- •Network Intrusion Detection, Third Edition
- •Table of Contents
- •Copyright
- •About the Authors
- •About the Technical Reviewers
- •Acknowledgments
- •Tell Us What You Think
- •Introduction
- •Chapter 1. IP Concepts
- •Layers
- •Data Flow
- •Packaging (Beyond Paper or Plastic)
- •Bits, Bytes, and Packets
- •Encapsulation Revisited
- •Interpretation of the Layers
- •Addresses
- •Physical Addresses, Media Access Controller Addresses
- •Logical Addresses, IP Addresses
- •Subnet Masks
- •Service Ports
- •IP Protocols
- •Domain Name System
- •Routing: How You Get There from Here
- •Summary
- •Chapter 2. Introduction to TCPdump and TCP
- •TCPdump
- •TCPdump Behavior
- •Filters
- •Binary Collection
- •TCPdump Output
- •Absolute and Relative Sequence Numbers
- •Dumping in Hexadecimal
- •Introduction to TCP
- •Establishing a TCP Connection
- •Server and Client Ports
- •Connection Termination
- •The Graceful Method
- •The Abrupt Method
- •Data Transfer
- •What's the Bottom Line?
- •TCP Gone Awry
- •An ACK Scan
- •A Telnet Scan?
- •TCP Session Hijacking
- •Summary
- •Chapter 3. Fragmentation
- •Theory of Fragmentation
- •All Aboard the Fragment Train
- •The Fragment Dining Car
- •The Fragment Caboose
- •Viewing Fragmentation Using TCPdump
- •Fragmentation and Packet-Filtering Devices
- •The Don't Fragment Flag
- •Malicious Fragmentation
- •TCP Header Fragments
- •Teardrop
- •Summary
- •Chapter 4. ICMP
- •ICMP Theory
- •Why Do You Need ICMP?
- •Where Does ICMP Fit In?
- •Understanding ICMP
- •Summary of ICMP Theory
- •Mapping Techniques
- •Tireless Mapper
- •Efficient Mapper
- •Clever Mapper
- •Cerebral Mapper
- •Summary of Mapping
- •Normal ICMP Activity
- •Host Unreachable
- •Port Unreachable
- •Admin Prohibited
- •Need to Frag
- •Time Exceeded In-Transit
- •Embedded Information in ICMP Error Messages
- •Summary of Normal ICMP
- •Malicious ICMP Activity
- •Smurf Attack
- •Tribe Flood Network
- •WinFreeze
- •Loki
- •Unsolicited ICMP Echo Replies
- •Theory 1: Spoofing
- •Theory 2: TFN
- •Theory 3: Loki
- •Summary of Malicious ICMP Traffic
- •To Block or Not to Block
- •Unrequited ICMP Echo Requests
- •Kiss traceroute Goodbye
- •Silence of the LANs
- •Broken Path MTU Discovery
- •Summary
- •Chapter 5. Stimulus and Response
- •The Expected
- •Request for Comments
- •TCP Stimulus-Response
- •Destination Host Listens on Requested Port
- •Destination Host Not Listening on Requested Port
- •Destination Host Doesn't Exist
- •Destination Port Blocked
- •Destination Port Blocked, Router Doesn't Respond
- •UDP Stimulus-Response
- •Destination Host Listening on Requested Port
- •Destination Host Not Listening on Requested Port
- •Windows tracert
- •TCPdump of tracert
- •Protocol Benders
- •Active FTP
- •Passive FTP
- •UNIX Traceroute
- •Summary of Expected Behavior and Protocol Benders
- •Abnormal Stimuli
- •Evasion Stimulus, Lack of Response
- •Evil Stimulus, Fatal Response
- •No Stimulus, All Response
- •Unconventional Stimulus, Operating System Identifying Response
- •Bogus "Reserved" TCP Flags
- •Anomalous TCP Flag Combinations
- •No TCP Flags
- •Summary of Abnormal Stimuli
- •Summary
- •Chapter 6. DNS
- •Back to Basics: DNS Theory
- •The Structure of DNS
- •Steppin' Out on the Internet
- •DNS Resolution Process
- •TCPdump Output of Resolution
- •Strange TCPdump Notation
- •Caching: Been There, Done That
- •Reverse Lookups
- •Master and Slave Name Servers
- •Zone Transfers
- •Summary of DNS Theory
- •Using DNS for Reconnaissance
- •The nslookup Command
- •Name That Name Server
- •HINFO: Snooping for Details
- •List Zone Map Information
- •Tainting DNS Responses
- •A Weak Link
- •Cache Poisoning
- •Summary
- •Part II: Traffic Analysis
- •Chapter 7. Packet Dissection Using TCPdump
- •Why Learn to Do Packet Dissection?
