This document provides examples and explanations of rules options and techniques used in Snort intrusion detection rules. It begins with an introduction and overview of the topics to be covered. It then provides examples of rules that detect buffer overflows, protocol decoding, and the Kaminsky DNS cache poisoning bug. For each rule example, it breaks down the rule components and explains what each option is doing. It also provides additional explanations and examples for specific rule options like content, isdataat, byte_test, byte_jump, and PCRE. The document aims to explain both common and non-obvious uses of rule options through examples of real Snort rules.
2. What madness today?
Learn by reviewing actual VRT published rules
Highlight potential issues with certain rule options
Break down some common rule constructs
• Buffer overflow detection
• Protocol decoding
Abuse a VRT team member with the “replace” functionality
3. What is a DQOH?
Matthew Olney (irc nick: dqoh)
VRT Security Analyst for 2 years
Primary Responsibilities:
• Snort rules generation
• QA for SEU and VRT rules feed
• Agent of Karma
Past life:
• Network and Security Engineer
• Cisco
• Snort
• Open source security products
5. Strap In, the Bus is Leaving
This topic could be a multi-day course (and, in some cases, it is)
So I’m assuming:
• You’ve seen rules and know generally how they are laid out
• You can reference the Snort Users Manual for general rules questions (I’ll cite sections as appropriate)
And I’m providing:
• Non-obvious information on rules options
• Usage cases from real Snort rules
• Information on rules options as they occur
Don’t Panic
7. Bus Stop: Content Option
Content can be modified as non-relative:
• content:"A"; depth:3; offset:2;
• Move 2 bytes into the payload and look for “A” within the next 3 bytes.
Content can be modified as relative:
• Relative matches are made from the DOE pointer (usually the end of the previous match)
• content:"A"; content:"B"; distance:4; within:5;
• Find “A”. Then move 4 bytes from the end of “A” and find “B” within the next 5 bytes.
Content can be negative (that is, alert if this isn’t seen):
• content:!"A"; depth:3; offset:2;
Content can be made case insensitive using the nocase; modifier.
Check out sections 3.5.1 – 3.5.7 in the Snort Users Manual for more information.
8. Bus Stop: DOE & relative content example
Relative contents use the DOE pointer
• content:"ABC";
• Places DOE after C
• content:"X"; distance:2; within:5;
• Moves the pointer 2 bytes (first black arrow)
• Looks at the next 5 bytes for an “X” (orange arrow)
• Places the DOE pointer after the X (red arrow)
[Figure: payload bytes A B C X X 00 03 X Y Z, annotated with the DOE after the first content match, the second content match and the final DOE location.]
9. Example 1: Buffer Overflow Detection (sid: 13916)
(flow:established, to_server; content:"username="; nocase; isdataat:450,relative; content:!"&"; within:450; content:!"|0A|"; within:450;)
flow: established, to_server;
• Used to reduce false positives and improve performance.
• Flow is fairly straightforward, but check out Section 3.6.9 for full details
content:"username="; nocase;
• Has the “nocase” modifier so any mix of upper and lower case matches
• The pattern can be anywhere in the payload.
This pattern match will be the anchor for the rest of our detection
10. Example 1: Isdataat usage…
(flow:established, to_server; content:"username="; nocase; isdataat:450,relative; content:!"&"; within:450; content:!"|0A|"; within:450;)
For content:!""; checks involving buffer overflows, we need to make sure the data is there to be checked.
• Negative content matches look for the absence of data, so even if we run out of data, we are still successful
• isdataat: verifies that there is data within the specified distance.
• The check can be relative or non-relative
• Format is: isdataat:<int>[,relative];
• Check out section 3.5.12 for more information on isdataat:
isdataat:450,relative;
• The anchor (username=) is not at a fixed location, so we must make the size check relative to this match
• The relative keyword makes the 450 byte check from the DOE.
11. Example 1, continued
(flow:established, to_server; content:"username="; nocase; isdataat:450,relative; content:!"&"; within:450; content:!"|0A|"; within:450;)
We have now verified that:
• The traffic is directed to a server, and the TCP session is established
• The string “username=” is in the payload
• There is sufficient space for the attack to be delivered
For this protocol on this server, there are two terminating characters, “&” and line feed (LF) 0x0A. We need to check that neither occurs within the next 450 bytes:
• content:!"&"; within:450;
• content:!"|0A|"; within:450;
If we, from the anchor point (username=), have 450 bytes available, and we don’t reach any terminating characters, then we will alert.
12. Bus Stop: dsize
dsize tests the payload size
• Format: dsize: [<>] <number> [<><number>];
• dsize: 300<>400
You might be tempted to use dsize, rather than isdataat, as a size test for buffer overflows. (Spoiler: don’t do this)
• dsize automatically bails on any packet that is part of a reassembled stream.
• This leads to a false-negative situation for certain buffer overflow attacks delivered over more than one packet.
• dsize does not handle relative checks
dsize is designed to test for abnormally sized packets, and isdataat should be used for all other purposes.
14. Example 2: Buffer Overflow Detection (sid: 9813)
(flow:established,to_server; content:"CONNECT_OPTIONS="; nocase; isdataat:900,relative; pcre:"/CONNECT_OPTIONS\x3D[^\x20\x0A\x0D\x00]{900}/smi";)
content:"CONNECT_OPTIONS="; nocase;
• The nocase argument indicates that the pattern can be matched in any combination of lower or upper case characters.
isdataat:900,relative;
• Again, starting at the DOE, verify that there are 900 bytes available for detection
• Note, this is not required for PCRE as it is for negative content checks:
• content:!"A"; within:40; checks for the absence of an A in 40 bytes, or end of packet.
• pcre:"/[^A]{40}/"; looks for 40 consecutive characters that are not “A”.
• This check provides for speed: in the case where there is not sufficient payload left for the buffer overflow attack to happen, we bail on this check rather than calling PCRE for no reason.
• Always find ways to bail before running a PCRE
Now, about that PCRE (remember, don’t panic…)
15. Example 2, continued
pcre:"/CONNECT_OPTIONS\x3D[^\x20\x0A\x0D\x00]{900}/smi";
This is actually a fairly straightforward example of pcre:
The format is pcre:"/REGEX/modifiers";
The \x statement means you are providing a hexadecimal number to check
• \x3D is the ASCII code for “=”
• \x20 is the ASCII code for space
• \x0A is the ASCII code for line feed
• \x0D is the ASCII code for carriage return
• \x00 is the null byte
The [^\x20\x0A\x0D\x00] is a character class declaration, and the ‘^’ means not. That is, PCRE is instructed to match on characters that are not in this class.
The {900} means do this match 900 times, so find 900 characters that are not in the character class.
16. Example 2, final notes
/smi
• i = case insensitive search
• s = include newlines in the dot (.) metacharacter
• m = metacharacters ^ and $ can match before and after a newline, as well as at the beginning and the end of the buffer
• Check 3.5.13 for more modifiers
PCRE can do some powerful things
• And computationally expensive
• And easy to mess up
• Make sure you run it only when you have to
• Test your pcre (pcretest) and optimize.
• Then do it again.
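To make the DOE-pointer behaviour of Examples 1 and 2 concrete, here is an added Python model of the content, isdataat and pcre options (this is not Snort code or code from the presentation; it reimplements the semantics the slides describe, skips the flow: option, and runs sid 13916 and sid 9813 logic over constructed payloads).

```python
import re

# Snort's /i, /s and /m PCRE modifiers map directly onto Python's re flags.
PCRE_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE}


def content(payload, doe, pattern, negated=False, nocase=False,
            offset=0, depth=None, distance=None, within=None):
    """Model of the content option. Returns (matched, new_doe).

    Absolute form: search payload[offset : offset+depth].
    Relative form (distance/within given): search the `within` bytes that
    start `distance` bytes past the DOE. A positive match moves the DOE to
    the byte after the match; a negated match never moves the DOE.
    """
    if distance is None and within is None:
        start = offset
        end = len(payload) if depth is None else offset + depth
    else:
        start = doe + (distance or 0)
        end = len(payload) if within is None else start + within
    window = payload[start:end]
    idx = window.lower().find(pattern.lower()) if nocase else window.find(pattern)
    found = idx != -1
    if negated:
        return (not found), doe
    return (True, start + idx + len(pattern)) if found else (False, doe)


def isdataat(payload, doe, n, relative=False):
    """Model of isdataat:<n>[,relative]: true when a payload byte exists n
    positions past the DOE (n positions into the payload when not relative)."""
    base = doe if relative else 0
    return len(payload) > base + n


def pcre(payload, regex, modifiers=""):
    """Model of pcre:"/regex/modifiers" for the i, s and m modifiers only."""
    flags = 0
    for m in modifiers:
        flags |= PCRE_FLAGS[m]
    return re.search(regex, payload, flags) is not None


def sid_13916(payload):
    """Example 1: username= anchor, 450 bytes of data, no '&' or LF terminator.
    The flow: option is not modelled; assume an established to_server stream."""
    ok, doe = content(payload, 0, b"username=", nocase=True)
    if not ok or not isdataat(payload, doe, 450, relative=True):
        return False
    ok, doe = content(payload, doe, b"&", negated=True, within=450)
    if not ok:
        return False
    ok, doe = content(payload, doe, b"\x0a", negated=True, within=450)
    return ok


def sid_9813(payload):
    """Example 2: anchor, then isdataat so we bail before the expensive PCRE."""
    ok, doe = content(payload, 0, b"CONNECT_OPTIONS=", nocase=True)
    if not ok or not isdataat(payload, doe, 900, relative=True):
        return False
    return pcre(payload, rb"CONNECT_OPTIONS\x3D[^\x20\x0A\x0D\x00]{900}", "smi")


# Constructed payloads (not captures): a normal login, an oversized username,
# and oversized fields that are cut short by a terminator.
BENIGN_LOGIN = b"POST /login HTTP/1.1\r\n\r\nUSERNAME=alice&password=hunter2\r\n"
OVERFLOW_LOGIN = b"username=" + b"A" * 500
TERMINATED_LOGIN = b"username=" + b"A" * 100 + b"&" + b"B" * 400
LF_LOGIN = b"username=" + b"A" * 200 + b"\n" + b"B" * 400
OVERFLOW_CONNECT = b"connect_options=" + b"B" * 950   # nocase and /i both apply
SPACE_IN_CONNECT = b"CONNECT_OPTIONS=" + b"B" * 100 + b" " + b"B" * 900
SHORT_CONNECT = b"CONNECT_OPTIONS=" + b"B" * 50        # isdataat bails, no PCRE run


if __name__ == "__main__":
    for name, fn, pl in [("13916 benign", sid_13916, BENIGN_LOGIN),
                         ("13916 overflow", sid_13916, OVERFLOW_LOGIN),
                         ("13916 terminated", sid_13916, TERMINATED_LOGIN),
                         ("9813 overflow", sid_9813, OVERFLOW_CONNECT),
                         ("9813 space", sid_9813, SPACE_IN_CONNECT),
                         ("9813 short", sid_9813, SHORT_CONNECT)]:
        print(f"{name}: {'ALERT' if fn(pl) else 'no alert'}")
```

The slide 8 walk-through is reproducible with the same functions: content "ABC" on A B C X X 00 03 X Y Z leaves the DOE at 3, and content "X" with distance:2 and within:5 skips the first X and leaves it at 8.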
18. Example 3: Content and the fast pattern matcher
flow:to_server,established; content:"|00 01 87 99|"; depth:4; offset:16; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8;
Three four-byte patterns are in this rule.
• The rule writer chose a specific sequence to speed up detection.
content:"|00 01 87 99|"; depth:4; offset:16;
• Absolute 4 byte match, placed at the beginning as the more unique “longest, first match”
content:"|00 00 01 01|"; within:4; distance:4;
• Relative to the previous match. Note that this could also have been depth:4; offset:24; instead.
• Will act as the anchor for our other detection
content:"|00 00 00 00|"; depth:4; offset:8;
• Will be the final validation that our packet is an attack.
19. Bus Stop: byte_jump
Usage:
• byte_jump: <bytes_to_convert>, <offset> [,relative] [,multiplier <multiplier value>] [,big] [,little] [,string] [,hex] [,dec] [,oct] [,align] [,from_beginning];
• Check out 3.5.15 for details.
By way of example:
• content:"ABC";
• Places DOE after C
• byte_jump: 2, 2, relative;
• Moves the pointer 2 bytes (first black arrow)
• Reads two bytes
• Jumps from the end of the read (second black arrow)
[Figure: payload bytes A B C X X 00 03 X Y Z, annotated with the DOE after the content match, the relative byte_jump read and the final DOE location.]
20. Example 3: Protocol parsing with byte_jump
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
byte_jump is often used to parse length-encoded data.
Here we have two dynamically sized data fields we need to jump over to find the data we need (the same byte_jump structure is used for both data blocks):
• 4 bytes are read starting 4 bytes from the DOE.
• This protocol requires that data be stored on 4-byte boundaries. The ‘align’ keyword tells Snort to round jumps up as necessary to handle this.
• The DOE is then moved the calculated number of bytes
• This process is repeated to jump over the second dynamically sized data field.
By decoding the protocol we are now 20 bytes from a 4 byte size field that declares how large the target field is.
21. Bus Stop: byte_test
Usage:
• byte_test: <bytes to convert>, [!]<operator>, <value>, <offset> [,relative] [,<endian>] [,<number type>, string];
• Section 3.5.14 details the byte_test option.
By way of example:
• content:"ABC";
• Places DOE after C
• byte_test: 2, <, 4, 2, relative;
• Moves the pointer 2 bytes (first black arrow)
• Reads two bytes
• If the value read is less than four, then the check is passed.
• Note: The DOE does not move.
[Figure: payload bytes A B C X X 00 03 X Y Z, annotated with the DOE after the content match and the two bytes read by byte_test.]
22. Example 3: Detecting the overflow
byte_test:4,>,1024,20,relative;
Using anchored content matches and a sequence of byte_jumps, we now know we are 20 bytes from the target size field.
Our research shows that if that field is greater than 1024, then the provided data will overflow a buffer in memory.
We use the above byte_test to make the check:
• Read 4 bytes as a number, starting 20 bytes from the DOE
• If that number is greater than 1024, an attack most likely is underway
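An added Python model of the byte_jump and byte_test walk in Example 3 (not Snort code or code from the presentation): it builds a constructed packet in the layout the rule assumes, with two length-prefixed fields padded to 4-byte boundaries and a size field 20 bytes into what follows, and shows why the align keyword matters when a field length is not a multiple of 4.

```python
import struct

# Comparison operators accepted by byte_test; '&' and '^' are bitwise tests
# whose non-zero result counts as a match.
BYTE_TEST_OPS = {
    "<": lambda a, b: a < b, ">": lambda a, b: a > b, "=": lambda a, b: a == b,
    "&": lambda a, b: (a & b) != 0, "^": lambda a, b: (a ^ b) != 0,
}


def read_uint(payload, start, nbytes, big=True):
    """Convert nbytes of payload at start to an unsigned int; None if short."""
    raw = payload[start:start + nbytes]
    if len(raw) != nbytes:
        return None
    return int.from_bytes(raw, "big" if big else "little")


def byte_jump(payload, doe, nbytes, offset, relative=False, align=False):
    """Model of byte_jump:<nbytes>,<offset>[,relative][,align] (big-endian).
    Reads a length at base+offset and moves the DOE that many bytes past the
    end of the read; align rounds the length up to a 4-byte boundary. Returns
    the new DOE, or None when the read or the landing point is out of range
    (treated here as a failed option)."""
    base = doe if relative else 0
    value = read_uint(payload, base + offset, nbytes)
    if value is None:
        return None
    if align:
        value = (value + 3) & ~3
    new_doe = base + offset + nbytes + value
    return new_doe if new_doe <= len(payload) else None


def byte_test(payload, doe, nbytes, op, value, offset, relative=False):
    """Model of byte_test:<nbytes>,<op>,<value>,<offset>[,relative].
    The DOE is never moved by byte_test."""
    base = doe if relative else 0
    n = read_uint(payload, base + offset, nbytes)
    return n is not None and BYTE_TEST_OPS[op](n, value)


def example3_alert(payload):
    """Walk the Example 3 rule. The three content matches sit at fixed offsets
    (the slide notes the second could be depth:4; offset:24), so they are
    checked with slices; the DOE after the second match is 28."""
    if payload[16:20] != b"\x00\x01\x87\x99" or payload[24:28] != b"\x00\x00\x01\x01":
        return False
    doe = 28
    for _ in range(2):                       # skip two length-encoded fields
        doe = byte_jump(payload, doe, 4, 4, relative=True, align=True)
        if doe is None:
            return False
    if not byte_test(payload, doe, 4, ">", 1024, 20, relative=True):
        return False
    return payload[8:12] == b"\x00\x00\x00\x00"   # final validation


def build_packet(field1, field2, target_size):
    """Constructed packet (not a capture) in the layout the rule walks: a
    28-byte header, two variable fields each encoded as 4-byte tag, 4-byte
    big-endian length and a body padded to 4 bytes, then the arguments whose
    4-byte size field sits 20 bytes in."""
    hdr = bytearray(28)
    hdr[8:12] = b"\x00\x00\x00\x00"
    hdr[16:20] = b"\x00\x01\x87\x99"
    hdr[24:28] = b"\x00\x00\x01\x01"

    def field(body):
        pad = b"\x00" * (-len(body) % 4)
        return b"\x00\x00\x00\x01" + struct.pack(">I", len(body)) + body + pad

    args = b"\x00" * 20 + struct.pack(">I", target_size) + b"\x00" * 8
    return bytes(hdr) + field(field1) + field(field2) + args


BENIGN = build_packet(b"alice12", b"", 64)       # 7-byte body needs alignment
OVERFLOW = build_packet(b"alice12", b"", 4096)

if __name__ == "__main__":
    print("benign:", example3_alert(BENIGN))       # False
    print("overflow:", example3_alert(OVERFLOW))   # True
```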
23. Example 4: Kaminsky DNS Bug detection
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS large number of NXDOMAIN replies possible DNS cache poisoning"; byte_test:1,&,2,3; byte_test:1,&,1,3; byte_test:1,&,128,2; threshold:type threshold, track by_src, count 200, seconds 30; metadata:policy balanced-ips alert, policy security-ips alert, service dns; reference:cve,2008-1447; reference:url,www.kb.cert.org/vuls/id/800113; classtype:misc-attack; sid:13948; rev:2;)
24. Example 4: Detection notes for the Kaminsky Bug
A fairly in-depth technical review of both the bug itself and the detection methodology is available on the VRT white papers page:
• http://www.snort.org/vrt/docs/white_papers/
In short, the detection looks for ‘backscatter’
• Backscatter is the legitimate traffic that is formed in response to attack traffic
• The attack floods a server with random requests, and the legitimate servers will send a flood of NXDOMAIN (i.e. I have no idea what you’re talking about…) responses.
26. Example 4: Why 3 separate byte_tests?
byte_test: 1, &, 3, 3;
• On any byte_test, a non-zero result is a success, so all three cases below will pass the byte test, even though only the case with both flags set is correct

Case             Packet value  byte_test value  Result (AND)
Both flags set   00000011      00000011         00000011
First flag set   00000001      00000011         00000001
Second flag set  00000010      00000011         00000010

The proper approach is to check both values:
• byte_test: 1, &, 2, 3;
• byte_test: 1, &, 1, 3;
The final byte_test ensures the packet is a response:
• byte_test:1,&,128,2;
27. Example 4: Thresholding
threshold:type threshold, track by_src, count 200, seconds 30;
Thresholding is commonly used while tuning the IDS.
Thresholding is discussed in section 3.8 of the Snort Users Manual
• First packet starts the window
• Each additional packet checks for expiration and increments the counter
The thresholding is actually a critical part of the detection methodology:
• The actual attack would generate a huge volume of legitimate NXDOMAIN responses.
In this case, we are looking for 200 NXDOMAIN responses within a 30 second window.
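An added Python model of the three flag byte_tests and the threshold from Example 4 (not Snort code or code from the presentation). It shows on constructed DNS headers why the single-mask test from the previous slide is wrong, and runs the per-source 200-in-30-seconds threshold over constructed response floods; the window semantics are the ones the slide describes, with the counter reset after each alert.

```python
# Constructed DNS headers: 2-byte ID, flags byte 2 (QR is the 0x80 bit),
# flags byte 3 (RCODE is the low 4 bits, NXDOMAIN = 3), then four counts.
def dns_header(qr, rcode, ident=0x1234):
    byte2 = 0x80 if qr else 0x00
    byte3 = rcode & 0x0F
    return bytes([ident >> 8, ident & 0xFF, byte2, byte3]) + b"\x00" * 8


def byte_test_and(payload, offset, mask):
    """Model of byte_test:1,&,<mask>,<offset>: any non-zero AND result matches."""
    return offset < len(payload) and (payload[offset] & mask) != 0


def is_nxdomain_response(dns):
    """The three byte_tests of sid 13948: RCODE bits 2 and 1 both set, QR set."""
    return (byte_test_and(dns, 3, 2) and byte_test_and(dns, 3, 1)
            and byte_test_and(dns, 2, 128))


def single_mask_check(dns):
    """The tempting but wrong byte_test:1,&,3,3 from slide 26."""
    return byte_test_and(dns, 3, 3)


class Threshold:
    """Model of threshold:type threshold, track by_src, count N, seconds S.
    The first event from a source opens its window; later events restart an
    expired window or increment the counter; every N-th event in a window
    fires and the counter starts over."""
    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = {}          # src -> [window_start, events_in_window]

    def event(self, src, ts):
        st = self.state.get(src)
        if st is None or ts - st[0] >= self.seconds:
            st = self.state[src] = [ts, 0]
        st[1] += 1
        if st[1] >= self.count:
            st[1] = 0
            return True
        return False


def run_detector(packets, count=200, seconds=30):
    """packets: iterable of (timestamp, src_ip, dns_bytes). Returns the
    (timestamp, src_ip) of each alert the rule would raise."""
    thr = Threshold(count, seconds)
    alerts = []
    for ts, src, dns in packets:
        if is_nxdomain_response(dns) and thr.event(src, ts):
            alerts.append((ts, src))
    return alerts


def make_flood(src, n, duration, rcode=3, start=0.0):
    """Constructed: n responses from src spread evenly over duration seconds."""
    step = duration / n
    return [(start + i * step, src, dns_header(True, rcode)) for i in range(n)]


if __name__ == "__main__":
    print(run_detector(make_flood("203.0.113.5", 200, 20.0)))   # one alert
    print(run_detector(make_flood("203.0.113.5", 200, 60.0)))   # none: window expires
```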
29. Example 5: Let’s mess with Alex
This is Alex!
Alex is one of the rule writers here in the VRT
Alex spends some of his free time as a webmaster for the Mars Society
We love Alex
We love to mess with people.
30. Example 5: The goal…
Targeting only Alex’s computer, let’s replace the banner on the Mars Society website with one of our choosing.
31. Example 5: In a javascript file…
First we need to figure out how the image is being delivered.
So by looking through some packet captures, we came across this gem...
We need to replace:
• http://www.marssociety.org/portal/logo.jpg
• With a file of our choosing...
#portal-logo {
  background: url(http://www.marssociety.org/portal/logo.jpg) no-repeat;
  border: 0;
  margin: 0.75em 0em 0.75em 1.5em;
  padding: 0;
}
32. Example 5: Content/Replace
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $ALEXPC any (msg:"WE THINK ITS FUNNY"; flow:established,to_client; content:"http://www.marssociety.org/portal/logo.jpg"; replace:"http://vrt-app-01/imagemakeevenlongerr.jpg"; classtype:successful-dos; sid:100001;)
This rule replaces any instance of the logo.jpg string inbound to Alex’s box with the link to our file (hosted on a local box).
• The filename was modified to satisfy the equal-length requirement.
• This replace causes Alex’s browser to request the modified banner and then insert it into the presented webpage.
Notes on the replace keyword:
• Detailed in section 1.5.3 of the Snort Users Manual
• The only thing to remember is that the replace content must match the length of the content it is replacing.
34. Example 5: Disclaimer
All modifications were done to traffic just before it reached Alex’s computer
No exploits or attacks were used, only the functionality of the Snort engine
We had advanced approval
35. Questions?
If you have questions in general:
• snort-sigs mailing list
• snort-users mailing list
• #snort on freenode irc
• research@sourcefire.com
If you have questions or comments on this presentation:
• molney@sourcefire.com