IDS mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Belaboring the point of FPs

From: "Graham, Robert (ISS Atlanta)" <rgraham () iss net>
Date: Fri, 15 Aug 2003 14:25:23 -0400
There is a lot of good points Marty makes about how Snort gives you the
exact results that you ask for. 

I don't mean to take this analogy too far, but I'd like to point out the
stories of genies-in-bottles who give you exactly what you ask for, but
not quite what you want. We all know the story of king Midas who wished
that everything he touched turned to gold -- but then realized the folly
of his ways when he hugged his daughter, which turned her to gold.

I'm not saying that this is a BIG problem for Snort, please don't read
too much into the analogy. It is indeed a good thing that Snort gives
you what you ask for -- I'm just trying to point that it isn't 100%
good.

The basic problem is that the Snort rules language is not expressive
enough to give you what you want. It's like going to a French restaurant
and ordering only those things on the menu that you can pronounce. I
have friends that order bagels at the morning because they are
embarrassed by their poor pronunciation of the French word "croissant".
It's true that the coffee shop is not at fault for delivering what the
customer asked for, but it doesn't mean the customer is completely happy
with his bagel.

I write lots of signatures for my IDS (RealSecure 7). I have written a
clone of Snort (Trons). Most of the signatures that I write cannot be
expressed in the Snort rules language. For example, I put an IMAP
protocol-decode on port 143 that explicitly recognizes what an e-mail
message is, and therefore won't match any patterns inside it (unless, of
course, those patterns are supposed to be for e-mail messages).

You could certainly extend the Snort rules languages with plugins. The
'uricontent' keyword is a good example of a limitation with
pattern-matching that had to be resolved. You could certainly add a
plugin for IMAP that resolves the false-positive discussed below, but
the issue is that nobody has. Such problems can easily be solved within
the Snort architecture, it's just that when you get Snort today, such
problems are not solved.

Again, I'd like to point out that when you use my IDS, you'll get a set
of signatures that I wanted to give you. You can certainly add your own
with the Trons feature and other "protocol-field" capabilities we give
you, and you can sometimes adjust the signatures, but you DON'T have the
complete ability (like Snort) to arbitrarily change the signatures that
I wrote for you. As you can expect, since I wrote the signatures in a
specific way, I believe that you'll get what you 'want' better out of my
IDS than Snort, but it's certainly true that you have less ability to
'ask' my IDS to do something slightly different.


-----Original Message-----
From: Paul Schmehl [mailto:pauls () utdallas edu]
Sent: Monday, August 11, 2003 10:29 PM
To: focus-ids () securityfocus com
Subject: Belaboring the point of FPs


Marty, I'm not picking on you, honest I'm not.  I'm sitting here at
home, 
monitoring our DMZ snort, waiting for the RPC worm to hit, and sure
enough, 
I get a hit on sid 2123 - successful admin, cmd.exe.  So I think, yep, 
there's the first box to get infected.

Here's rule 2123:
alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES 
Microsoft cmd.exe banner"; flow:from_server,established;
content:"Microsoft 
Windows"; content:"(C) Copyright 1985-"; distance:0; content:"Microsoft 
Corp."; distance:0; reference:nessus,11633; classtype:successful-admin; 
sid:2123; rev:1;)

Looks good, but....analysis of the three packets shows very quickly that

it's an FP.  The traffic is *from* our imap server on port 143 *to* an
off 
campus site.  Right direction, wrong alert.  The payload?  A bugtraq
post 
someone was reading about the worm.  I recognized it right away, because
I 
had just read the same post myself.  (No, the off campus address was not

me.)

An anomaly?  Not really.  I see these *every* time some new exploit
shows 
up.  List traffic triggers alerts, because the attack ports are either
not 
specified or by default include mail ports (POP3, IMAP and SMTP).  Now 
surely you will admit *those* are false positives?

Here's the payload (yeah, I know, more alerts :( ):