- •Sidestep DNS Queries
- •Normal Query
- •Evasive Query
- •Introduction to Packet Dissection Using TCPdump
- •Where Does the IP Stop and the Embedded Protocol Begin?
- •Other Length Fields
- •The IP Datagram Length
- •Increasing the Snaplen
- •Dissecting the Whole Packet
- •Freeware Tools for Packet Dissection
- •Ethereal
- •tcpshow
- •Summary
- •Chapter 8. Examining IP Header Fields
- •Insertion and Evasion Attacks
- •Insertion Attacks
- •Evasion Attacks
- •IP Header Fields
- •IP Version Number
- •Protocol Number
- •The Don't Fragment (DF) Flag
- •The More Fragments (MF) Flag
- •Mapping Using Incomplete Fragments
- •IP Numbers
- •IP Identification Number
- •Time to Live (TTL)
- •Looking at the IP ID and TTL Values Together to Discover Spoofing
- •IP Checksums
- •Summary
- •Chapter 9. Examining Embedded Protocol Header Fields
- •Ports
- •TCP Checksums
- •TCP Sequence Numbers
- •Acknowledgement Numbers
- •TCP Flags
- •TCP Corruption
- •ECN Flag Bits
- •Operating System Fingerprinting
- •Retransmissions
- •Using Retransmissions Against a Hostile Host—LaBrea Tarpit Version 1
- •TCP Window Size
- •LaBrea Version 2
- •Ports
- •UDP Port Scanning
- •UDP Length Field
- •ICMP
- •Type and Code
- •Identification and Sequence Numbers
- •Misuse of ICMP Identification and Sequence Numbers
- •Summary
- •Chapter 10. Real-World Analysis
- •You've Been Hacked!
- •Netbus Scan
- •How Slow Can you Go?
- •RingZero Worm
- •Summary
- •Chapter 11. Mystery Traffic
- •The Event in a Nutshell
- •The Traffic
- •DDoS or Scan
- •Source Hosts
- •Destination Hosts
- •Scanning Rates
- •Fingerprinting Participant Hosts
- •Arriving TTL Values
- •TCP Window Size
- •TCP Options
- •TCP Retries
- •Summary
- •Part III: Filters/Rules for Network Monitoring
- •Chapter 12. Writing TCPdump Filters
- •The Mechanics of Writing TCPdump Filters
- •Bit Masking
- •Preserving and Discarding Individual Bits
- •Creating the Mask
- •Putting It All Together
- •TCPdump IP Filters
- •Detecting Traffic to the Broadcast Addresses
- •Detecting Fragmentation
- •TCPdump UDP Filters
- •TCPdump TCP Filters
- •Filters for Examining TCP Flags
- •Detecting Data on SYN Connections
- •Summary
- •Chapter 13. Introduction to Snort and Snort Rules
- •An Overview of Running Snort
- •Snort Rules
- •Snort Rule Anatomy
- •Rule Header Fields
- •The Action Field
- •The Protocol Field
- •The Source and Destination IP Address Fields
- •The Source and Destination Port Field
- •Direction Indicator
- •Summary
- •Chapter 14. Snort Rules - Part II
- •Format of Snort Options
- •Rule Options
- •Msg Option
- •Logto Option
- •Ttl Option
- •Id Option
- •Dsize Option
- •Sequence Option
- •Acknowledgement Option
- •Itype and Icode Options
- •Flags Option
- •Content Option
- •Offset Option
- •Depth Option
- •Nocase Option
- •Regex Option
- •Session Option
- •Resp Option
- •Tag Option
- •Putting It All Together
- •Summary
- •Part IV: Intrusion Infrastructure
- •Chapter 15. Mitnick Attack
- •Exploiting TCP
- •IP Weaknesses
- •SYN Flooding
- •Covering His Tracks
- •Identifying Trust Relationships
- •Examining Network Traces
- •Setting Up the System Compromise?
