[Snort-sigs] OpenSSH

Dragos Ruiu dr at ...60...
Wed Aug 14 22:22:02 EDT 2002


Well not strictly true. It's very easy to look at a particular field in a 
packet and see if a value exceeds a certain integer. Not even cpu intesive.
It would be simply a plug-in not a pre-processor.

The problem in this case is that the integer is encrypted in the encrypted
ssh data. Doing this decrytpion on the fly without the keys on the ids is the
show-stopper. Now if you can figure something else that is externally visible 
about the exploit, like it send a funny packet size or something then you may
still be able to detect it without decrytption,

Snort can process any arbitrary numeric field in the packed body or header 
easily.  Decryption is a more involved task left as an exersize for the 
reader :-P. Not out of the question though... crypto accelerators _do_ exist
and keys can be shared with the ids. Not simple either...

cheers,
--dr

On August 14, 2002 12:25 pm, Matt Kettler wrote:
> This isn't really doable as a mere snort signature. Snort is set up for
> high-speed fixed content matching, with optional case insensitive matching,
> but not breakdown of the data into integers and then doing less
> than/greater than type operations. The only numeric type fields processed
> by rules are header fields like the packet length.
>
> Such detailed analysis of the SSH stream would likely need to be
> implemented as a snort preprocessor.
>
> However, before doing a pre-processor, is the integer in question sent over
> the wire in plaintext? As best I can tell from the SSH protocol internet
> drafts the challenge response authentication performed after the encryption
> keys are already established and that it's a CR authentication through an
> encrypted tunnel. Once the encryption is up, your ability to analyze the
> content of the encrypted data is, or at least should be, nonexistent. At
> that point all you can do is analyze things in the TCP/IP headers.
>
> At 02:50 PM 8/13/2002 -0500, kristofer-roy.g.reyes.1 wrote:
> >Hello,
> >
> >I am trying to write a signiture to detect the Integer/Boundary Condition
> >overflow attack on OpenSSH 3.3 and earlier. Essentially, all exploits will
> >send a packet containing an integer greater than or equal to some specific
> >value. Is there any way to detect something like this?
> >
> >Thanks for the help,
> >Kris Reyes
> >reyes at ...751...
> >
> >
> >
> >-------------------------------------------------------
> >This sf.net email is sponsored by: Dice - The leading online job board
> >for high-tech professionals. Search and apply for tech jobs today!
> >http://seeker.dice.com/seeker.epl?rel_code=31
> >_______________________________________________
> >Snort-sigs mailing list
> >Snort-sigs at lists.sourceforge.net
> >https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
> -------------------------------------------------------
> This sf.net email is sponsored by: Dice - The leading online job board
> for high-tech professionals. Search and apply for tech jobs today!
> http://seeker.dice.com/seeker.epl?rel_code=31
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

-- 
dr at ...60...   pgp: http://dragos.com/kyxpgp
"The question of whether computers can think is like the question
  of whether submarines can swim." --Edsger Wybe Dijkstra 1930-2002





More information about the Snort-sigs mailing list