Detecting Binary Content

Problem

How can I detect when binary content is being used and downloaded on my network(s)?

Solution

The content keyword can detect when binary data is traveling over your network. The content keyword matches both ASCII text and HEX-encoded raw packet data.

For example, this rule triggers when the Napster client application is downloaded:

alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"P2P napster download attempt"; flow:to_server,established; content:"|00 CB 00|"; depth:3; offset:1; classtype:policy-violation; sid:551; rev:7;)

For some organizations, going to the Napster site may be allowed as long as files aren't downloaded. Snort can detect when the policy is actually broken. The following rule triggers on the attempted download of the file itself and its ASCII name:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"P2P Napster client installer"; flow:established; content:"NapsterSetup.exe"; classtype:policy-violation; sid:15543; rev:1;)

Discussion

While rules that detect ACSII content are easier to write, they're open to all kinds of IDS evasion attacks such as character encoding, extra spacing, and even other languages. It is in the best interest of the rule writer to try to find a HEX string in the binary content of the packets for accuracy. Not only are HEX strings faster to detectas Snort doesn't need to perform ASCII translation on the packetbut they are also more accurate alarms.

Finally, if you need some examples of rules that fire for HEX content with explanations, check out the archives of the Snort-sigs list. The list is a good resource for community-created rules and for help, if you're having trouble creating rules or detecting traffic.

See Also

P2P rules at http://www.bleedingsnort.com