- •Detecting the Mitnick Attack
- •Trust Relationship
- •Port Scan
- •Host Scan
- •Connections to Dangerous Ports
- •TCP Wrappers
- •Tripwire
- •Preventing the Mitnick Attack
- •Summary
- •Chapter 16. Architectural Issues
- •Events of Interest
- •Limits to Observation
- •Human Factors Limit Detects
- •Limitations Caused by the Analyst
- •Limitations Caused by the CIRTs
- •Severity
- •Criticality
- •Lethality
- •Countermeasures
- •Calculating Severity
- •Scanning for Trojans
- •Analysis
- •Severity
- •Host Scan Against FTP
- •Analysis
- •Severity
- •Sensor Placement
- •Outside Firewall
- •Sensors Inside Firewall
- •Both Inside and Outside Firewall
- •Analyst Console
- •Faster Console
- •False Positive Management
- •Display Filters
- •Mark as Analyzed
- •Drill Down
- •Correlation
- •Better Reporting
- •Event-Detection Reports
- •Weekly/Monthly Summary Reports
- •Summary
- •Chapter 17. Organizational Issues
- •Organizational Security Model
- •Security Policy
- •Industry Practice for Due Care
- •Security Infrastructure
- •Implementing Priority Countermeasures
- •Periodic Reviews
- •Implementing Incident Handling
- •Defining Risk
- •Risk
- •Accepting the Risk
- •Trojan Version
- •Malicious Connections
- •Mitigating or Reducing the Risk
- •Network Attack
- •Snatch and Run
- •Transferring the Risk
- •Defining the Threat
- •Recognition of Uncertainty
- •Risk Management Is Dollar Driven
- •How Risky Is a Risk?
- •Quantitative Risk Assessment
- •Qualitative Risk Assessments
- •Why They Don't Work
- •Summary
- •Chapter 18. Automated and Manual Response
- •Automated Response
- •Architectural Issues
- •Response at the Internet Connection
- •Internal Firewalls
- •Host-Based Defenses
- •Throttling
- •Drop Connection
- •Shun
- •Proactive Shunning
- •Islanding
- •Reset
- •Honeypot
- •Proxy System
- •Empty System
- •Honeypot Summary
- •Manual Response
- •Containment
- •Freeze the Scene
- •Sample Fax Form
- •On-Site Containment
- •Site Survey
- •System Containment
- •Hot Search
- •Eradication
- •Recovery
- •Lessons Learned
- •Summary
- •Chapter 19. Business Case for Intrusion Detection
- •Part One: Management Issues
- •Bang for the Buck
- •The Expenditure Is Finite
- •Technology Used to Destabilize
- •Network Impacts
- •IDS Behavioral Modification
- •The Policy
- •Part of a Larger Strategy
- •Part Two: Threats and Vulnerabilities
- •Threat Assessment and Analysis
- •Threat Vectors
- •Threat Determination
- •Asset Identification
- •Valuation
- •Vulnerability Analysis
- •Risk Evaluation
- •Part Three: Tradeoffs and Recommended Solution
- •Identify What Is in Place
- •Identify Your Recommendations
- •Identify Options for Countermeasures
- •Cost-Benefit Analysis
- •Follow-On Steps
- •Repeat the Executive Summary
- •Summary
- •Chapter 20. Future Directions
- •Increasing Threat
- •Improved Targeting
- •How the Threat Will Be Manifested
- •Defending Against the Threat
- •Skills Versus Tools
- •Analysts Skill Set
- •Improved Tools
- •Defense in Depth
- •Emerging Techniques
- •Virus Industry Revisited
- •Smart Auditors
- •Summary
- •Part V: Appendixes
- •Appendix A. Exploits and Scans to Apply Exploits
- •False Positives
- •All Response, No Stimulus
- •Scan or Response?
