[Snort-sigs] Suggestions for new attack response rules

Joe Patterson jpatterson at ...2901...
Fri Dec 3 11:11:03 EST 2004


well, for anyone who wants to, and runs oinkmaster, a way to do this would
be:

add the following rule to your local.rules (or wherever):

alert tcp any $HTTP_PORTS -> any any (msg:"ATTACK-RESPONSES HTTP attack OK
response"; flow:from_server,established; pcre:"/HTTP/1.1 (2|3)\d\d/";
flowbits:isset,http-attack; classtype:successful-user;)

and then add the following to oinkmaster.conf, or something included
therein:

# template for adding an http-attack flowbit to http-based rules
define_template http_attack \
  "\b(sid\s*:\s*\d+\s*;)" | \
  "$1 flowbits:set,http-attack;"
# and then there's the list of sids to apply this to.
# This is a quick-and-dirty list of 988 rules that can *probably*
# benefit from this addition.  Feel free to whittle down or
# add at your discretion.
use_template http_attack 1133 1545 803 1607 804 805 806 1637 807 808 809 810
811 812 813 815 1571 818 817 1410 819 820 821 1700 823 824 825 1608 826 827
828 829 1451 830 833 834 1644 835 1645 1646 836 837 838 839 840 841 842 843
844 1452 845 1453 846 847 848 849 850 1454 851 852 853 854 856 857 858 859
860 861 863 864 866 867 869 1536 1537 1456 1701 1455 882 1457 1458 870 871
873 875 878 879 880 881 883 1610 884 1762 886 887 888 889 890 891 892 893
1531 894 1459 1460 1532 1533 1461 1462 895 1397 896 1222 897 1572 898 899
1702 900 901 902 1308 1392 1395 1396 1405 1534 1406 877 885 1648 832 1649
1309 862 872 868 865 1703 1465 1573 1466 1574 1467 1468 1469 1470 1471 1879
1472 1473 1704 1474 1475 1476 1478 1479 1480 1481 1482 1730 1483 1606 1617
1600 1601 1602 1501 1502 1731 1503 1505 1506 1507 1508 1509 1510 1511 1512
1513 1514 1515 1516 1517 1705 1706 1707 1708 1650 1539 1542 1543 1547 1548
1553 1554 1555 1556 1557 1565 1566 1569 1570 1590 1591 1592 1628 1593 1594
1597 1598 1599 1651 1652 1653 1654 1655 1656 1657 1658 1709 1710 1711 1712
1713 1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1642 1643 1668
1669 1051 1052 1053 1088 1611 1089 1090 1092 1093 2051 1097 1106 1149 1865
1163 1172 1174 1185 1535 1194 1195 1196 1727 1204 1205 1206 1208 1211 1215
1219 1305 1304 1306 1488 1307 1494 1495 1496 1787 1788 1763 1764 1765 1805
1822 1823 1824 1825 1870 1875 1876 1877 1878 1931 1932 1933 1994 1995 1996
2001 1862 2052 1850 2053 2054 2055 2085 2086 2115 2116 2127 2128 2194 2195
2196 2197 2198 2199 2200 2201 2202 2203 2204 2205 2206 2207 2208 2209 2210
2211 2212 2213 2214 2215 2216 2217 2218 2219 2220 2221 2222 2223 2224 2225
2323 2387 2388 2396 2397 2433 2434 2567 2568 903 904 905 906 907 908 909 910
911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929
930 931 932 933 935 936 1659 1540 1970 1076 1806 1618 1626 1750 1753 1754
1756 1772 1660 1484 1485 1486 1487 969 971 1243 1242 1244 1245 972 973 974
975 976 977 978 979 980 984 985 986 1725 987 988 991 992 994 995 996 997 998
999 1000 1661 1002 1003 1004 1005 1007 1380 1008 1009 1010 1011 1012 1013
1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029
1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044
1726 1046 1256 1283 1400 1401 1402 993 1285 1286 1287 1595 1817 1818 1075
1567 1568 1802 1803 1804 1801 2090 2091 2117 2129 2130 2157 2131 2132 2133
2134 2247 2248 2249 2321 2322 2324 2325 2326 2386 2571 2572 2573 1248 1249
937 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956
957 958 959 960 961 962 963 964 965 966 967 968 1288 990 1497 1667 1250 1047
1048 1050 1056 1057 1058 1059 1060 1061 1062 1064 1065 1066 1067 1068 1069
1977 1978 1070 1071 1072 1073 1077 1078 1079 1080 1081 1082 1083 1084 1091
1095 1096 1098 1099 1100 1101 1102 2585 1103 1105 1612 1107 1108 1109 1110
1111 1112 1115 1116 1117 1118 1119 1120 1122 1123 1124 1125 1126 1127 1128
1129 1130 1131 1136 1140 1613 1141 1142 1143 1144 1145 1662 1146 1147 1148
1150 1151 1152 1153 1154 1575 1576 1577 1578 1579 1580 1581 1582 1583 1584
1585 1586 1155 1156 1157 1158 1159 1160 1162 1164 1614 1165 1166 1167 1168
1173 1175 1177 1180 1181 1182 1587 1183 1184 1186 1187 1588 1188 1189 1190
1191 1381 1192 1193 1880 1198 1202 1615 1207 1209 1212 1213 1214 1216 1217
1218 1220 1589 1221 1224 1230 1234 1235 1054 1241 1259 1139 1258 1260 1291
1001 1302 1303 1113 1375 1376 1385 1389 1391 1403 1404 1433 1434 1489 1492
1493 1663 1664 509 1769 1770 1500 1519 1520 1521 1522 1523 1524 1525 1526
1527 1528 1544 1546 1551 1552 1559 1560 1563 1564 1603 1670 1671 1738 1744
1757 1766 1767 1231 1809 1807 1814 1820 1826 1827 1828 1829 1830 1831 1835
1839 1847 1848 1849 1851 1852 1857 2230 1871 1872 1873 1874 1881 1171 1104
1087 1808 1943 1944 1969 1979 2056 2057 2058 2059 2060 2061 2062 2063 2064
2065 2066 2067 2068 2069 2070 2071 2072 2073 2135 2136 2137 2138 2139 2156
2231 2232 2233 2234 2235 2236 2237 2238 2239 2240 2241 2242 2243 2244 2245
2246 2276 2277 2278 2327 2369 2370 2371 2381 2395 2400 2407 2408 2411 2441
2442 2484 2447 2448 2505 2520 2522 2515 2569 2570 2581 2582 2597 2598 1233
2435 2436 1284 1774 1423 1425 1736 1737 1739 1740 1741 1742 1743 1745 1773
1815 1816 1834 1967 1968 1997 1998 1999 2000 2002 1134 1161 1178 1179 1197
1300 1301 1407 1399 1490 1491 1137 1085 1086 1254 1255 2074 2075 2076 2077
2078 2140 2141 2142 2143 2144 2145 2146 2147 2148 2149 2150 2151 2152 2153
2154 2155 2226 2227 2228 2229 2279 2280 2281 2282 2283 2284 2285 2286 2287
2288 2289 2290 2291 2292 2293 2294 2295 2296 2297 2298 2299 2300 2301 2302
2303 2304 2305 2306 2307 2328 2331 2341 2342 2345 2346 2347 2353 2354 2355
2356 2357 2358 2359 2360 2361 2362 2363 2364 2365 2366 2367 2368 2372 2393
2398 2399 2405 2410 2565 2566 2575 2588 2654 1887

-Joe
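
As an added example (not code from this post, from oinkmaster or from Snort), the following Python script applies the same sid-anchored template to a constructed rule and then models the request/response flowbit pairing on a few constructed flows, including the 'content:!"404 page not found"' exclusion discussed earlier in the thread. The sample rule text, flow ids and response bodies are all constructed for illustration.

```python
import re

# Constructed sample rule in Snort 2.x syntax (not a verbatim VRT rule).
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
               '(msg:"WEB-IIS cmd.exe access"; flow:to_server,established; '
               'content:"cmd.exe"; nocase; classtype:web-application-attack; '
               'sid:1002; rev:6;)')

# Same regex the oinkmaster template anchors on: the sid option.
SID_RE = re.compile(r"\b(sid\s*:\s*\d+\s*;)")
# Status-line pattern from the ATTACK-RESPONSES rule (2xx or 3xx).
STATUS_RE = re.compile(r"HTTP/1\.1 (2|3)\d\d")

def add_flowbit(rule, bit="http-attack"):
    """Insert 'flowbits:set,<bit>;' right after the sid option, as the
    oinkmaster template does; idempotent so re-running is harmless."""
    if f"flowbits:set,{bit};" in rule:
        return rule
    return SID_RE.sub(lambda m: f"{m.group(1)} flowbits:set,{bit};", rule, count=1)

def http_attack_alerts(flows, custom_404=None):
    """Model the two-rule pairing flow by flow.
    flows: (flow_id, attack_rule_matched_request, server_response).
    custom_404: optional string modelling content:!"..." for servers
    that answer 200 with a custom 404 body (situation 3 in the thread)."""
    alerts = []
    for flow_id, attack_matched, response in flows:
        bits = {"http-attack"} if attack_matched else set()   # flowbits:set
        if "http-attack" not in bits:                          # flowbits:isset
            continue
        if not STATUS_RE.search(response.split("\r\n", 1)[0]): # pcre on status line
            continue
        if custom_404 and custom_404 in response:              # content:!"..."
            continue
        alerts.append(flow_id)
    return alerts

# Constructed flows: the same cmd.exe request reaching different servers.
FLOWS = [
    ("f1", True,  "HTTP/1.1 200 OK\r\nServer: IIS\r\n\r\n<DIR> listing"),  # unpatched box
    ("f2", True,  "HTTP/1.1 400 Bad Request\r\n\r\n"),                     # the apache case
    ("f3", False, "HTTP/1.1 200 OK\r\n\r\n<html>home</html>"),             # benign request
    ("f4", True,  "HTTP/1.1 200 OK\r\n\r\n404 page not found"),            # custom 404 as 200
]

if __name__ == "__main__":
    print(add_flowbit(SAMPLE_RULE))
    print(http_attack_alerts(FLOWS))                                   # ['f1', 'f4']
    print(http_attack_alerts(FLOWS, custom_404="404 page not found"))  # ['f1']
```

Flow f2 is the case Joe describes (real attack, 400 response, no ATTACK-RESPONSES alert) and f4 shows why the custom-404 negation is needed on servers that answer 200 for everything.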


> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net
> [mailto:snort-sigs-admin at lists.sourceforge.net]On Behalf Of Matthew
> Jonkman
> Sent: Friday, December 03, 2004 10:17 AM
> To: Joe Patterson
> Cc: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] Suggestions for new attack response rules
>
>
> Ahhh, well that tells you how closely I was reading the thread. :)
>
> Disregard. I'm still happy to do some testing if you get the idea
> complete.
>
> Matt
>
> Joe Patterson wrote:
>
> > The problem is that it's not just a new snort rule.  It's a new snort rule
> > *plus* a modification to a whole bunch of existing snort rules.  The rules
> > as I wrote them will never trigger, because there's nothing to ever set that
> > flowbit (and snort will helpfully warn you that you have a rule that's
> > checking for a flowbit that no rule ever sets)
> >
> > -Joe
> >
> >
> >>-----Original Message-----
> >>From: Matthew Jonkman [mailto:matt at ...2436...]
> >>Sent: Friday, December 03, 2004 8:54 AM
> >>To: Joe Patterson
> >>Cc: snort-sigs at lists.sourceforge.net
> >>Subject: Re: [Snort-sigs] Suggestions for new attack response rules
> >>
> >>
> >>I would go along with this myself. I tend to err on the side of more
> >>information being a good thing, up to the threshold of saturation of
> >>course.
> >>
> >>Let's put these up in the bleeding rules for a while and see how they go
> >>eh? Worst thing that can happen is get slammed with falses for a few
> >>minutes and have to take them back out.
> >>
> >>I'll post the rule below shortly. Any ideas for modification welcome.
> >>
> >>Matt
> >>
> >>Joe Patterson wrote:
> >>
> >>
> >>>I wouldn't say it necessarily breaks down.  In situation 1, you don't care,
> >>>because you don't care about these rules anyway.  In situation 2, an
> >>>attacker has to, in their initial attack, not only compromise the server,
> >>>but cause the server to change its handling of the cgi that it is *currently
> >>>running* to non-parsed-header mode, and then send back a 4xx/5xx header.
> >>>That may be possible, but I would say that it *really* raises the bar.
> >>>Situation 3 raises the bar a bit less.  An attacker has to do all the normal
> >>>work of compromising a server, and has to make sure that all of the replies
> >>>he gets include that custom 404 message.
> >>>
> >>>The primary utility I'm trying to get to here is this.  Looking at one of my
> >>>apache webservers, in the last two weeks I've gotten 70 requests for
> >>>/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir.  They all got a 400
> >>>response.  They all triggered an IDS alert.  Those alerts weren't really
> >>>false positives.  It was a real attack, but the server wasn't vulnerable.  I
> >>>certainly can't ignore those alerts, but I can take my time getting to them.
> >>>However, if someone were to (unbeknownst to me) stick an unpatched IIS box
> >>>in the DMZ, and that same request came in and received a 200 OK response, I
> >>>would absolutely want to know about it immediately.  That's what I see as
> >>>the primary value of these rules.
> >>>
> >>>-Joe
> >>>
> >>>
> >>>
> >>>>-----Original Message-----
> >>>>From: snort-sigs-admin at lists.sourceforge.net
> >>>>[mailto:snort-sigs-admin at lists.sourceforge.net]On Behalf Of Jason
> >>>>Sent: Thursday, December 02, 2004 10:33 PM
> >>>>To: Joe Patterson
> >>>>Cc: Brian; snort-sigs at lists.sourceforge.net
> >>>>Subject: Re: [Snort-sigs] Suggestions for new attack response rules
> >>>>
> >>>>
> >>>>The concept breaks down the moment the attacker instructs the server to
> >>>>return a HTTP 404 error document with the content you need and then
> >>>>spawns a shell to you.
> >>>>
> >>>>Joe Patterson wrote:
> >>>>
> >>>>
> >>>>>It's not simple, and it's certainly not perfect.  (if we only allowed
> >>>>>perfect rules, we'd have a lot fewer rules than we do)  But even given that,
> >>>>>I think it could be useful.  The primary utility lies in setting the
> >>>>>flowbit for the http-based attacks.
> >>>>>
> >>>>>Given the following situations:
> >>>>>1) you don't have any web servers, you're just monitoring traffic out to the
> >>>>>net in general.
> >>>>>Then you would probably want to disable the 4 attack response rules, because
> >>>>>the web servers "out there" aren't under your control, and you don't
> >>>>>necessarily care if they're actually compromised, you primarily care if
> >>>>>someone in the network that *is* under your control is trying to hack other
> >>>>>people's boxes.
> >>>>>
> >>>>>2) you do have webservers, all of which are well-behaved and use http status
> >>>>>codes in appropriate ways.
> >>>>>Wonderful, now you'll not only know when people attack, but when they
> >>>>>succeed.
> >>>>>
> >>>>>3) you have webservers that aren't quite standards compliant.  For instance,
> >>>>>I believe that IIS servers with a custom 404 page actually give a status of
> >>>>>200, but return the custom 404.
> >>>>>This isn't too big a deal.  Edit the 4 signatures for attack responses so
> >>>>>that they will match anything that isn't your custom 404 page.  Perhaps
> >>>>>something like 'content:!"404 page not found"' or whatever suits your
> >>>>>environment.
> >>>>>
> >>>>>4) most of your webservers are compliant, but one or two are smoking crack,
> >>>>>and can't be trusted to return meaningful status codes for anything.
> >>>>>Add a suppression by_src for these rules, and only care about the alerts
> >>>>>from your more well-behaved webservers.
> >>>>>
> >>>>>I just can't think of a case where these rules would actually be *bad*, and
> >>>>>there are certainly quite a few places where they would be useful.
> >>>>>
> >>>>>I guess the alternative is to use oinkmaster with a modification map for the
> >>>>>1K or so rules that I think need it to add the flowbits chunk.  But I felt
> >>>>>like this was a useful enough thing that it would be worth adding to the
> >>>>>main distribution.
> >>>>>
> >>>>>-Joe
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>>-----Original Message-----
> >>>>>>From: Brian [mailto:bmc at ...95...]
> >>>>>>Sent: Wednesday, December 01, 2004 4:02 PM
> >>>>>>To: Joe Patterson
> >>>>>>Cc: snort-sigs at lists.sourceforge.net
> >>>>>>Subject: Re: [Snort-sigs] Suggestions for new attack response rules
> >>>>>>
> >>>>>>
> >>>>>>On Wed, Dec 01, 2004 at 03:51:25PM -0500, Joe Patterson wrote:
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>>alert tcp any $HTTP_PORTS -> any any (msg:"ATTACK-RESPONSES User attack OK
> >>>>>>>response"; flow:from_server,established; pcre:"/^HTTP/1.1 (2|3)\d\d/";
> >>>>>>>flowbits:isset,http-user-attack; classtype:successful-user;)
> >>>>>>
> >>>>>>Yes, I've thought about this for a long time.  It's not anywhere near
> >>>>>>as simple as you suggest.
> >>>>>>
> >>>>>>Look at how nessus handles error codes.  MANY websites no longer use
> >>>>>>200s for "good", and 300s & 400s for various errors, they use 200s for
> >>>>>>EVERYTHING.
> >>>>>>
> >>>>>>Sure, you might get a good feeling for the one or two sites you are
> >>>>>>looking at for reducing false positives.  In the rest of the world,
> >>>>>>just looking at HTTP codes is NOT enough.
> >>>>>>
> >>>>>>Brian
> >>>>>>
> >>>>>>
> >>>>>
> >>>>>
> >>
> >>
> >>
> >
> >
> >
> > -------------------------------------------------------
> > SF email is sponsored by - The IT Product Guide
> > Read honest & candid reviews on hundreds of IT Products from real users.
> > Discover which products truly live up to the hype. Start reading now.
> > http://productguide.itmanagersjournal.com/
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
> --
> --------------------------------------------
> Matthew Jonkman, CISSP
> Senior Security Engineer
> Infotex
> 765-429-0398 Direct Anytime
> 765-448-6847 Office
> 866-679-5177 24x7 NOC
> my.infotex.com
> www.offsitefilter.com
> --------------------------------------------
>
>
>
>
>
>