000 : 2A 20 36 39 31 36 20 46 45 54 43 48 20 28 46 4C   * 6916 FETCH (FL
010 : 41 47 53 20 28 5C 53 65 65 6E 29 20 42 4F 44 59   AGS (\Seen) BODY
020 : 5B 31 5D 20 7B 33 32 32 38 7D 0D 0A 0D 0A 6D 75   [1] {3228}....mu
030 : 6C 74 69 74 68 72 65 61 64 69 6E 67 20 26 6F 73   ltithreading &os
040 : 20 64 65 74 65 63 74 69 6F 6E 20 26 26 20 6D 61    detection && ma
050 : 63 72 6F 73 20 73 75 70 70 6F 72 74 2E 2E 2E 0D   cros support....
060 : 0A 0D 0A 65 78 70 6C 6F 69 74 20 63 61 6E 20 62   ...exploit can b
070 : 65 20 66 6F 75 6E 64 20 68 65 72 65 3A 20 20 77   e found here:  w
080 : 77 77 2E 63 72 6F 75 6C 64 65 72 2E 63 6F 6D 2F   ww.croulder.com/
090 : 68 61 78 6F 72 63 69 74 6F 73 2F 6B 61 68 74 32   haxorcitos/kaht2
0a0 : 2E 7A 69 70 0D 0A 0D 0A 0D 0A 65 78 61 6D 70 6C   .zip......exampl
0b0 : 65 3A 20 4B 61 48 54 2E 65 78 65 20 31 30 2E 31   e: KaHT.exe 10.1
0c0 : 30 2E 34 30 2E 30 20 31 30 2E 31 30 2E 32 35 35   0.40.0 10.10.255
0d0 : 2E 32 35 35 20 33 30 30 0D 0A 5F 5F 5F 5F 5F 5F   .255 300..______
0e0 : 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F   ________________
0f0 : 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F   ________________
100 : 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 0D 0A 20 20 20   ___________..
110 : 20 20 20 20 20 20 20 20 4B 41 48 54 20 49 49 20           KAHT II
120 : 2D 20 4D 41 53 53 49 56 45 20 52 50 43 20 45 58   - MASSIVE RPC EX
130 : 50 4C 4F 49 54 0D 0A 20 20 44 43 4F 4D 20 52 50   PLOIT..  DCOM RP
140 : 43 20 65 78 70 6C 6F 69 74 2E 20 4D 6F 64 69 66   C exploit. Modif
150 : 69 65 64 20 62 79 20 61 54 34 72 40 33 77 64 65   ied by aT4r@3wde
160 : 73 69 67 6E 2E 65 73 0D 0A 20 20 23 68 61 78 6F   sign.es..  #haxo
170 : 72 63 69 74 6F 73 20 26 26 20 23 6C 6F 63 61 6C   rcitos && #local
180 : 68 6F 73 74 20 20 40 45 66 6E 65 74 20 4F 77 6E   host  @Efnet Own
190 : 7A 20 79 6F 75 21 21 21 0D 0A 5F 5F 5F 5F 5F 5F   z you!!!..______
1a0 : 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F   ________________
1b0 : 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F   ________________
1c0 : 5F 5F 5F 5F 5F 5F 5F 5F 5F 5F 0D 0A 0D 0A 20 5B   __________.... [
1d0 : 2B 5D 20 54 61 72 67 65 74 73 3A 20 31 30 2E 31   +] Targets: 10.1
1e0 : 30 2E 34 30 2E 30 2D 31 30 2E 31 30 2E 32 35 35   0.40.0-10.10.255
1f0 : 2E 32 35 35 20 77 69 74 68 20 33 30 30 20 54 68   .255 with 300 Th
200 : 72 65 61 64 73 0D 0A 20 5B 2B 5D 20 53 63 61 6E   reads.. [+] Scan
210 : 20 49 6E 20 50 72 6F 67 72 65 73 73 2E 2E 2E 0D    In Progress....
220 : 0A 2D 20 43 6F 6E 6E 65 63 74 69 6E 67 20 74 6F   .- Connecting to
230 : 20 31 30 2E 31 30 2E 34 30 2E 34 0D 0A 20 20 20    10.10.40.4..
240 : 53 65 6E 64 69 6E 67 20 45 78 70 6C 6F 69 74 20   Sending Exploit
250 : 74 6F 20 61 20 5B 57 69 6E 32 6B 5D 20 53 65 72   to a [Win2k] Ser
260 : 76 65 72 2E 2E 2E 2E 20 46 41 49 4C 45 44 0D 0A   ver.... FAILED..
270 : 20 20 2D 20 43 6F 6E 6E 65 63 74 69 6E 67 20 74     - Connecting t
280 : 6F 20 31 30 2E 31 30 2E 34 30 2E 39 0D 0A 20 20   o 10.10.40.9..
290 : 20 53 65 6E 64 69 6E 67 20 45 78 70 6C 6F 69 74    Sending Exploit
2a0 : 20 74 6F 20 61 20 5B 57 69 6E 58 50 5D 20 53 65    to a [WinXP] Se
2b0 : 72 76 65 72 2E 2E 2E 2E 20 46 41 49 4C 45 44 0D   rver.... FAILED.
2c0 : 0A 20 20 2D 20 43 6F 6E 6E 65 63 74 69 6E 67 20   .  - Connecting
2d0 : 74 6F 20 31 30 2E 31 30 2E 34 30 2E 31 32 0D 0A   to 10.10.40.12..
2e0 : 20 20 20 53 65 6E 64 69 6E 67 20 45 78 70 6C 6F      Sending Explo
2f0 : 69 74 20 74 6F 20 61 20 5B 57 69 6E 58 50 5D 20   it to a [WinXP]
300 : 53 65 72 76 65 72 2E 2E 2E 2E 20 46 41 49 4C 45   Server.... FAILE