- •SYN Floods
- •Valid SYN Flood
- •False Positive SYN Flood
- •Back Orifice?
- •IMAP Exploits
- •10143 Signature Source Port IMAP
- •111 Signature IMAP
- •Source Port 0, SYN and FIN Set
- •Source Port 65535 and SYN FIN Set
- •DNS Zone Followed by 0, SYN FIN Targeting NFS
- •Scans to Apply Exploits
- •mscan
- •Son of mscan
- •Access Builder?
- •Single Exploit, Portmap
- •rexec
- •Targeting SGI Systems?
- •Discard
- •Weird Web Scans
- •IP-Proto-191
- •Summary
- •Appendix B. Denial of Service
- •Brute-Force Denial-of-Service Traces
- •Smurf
- •Directed Broadcast
- •Echo-Chargen
- •Elegant Kills
- •Teardrop
- •Land Attack
- •We're Doomed
- •nmap
- •Distributed Denial-of-Service Attacks
- •Intro to DDoS
- •DDoS Software
- •Trinoo
- •Stacheldraht
- •Summary
- •Appendix C. Detection of Intelligence Gathering
- •Network and Host Mapping
- •Host Scan Using UDP Echo Requests
- •Netmask-Based Broadcasts
- •Port Scan
- •Scanning for a Particular Port
- •Complex Script, Possible Compromise
- •"Random" Port Scan
- •Database Correlation Report
- •SNMP/ICMP
- •FTP Bounce
- •NetBIOS-Specific Traces
- •A Visit from a Web Server
- •Null Session
- •Stealth Attacks
- •Explicit Stealth Mapping Techniques
- •FIN Scan
- •Inverse Mapping
- •Answers to Domain Queries
- •Answers to Domain Queries, Part 2
- •Fragments, Just Fragments
- •Measuring Response Time
- •Echo Requests
- •Actual DNS Queries
- •Probe on UDP Port 33434
- •3DNS to TCP Port 53
- •Worms as Information Gatherers
- •Pretty Park Worm
- •RingZero
- •Summary
TCP TTL:128 TOS:0x0 ID:50697 IpLen:20 DgmLen:58 DF
***AP*** Seq: 0x17806739 Ack: 0x121C07E5 Win: 0x1FD3 TcpLen: 20
A directory named 10.10.10.101 was created with a file named TCP:1454-21 to record the session exchange of the attempted password file access and 10 subsequent records. Note that the command line used the –d option to capture and dump the data payload. This is
an excerpt of the output:
03/21-20:31:05.610035 10.10.10.101:1454 -> 10.10.10.100:21
TCP TTL:128 TOS:0x0 ID:50697 IpLen:20 DgmLen:58 |
DF |
|||
***AP*** |
Seq: 0x17806739 Ack: 0x121C07E5 |
Win: |
0x1FD3 TcpLen: 20 |
|
52 |
45 54 |
52 20 2F 65 74 63 2F 70 61 73 73 |
77 64 |
RETR /etc/passwd |
0D |
0A |
|
|
.. |
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= 03/21-20:31:05.610731 10.10.10.100:21 -> 10.10.10.101:1454
TCP TTL:64 TOS:0x10 ID:1752 IpLen:20 DgmLen:109 |
DF |
TcpLen: 20 |
||||||||||||||
***AP*** |
Seq: 0x121C07E5 |
69 |
Ack: 0x1780674B |
Win: |
0x7D78 |
|||||||||||
31 35 |
30 |
20 |
4F |
70 |
65 |
6E |
6E |
67 |
20 |
41 |
53 |
43 |
49 |
150 Opening ASCI |
||
49 20 |
6D |
6F |
64 |
65 |
20 |
64 |
61 |
74 |
61 |
20 |
63 |
6F |
6E |
6E |
I mode |
data conn |
65 63 |
74 |
69 |
6F |
6E |
20 |
66 |
6F |
72 |
20 |
2F |
65 |
74 |
63 |
2F |
ection |
for /etc/ |
70 61 |
73 |
73 |
77 |
64 |
20 |
28 |
36 |
37 |
39 |
20 |
62 |
