Advanced Custom Attack Object Techniques
You can use pattern negation to exclude a pattern known to be safe and to match all else.
Custom Attack Object DFA Expressions
Table 1 provides examples of syntax for matching an attack pattern.
Example Syntax |
Description |
Example Matches |
|---|---|---|
Hello..\B.0.1..00\B...world |
There are two aspects to matching: Must match the bitmask pattern: \B.0.0.1..00\B Must match the number of bytes (signified by .) before and after the bitmask pattern. |
Matches: Hello..\B.0.11100\B...worldHello..\B.0.10000\B...world Does not match: Hello.\B.0.1..00\B.worldHello..\B.0.1..11\B...world |
\X01 86 A5 00 00\X |
Pattern with the five specified bytes verbatim. |
01 86 A5 00 00 |
(hello|world) |
Pattern with hello or world occurring once. |
hello world |
(hello|world)+ |
Pattern with hello or world occurring one or more times. |
helloworld worldhello hellohello |
\[hello\] |
Pattern hello, case insensitive. |
hElLo HEllO heLLO |
\uHello\u |
Pattern hello, Unicode insensitive. |
hello 68656c6c6f |
hello\sworld |
Pattern hello world, the two words separated by a whitespace. |
hello world |
[c-e]a(d|t) |
Pattern with the first letter of c, d, or e; the middle letter a; and ending in d or t. |
cat dad eat |
[^c-d]a(d|t) |
Pattern that begins a letter other than c, d, or e; have the second letter a; and end in d or t. |
fad zad |
a*b+c |
Pattern with any number of a characters (including zero); followed by one or more b characters; followed by a c character. |
bc abc aaaabbbbc |
T[Kk] |
Pattern that begins with an uppercase T, followed by a case-insensitive k. |
TK Tk |
([Tt])k |
Pattern that begins with a case-insensitive t, followed by a lowercase k. |
Tk Tk |
Sea[In] |
Pattern that begins with Sea, followed by a lowercase l, m, or n. |
Seal Seam Sean |
([B-D])at |
Pattern that begins with an uppercase B, C, or D, followed by a lowercase at. |
Bat Cat Dat |
\0133\[hello\]\0135 |
Pattern that begins with an opening bracket, followed by case-insensitive hello, ending with a closing bracket. This expression uses the \0 expression to signify that the following expression is an octal code, then the octal code for the opening bracket (133) or the closing bracket (135) follows. |
[hello] [HeLLo] |
Pattern Negation
For example, suppose you are designing an attack object to inspect traffic to an FTP server. You know that account username and passwords are well maintained to ensure that only authorized users can access internal resources. However, as networks grow and new components are added, user accounts can proliferate, thereby increasing network access to specific components. In this example, you have an FTP server on your internal network that has multiple user accounts enabled. To improve security, you want to restrict access to the FTP administrator.
You create an attack object for the FTP service, ftp-username context, and pattern admin; and you select the Negate check box. The result is an attack object that can flag login attempts by users other than admin. You can use this attack object in a rule that logs or drops matching traffic.
Example: Match File Extensions
In this example, you want to detect Microsoft Windows metafiles, which use the extensions .emf (Windows Enhanced Metafiles) and .wmf (Microsoft Windows Metafile).
To match either of these file types, use a simple DFA expression:
.*\.\[w|emf\]
In this expression:
The period combined with the asterisk (.*) indicates that one or more characters must appear (wildcard match).
The backslash combined with the period character (\.) indicates that the period character is escaped (the period appears in the pattern).
The parentheses at the beginning and end of the expression ( ) indicate a group. The pipe character between the e and the w (e|w) indicates an OR relationship between the characters. For this expression, e or w must appear in the pattern to match this expression; only one must be present.
The opening bracket (\[) indicates the beginning of a case-insensitive match for all characters until the closing bracket (\]) appears.
The closing bracket (\]) indicates the ending of a case-insensitive match.
Example: Apache Tomcat Denial-of-Service Attacks
In this example, we assume you have a Web Server running Apache Tomcat. Your security administrator notifies you that a vulnerability has just been announced for Apache Tomcat, and you decide to create a custom attack object to protect your network until you can schedule downtime to patch the server.
The CVE advisory for the vulnerability (http://nvd.nist.gov/nvd.cfm?cvename=CAN-2002-0682) contains the following quotation:
A cross-site scripting vulnerability in Apache Tomcat 4.0.3 allows remote attackers to execute script as other web users via script in a URL with the /servlet/ mapping, which does not filter the script when an exception is thrown by the servlet.
From this information, you know that the attack uses HTTP. Now you must locate the attack code. The advisory also includes references that link to more information about the attack. Unfortunately, none of the referenced Web pages contain exploit code. After searching the Web using the information you learned from the CVE advisory, you locate some exploit code at http://packetstormsecurity.nl/0210-exploits/neuter.c. Copy the script and move it to the attacker computer in your test lab.
