && $1 ne '0.9'";)
39
Even more advanced foo
• So, you want one or two specific rules to email you when they fire.
• Add this to snort.plsub insane {
my ($srcip,$content) = @_; use Net::SMTP; my $server = "mail.server.com"; my $email = "perlfoo\@snort.org"; my $smtp = Net::SMTP->new($server) || die "Can't connect to mail server";$smtp->mail($from); $smtp->to($to); $smtp->data();$smtp->datasend("To: $email\nFrom: $email\n");$smtp->datasend("Subject: perl alert - srcip = $srcip\n\n$content\n");$smtp->dataend(); $smtp->quit();
}
• Then use it in your rule:insane($srcip,$content)
40
Future Work
• Cache any perl specific data in the Packet struct
• Figure out how to pass struct and pass *p directly with pack/unpack foo in perl
• Instead of raw perl, use swig• Buy flak jackets to save us from the
rest of the Snort developers
41
Jed Rules