79 |
74 |
65 |
passwd |
(679 byte |
73 29 |
2E |
0D |
0A |
|
|
|
|
|
|
|
|
|
|
|
s)... |
|
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
<omitted boring records>
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
03/21-20:31:08.924038 10.10.10.101:1454 -> 10.10.10.100:21 TCP TTL:128 TOS:0x0 ID:52489 IpLen:20 DgmLen:58 DF
***AP*** |
Seq: 0x17806764 Ack: 0x121C0860 |
Win: |
0x1F58 TcpLen: 20 |
||
52 |
45 |
54 |
52 20 2F 65 74 63 2F 73 68 61 64 |
6F 77 |
RETR /etc/shadow |
0D |
0A |
|
|
|
.. |
Putting It All Together
Now that you've endured the tedium to understand Snort rules, you might be wondering how you would write a rule for a new exploit that was released. Chances are that the user/developer population of Snort will have a new rule out for a current exploit very quickly. But, assume you have some code that professes to be an attack for which no Snort rule exists.
The first thing to do is to execute the exploit code in an isolated test network such as your home or a segregated lab environment at work. If the code works as advertised, record the packet exchange between the attacking and victim hosts. Then, look for unique and repeatable values in the packet that can be used to write a signature or rule. You might have to read some RFCs to become acquainted with the protocol used in the exploit to
understand which are repeatable and which are modifiable values.
Suppose you downloaded some code that exploited a buffer overflow condition for DNS TSIG (transaction signature) records. This is an actual attack that was effective against unpatched versions of BIND from 4.x up to, but not including, 8.2.3. A TSIG record in DNS is another resource record type like an address or pointer record. It is used by resolvers and for dynamic updates to ensure the integrity of an exchanged DNS record using a cryptographic one-way hash and shared secret key.
Because the exploit attempts to get access to a shell at the privilege level that BIND (the "named" daemon) runs at, the captured traffic from the exploit should be examined for this signature. Here is the packet that contains the buffer overflow and subsequent attempt to
get shell access:
02/22-15:33:19.472301 ATTACKER:1024 -> VICTIM:53
UDP TTL:64 TOS:0x0 ID:6755 IpLen:20 DgmLen:538
Len: 518
DE AD 01 80 00 07 00 00 00 00 00 01 3F 00 01 02 |
............ |
|
|
? |
... |
||||||||||||||
03 |
04 |
05 |
06 |
07 |
08 |
09 |
0A |
0B |
0C 0D |
0E |
0F |
10 |
11 |
12 |
................ |
|
|
|
!" |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
1A |
1B |
1C 1D |
1E |
1F |
20 |
21 |
22 |
............. |
|
|
|
|
23 |
24 |
25 |
26 |
27 |
28 |
29 |
2A |
2B |
2C 2D |
2E |
2F |
30 |
31 |
32 |
#$%&'()*+,-./012 |
||||
33 |
34 |
35 |
36 |
37 |
38 |
39 |
3A |
3B |
3C EB 0A 02 00 00 C0 3456789:;<...... |
F. |
|||||||||
00 |
00 |
00 |
00 |
00 |
3F |
00 |
01 |