To develop this attack object:
IDP Test Conditions for a Specific Protocol
When configuring IDP custom attacks, you can specify a list of test conditions for a specific protocol. To list test conditions for ICMP:
List supported test conditions for ICMP and choose the one you want to configure. The supported test conditions are available in the CLI at the
[edit security idp custom-attack test1 attack-type anomaly]hierarchy level.user@host#set test icmp? Possible completions: <test> Protocol anomaly condition to be checked ADDRESSMASK_REQUEST DIFF_CHECKSUM_IN_RESEND DIFF_CHECKSUM_IN_RESPONSE DIFF_LENGTH_IN_RESEND
Configure the service for which you want to configure the test condition.
user@host# set service ICMP
Configure the test condition (specifying the protocol name is not required).
user@host# set test ADDRESSMASK_REQUEST
If you are done configuring the device, enter
commitfrom configuration mode.
Example: UNIX CDE/dtlogin Vulnerability
In this example, your network includes several user workstations and servers running UNIX. Many UNIX operating systems use the Common Desktop Environment (CDE) as a graphical user interface. Your security administrator notifies you of a new vulnerability in the dtlogin process for CDE (the dtlogin process handles a GUI login process to CDE).
The CERT advisory for the vulnerability (http://www.kb.cert.org/vuls/id/179804) contains the following information:
...The dtlogin program contains a "double-free" vulnerability that can be triggered by a specially crafted X Display Manager Control Protocol (XDMCP) packet... Block XDMCP traffic (177/udp) from untrusted networks such as the Internet...
From this information, you know that the attack uses XDMCP protocol packet, and runs on UDP/177. Now you must locate the attack code. The advisory also includes references that link to more information about the attack. One reference, http://lists.immunitysec.com/pipermail/dailydave/2004-March/000402.html, indicates that the person who first reported the attack has also written a script that replicates the attack. Obtain the script and move it to the attacker computer in your test lab.
To develop this attack object:
Example: Detect a Worm
Worms and Trojans often bypass firewalls and other traditional security measures to enter a network. In this example, you create a custom attack object to detect the Blaster worm on your network.
The CERT advisory (http://www.cert.org/advisories/CA-2003-20.html) for the Blaster worm gives the following information:
The W32/Blaster worm exploits a vulnerability in Microsoft's DCOM RPC interface...”
From this information, you know that the attack uses DCOM exploit, a previously identified security hole. Now you must locate the attack code. The advisory also includes references that link to more information about the attack. Unfortunately, none of the referenced Web pages contain exploit code. After searching the Web using the information you learned from the CERT advisory, you locate exploit code on PacketStorm (http://packetstormsecurity.com/0307-exploits/dcom.c).
To develop this attack object:
Example: Compound Signature to Detect Exploitation of an HTTP Vulnerability
Some attacks are crafted to appear benign when viewed at a packet-by-packet level. For these attacks, you can create a compound signature that detects multiple signature patterns in multiple contexts (service, nonservice, or both).
In this example, you have a Web server that uses Microsoft FrontPage Server extensions. Your security administrator notifies you of a new buffer overflow vulnerability in the FrontPage Server extensions.
The BugTraq advisory for the vulnerability (http://www.securityfocus.com/bid/9007/discussion/) contains the following information:
Microsoft FrontPage Server Extensions are prone to a remotely exploitable buffer overrun vulnerability ... It is possible to trigger this condition with a chunked-encoded HTTP POST request...
The following proof-of-concept example is also provided:
POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1 Transfer-Encoding: chunked PostLength PostData 0
Additionally, a link to the compiled exploit is included.
From this information, you know that the attack uses the HTTP protocol and that at least part of the attack uses the POST method. Use the link to the compiled exploit to obtain the script, and move it to the attacker computer in your test lab.
To develop this attack object:
Example: Use Time Binding Parameters to Detect a Brute Force Attack
The time binding constraint requires the pattern to occur a certain number of times within a minute in order for the traffic to be considered a match.
You can use the time binding parameter along with the signature to detect signs of a brute force attack. A user changing her password is a harmless event, and is normally seen occasionally on the network. However, thousands of password changes in a minute is suspicious.
In a brute force attack, the attacker attempts to break through system defenses using sheer force, typically by overwhelming the destination server capacity or by repeated, trial-and-error attempts to match authentication credentials. In a brute force login attack, the attackers first gather a list of usernames and a password dictionary. Next, the attacker uses a tool that enters the first password in dictionary for the first user in the list, then tries every password for every user until it gets a match. If the attacker tries every combination of usernames and passwords, they always succeed. However, brute force attacks often fail because the password dictionary is typically limited (does not contain all possible passwords) and the attack tool does not perform permutations on the password (such as reversing letters or changing case).
In this example, you create a signature attack object that detects an excessive number of password changes for users authenticated via HTTP (a Web-based application).
First, you configure an attack pattern:
.*/\[changepassword\.cgi\]
In this expression:
The dot star combination (.*) indicates a wildcard match.
The backslash before a character indicates that the character represents a regular expression and must be escaped. In this case, the character is an opening bracket. The backslash is also used in this expression before the file extension marker (the dot) and before the closing bracket.
The name of the cgi script that is used to change user passwords is included, as well as the cgi extension.
For context, select HTTP-URL-PARSED from the list because you are attempting to detect password changes that occur for Web-based applications. The changepassword.cgi script, when used, appears as part of the URL, but you need to tell the IDP Series device to parse the URL in order to find the name.
Next, you configure time binding.
In these settings:
Scope is set to Peer so the attack pattern can match the event regardless of source or destination.
Count is set to high number (to 1000) to avoid false positives. This value means that the changepassword.cgi script must appear in a URL 1000 times before the attack object is matched.