Countermeasures from Rules

Problem

My web/FTP/SMTP server(s) are logging attack attempts that look like they should be detected by the Snort rules, but Snort isn't seeing them. What is happening?

Solution

This is especially common with HTTP traffic. With the liberal use of UTF-8, Unicode, and even FrontPage HTTP extensions, it is child's play to evade some rules. For example, the evasion attack in the previous recipe would never have been detected by the default Snort rule without the http_inspect preprocessor.

Discussion

The preprocessors play an important role in allowing the rules engine to correctly identify attack traffic. Another suggestion, especially for encoded traffic, is to detect variations on an attack using the new rule keyword pcre (Perl-compatible regular expressions). For more information on creating and using regular expressions, check out Mastering Regular Expressions (O'Reilly). This will not only give you several good reference examples, but also devotes several chapters to the use of regular expressions in Perl. The following rule from Bleedingsnort.com detects most variants of Windows shell access:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Attempt to access SHELL:"; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[(]))[\s]*['\"]*shell[:]/i"; classtype:web-application-attack; sid:2001100; rev:1;)

Even with a regular expression, an attacker could still send a packet with %115%104%101%108%108 in place of shell and get past this rule. You can work around this by tuning the Snort sensor beyond the default http_inspect parameters so that it normalizes hex-encoded characters to ASCII before the rules engine sees the payload.
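As an added illustration (not code from the cookbook or from the Bleeding rule set), the following Python applies the rule's pcre to a few constructed HTML fragments, first raw and then after a hypothetical normalization step that stands in for what tuning http_inspect to decode hex and %u sequences does. The normalize() function and the sample payloads are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# The pcre from the Bleeding-edge rule above, as Python's re engine reads it.
SHELL_PCRE = re.compile(
    r"(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[(]))[\s]*['\"]*shell[:]",
    re.IGNORECASE,
)

def normalize(payload: str, max_rounds: int = 3) -> str:
    """Hypothetical stand-in for http_inspect hex-to-ASCII normalization.

    Decodes IIS-style %uXXXX and standard %XX sequences, repeating so that a
    double-encoded payload (%2573 -> %73 -> s) is fully unwrapped before the
    rule is evaluated. max_rounds bounds the work on hostile input.
    """
    current = payload
    for _ in range(max_rounds):
        decoded = re.sub(r"%u([0-9a-fA-F]{4})",
                         lambda m: chr(int(m.group(1), 16)), current)
        decoded = unquote(decoded)
        if decoded == current:
            break
        current = decoded
    return current

def matches(payload: str, normalize_first: bool) -> bool:
    """True if the rule's pcre fires on the payload (optionally normalized)."""
    text = normalize(payload) if normalize_first else payload
    return SHELL_PCRE.search(text) is not None

# Constructed sample fragments: one plain hit, three encoded variants of the
# same thing, and one benign URL that happens to contain the word "shell".
SAMPLES = {
    "plain":   '<img src="shell:foo">',
    "hex":     '<img src="%73%68%65%6c%6c:foo">',
    "double":  '<img src="%2573%2568%2565%256c%256c:foo">',
    "unicode": '<img src="%u0073hell:foo">',
    "benign":  '<img src="/images/shell_logo.png">',
}

def evaluate() -> dict:
    """Map each sample name to (raw match, match after normalization)."""
    return {name: (matches(p, False), matches(p, True))
            for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (raw, norm) in evaluate().items():
        print(f"{name:8s} raw={raw!s:5s} normalized={norm}")
```

Only the plain fragment trips the pcre on raw bytes; the three encoded variants are caught only once the payload has been normalized, and the benign URL is never matched.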

See Also

H.D. Moore's metasploit framework (http://www.metasploit.org) for some tools to test evasion techniques

Koziol, Jack, et al. The Shellcoder's Handbook. New York: Wiley, 2004.

Snort-sigs mailing list

Friedl, Jeffrey E. F. Mastering Regular Expressions. Sebastopol, CA: O'Reilly, 2002.

Testing Rules