EB 44 5E 29 C0 89 46 10 .....? |
... |
D^).. |
|||||||||
40 |
89 |
C3 |
89 |
46 |
0C |
40 |
89 |
46 |
08 8D |
4E |
08 |
B0 |
66 |
CD @... |
F.@.F..N..f. |
||||
80 |
43 |
C6 |
46 |
10 |
10 |
66 |
89 |
5E |
14 88 |
46 |
08 |
29 |
C0 |
89 |
.C.F..f.^..F.).. |
||||
C2 |
89 |
46 |
18 |
B0 |
90 |
66 |
89 |
46 |
16 8D |
4E |
14 |
89 |
4E |
0C |
..F... |
|
f.F..N..N. |
||
8D |
4E |
08 |
EB 07 C0 00 00 00 00 00 3F EB 02 EB 43 .N......... |
|
|
?... |
C |
||||||||||||
B0 |
66 |
CD 80 89 5E 0C 43 43 B0 66 CD 80 89 56 0C .f... |
^.CC.f... |
V. |
|||||||||||||||
89 |
56 |
10 |
B0 |
66 |
43 |
CD 80 86 C3 B0 3F 29 C9 CD 80 .V..fC |
?A..... |
?) |
... |
||||||||||
B0 |
3F |
41 |
CD 80 B0 3F 41 CD 80 88 56 07 89 76 0C .?A... |
|
...V..v. |
||||||||||||||
87 |
F3 |
8D |
4B |
0C |
B0 |
0B CD 80 EB 07 C0 00 00 00 00 ...K |
............ |
|
/bin/sh. |
||||||||||
00 |
3F |
90 |
E8 |
72 |
FF FF FF 2F 62 69 6E 2F 73 68 00 .?..r... |
|
|||||||||||||
0E |
0F |
10 |
11 |
12 |
13 |
14 15 |
16 |
17 18 |
19 |
1A |
1B |
1C |
1D |
..................!"#$%&'()*+,- |
|||||
1E |
1F |
20 |
21 |
22 |
23 |
24 25 |
26 |
27 28 |
29 |
2A |
2B |
2C |
2D |
||||||
2E |
2F |
30 |
31 |
32 |
33 |
34 35 |
36 |
37 38 |
39 |
3A |
3B |
3C |
EB ./0123456789:;<. |
||||||
07 |
C0 |
00 |
00 |
00 |
00 |
00 3F |
00 |
01 02 |
03 |
04 |
05 |
06 |
07 |
....... |
|
? |
........ |
|
|
08 |
09 |
0A |
0B |
0C |
0D |
0E 0F |
10 |
11 12 |
13 |
14 |
15 |
16 |
17 |
................ |
|
|
!"#$%&' |
||
18 |
19 |
1A |
1B |
1C |
1D |
1E 1F |
20 |
21 22 |
23 |
24 |
25 |
26 |
27 |
........ |
|
|
|||
28 |
29 |
2A |
2B |
2C |
2D |
2E 2F |
30 |
31 32 |
33 |
34 |
35 |
36 |
37 |
()*+,-./01234567 |
|||||
38 |
39 |
3A |
3B |
3C |
EB 07 C0 00 00 00 00 00 3F 00 01 89:;<........ |
|
|
?.. |
|||||||||||
02 |
03 |
04 |
05 |
06 |
07 |
08 09 |
0A |
0B 0C |
0D |
0E |
0F |
10 |
11 |
................ |
|
|
| |
@ |
|
D8 |
FA FF BF D8 F7 FF BF D0 7C 0D 08 04 F7 10 40 |
......... |
|
|
|||||||||||||||
22 |
23 |
24 |
25 |
26 |
27 |
28 29 |
2A |
2B 2C |
2D |
2E |
2F |
30 |
31 |
"#$%&'()*+,-./01 |
|||||
32 |
33 |
34 |
35 |
36 |
37 |
38 39 |
3A |
3B 3C |
EB 07 C0 00 00 23456789:;<..... |
|
|||||||||
00 |
00 |
00 |
3F |
00 |
01 |
02 03 |
04 |
05 06 |
07 |
08 |
09 |
0A |
0B |
...? |
............ |
|
|
|
|
0C |
0D |
0E |
0F |
10 |
11 |
12 13 |
14 |
15 16 |
17 |
18 |
19 |
1A |
1B |
....................!"#$%&'()*+ |
|||||
1C |
1D |
1E |
1F |
20 |
21 |
22 23 |
24 |
25 26 |
27 |
28 |
29 |
2A |
2B |
||||||
2C |
2D |
2E |
2F |
30 |
31 |
32 33 |
34 |
35 36 |
37 |
38 |
39 |
3A |
3B |
,-./0123456789:; |
|||||
3C |
EB 07 C0 00 00 00 00 00 00 00 FA 00 FF <............. |
|
|
|
|
|
|
One obvious signature is the /bin/sh, which attempts to give shell access after a successful buffer overflow. Another signature of this output is that there must be some identification that a DNS TSIG record has been used.
The DNS type is a 2-byte field and a TSIG record will be assigned a value of 250 (0x00FA). There must also be a 2-byte DNS class associated with each different resource record type and the value assigned to a TSIG record is 255 (0x00FF)—to mean any class. Therefore, there must be an occurrence of 0x00FA00FF in the DNS payload for this to be a TSIG record. You would not find the occurrence of the string "/bin/sh" in a normal TSIG query, so looking for both of these values is likely to find malicious records without alerting on false positives. Although other values in this particular packet could be used for the rule, it is possible to alter the source code so that the exploit would still work, yet the DNS header
or following TSIG records could change. Here is a rule that can detect the exploit: alert udp $EXTERNAL_NET any -> $HOME_NET 53 \
(msg: "EXPLOIT BIND tsig Overflow Attempt"; \ content: "|00 FA 00 FF|"; offset: 12; \ content: "/bin/*sh"; regex; offset: 12;)
The observed traffic uses UDP, and you want to look for attackers coming into your network from an outside host on any port to destination port 53. Two separate content options are used to find the multiple occurrences of strings that are in the signature. The option of regex is used in case a shell other than the Bourne shell is used. The regex option is a work in progress and doesn't always work as advertised in Snort version 1.8.3. In the previous example, it failed to work when included with the wildcard search of "/bin/*sh", but it will be fixed and should work in the upcoming version 2.x releases.
Also, the content strings are qualified using an offset of 12 indicating that the search is to begin at the 12th byte offset from the beginning of the DNS message. This is done for efficiency and accuracy because the DNS header takes up the first 12 bytes and the search to be performed is on the DNS payload, not the DNS header.
The TSIG Exploit
If you would like more information about TSIG, look at RFC 2845 titled, "Secret Key Transaction Authentication for DNS (TSIG)." More information about the exploit can be found at the Carnegie Mellon CERT site, www.cert.org, advisory CA- 2001-02. There is a wonderful write-up of the exploit done by Paul Asadoorian,
which can be found at www.sans.org/newlook/resources/IDFAQ/TSIG.htm. Many thanks to Paul
for his discussion of the Snort rule and the attack output.
Summary
Snort rule options provide a wide range of attributes and ways to specify values to examine in a packet. The use of the options is quite intuitive and requires only some familiarization of the various options via experimentation or reading the Snort documentation. With virtually each new release of Snort, more options have been added, making Snort rules feature-rich and comparable or better than many of the commercial NIDS' signature writing capabilities.
To create a Snort rule for some exploit, run the exploit in an isolated environment and record the traffic either using Snort or TCPdump in a mode where the entire packet is
captured for examination. Use any available Snort rule header fields or options to precisely identify the unique values and attributes of the exploit packets. Be aware that some aspects of the exploit source code can be changed to alter the packet content; so, attempt to extract the values or fields that are not likely to change when creating your rule. Selecting and qualifying appropriate fields and values to be used is not an easy thing to do because good signature writing is truly a practiced art that requires knowledge about the signature language, the exploit, and the protocol involved in the exploit.