310 : 44 0D 0A 20 20 2D 20 43 6F 6E 6E 65 63 74 69 6E   D..  - Connectin
320 : 67 20 74 6F 20 31 30 2E 31 30 2E 34 30 2E 32 31   g to 10.10.40.21
330 : 0D 0A 20 20 20 53 65 6E 64 69 6E 67 20 45 78 70   ..   Sending Exp
340 : 6C 6F 69 74 20 74 6F 20 61 20 5B 57 69 6E 58 50   loit to a [WinXP
350 : 5D 20 53 65 72 76 65 72 2E 2E 2E 0D 0A 20 2D 20   ] Server..... -
360 : 43 6F 6E 65 63 74 61 6E 64 6F 20 63 6F 6E 20 6C   Conectando con l
370 : 61 20 53 68 65 6C 6C 20 52 65 6D 6F 74 61 2E 2E   a Shell Remota..
380 : 2E 0D 0A 0D 0A 4D 69 63 72 6F 73 6F 66 74 20 57   .....Microsoft W
390 : 69 6E 64 6F 77 73 20 58 50 20 5B 56 65 72 73 69   indows XP [Versi
3a0 : 3D 46 33 6E 20 35 2E 31 2E 32 36 30 30 5D 0D 0A   =F3n 5.1.2600]..
3b0 : 28 43 29 20 43 6F 70 79 72 69 67 68 74 20 31 39   (C) Copyright 19
3c0 : 38 35 2D 32 30 30 31 20 4D 69 63 72 6F 73 6F 66   85-2001 Microsof
3d0 : 74 20 43 6F 72 70 2E 0D 0A 0D 0A 43 3A 5C 57 49   t Corp.....C:\WI
3e0 : 4E 44 4F 57 53 5C 73 79 73 74 65 6D 33 32 3E 2E   NDOWS\system32>.
3f0 : 0D 0A 20 2D 20 43 6F 6E 6E 65 63 74 69 6F 6E 20   .. - Connection
400 : 43 6C 6F 73 65 64 0D 0A 20 2D 20 43 6F 6E 6E 65   Closed.. - Conne
410 : 63 74 69 6E 67 20 74 6F 20 31 30 2E 31 30 2E 34   cting to 10.10.4
420 : 30 2E 35 32 0D 0A 20 20 20 53 65 6E 64 69 6E 67   0.52..   Sending
430 : 20 45 78 70 6C 6F 69 74 20 74 6F 20 61 20 5B 57    Exploit to a [W
440 : 69 6E 58 50 5D 20 53 65 72 76 65 72 2E 2E 2E 20   inXP] Server...
450 : 46 41 49 4C 45 44 0D 0A 20 2E 20 2D 20 43 6F 6E   FAILED.. . - Con
460 : 6E 65 63 74 69 6E 67 20 74 6F 20 31 30 2E 31 30   necting to 10.10
470 : 2E 34 30 2E 35 30 0D 0A 20 20 20 53 65 6E 64 69   .40.50..   Sendi
480 : 6E 67 20 45 78 70 6C 6F 69 74 20 74 6F 20 61 20   ng Exploit to a
490 : 5B 57 69 6E 32 6B 5D 20 53 65 72 76 65 72 2E 2E   [Win2k] Server..
4a0 : 2E 0D 0A 20 2D 20 43 6F 6E 65 63 74 61 6E 64 6F   ... - Conectando
4b0 : 20 63 6F 6E 20 6C 61 20 53 68 65 6C 6C 20 52 65    con la Shell Re
4c0 : 6D 6F 74 61 2E 2E 2E 0D 0A 0D 0A 4D 69 63 72 6F   mota.......Micro
4d0 : 73 6F 66 74 20 57 69 6E 64 6F 77 73 20 32 30 30   soft Windows 200
4e0 : 30 20 5B 56 65 72 73 69 3D 46 33 6E 20 35 2E 30   0 [Versi=F3n 5.0
4f0 : 30 2E 32 31 39 35 5D 0D 0A 28 43 29 20 43 6F 70   0.2195]..(C) Cop
500 : 79 72 69 67 68 74 20 31 39 38 35 2D 32 30 30 30   yright 1985-2000
510 : 20 4D 69 63 72 6F 73 6F 66 74 20 43 6F 72 70 2E    Microsoft Corp.
520 : 0D 0A 0D 0A 43 3A 5C 57 49 4E 4E 54 5C 73 79 73   ....C:\WINNT\sys
530 : 74 65 6D 33 32 3E 65 78 69 74 0D 0A 0D 0A 20 2D   tem32>exit.... -
540 : 20 43 6F 6E 6E 65 63 74 69 6F 6E 20 43 6C 6F 73    Connection Clos
550 : 65 64 0D 0A 20 2D 20 43                           ed.. - C

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

------------------------------------------------------------------------
---
Captus Networks - Integrated Intrusion Prevention and Traffic Shaping  
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Automatically Control P2P, IM and Spam Traffic
 - Ensure Reliable Performance of Mission Critical Applications
Precisely Define and Implement Network Security and Performance Policies
**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
Visit us at: http://www.captusnetworks.com/ads/31.htm
------------------------------------------------------------------------
---

---------------------------------------------------------------------------
Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Automatically Control P2P, IM and Spam Traffic
 - Ensure Reliable Performance of Mission Critical Applications
Precisely Define and Implement Network Security and Performance Policies
**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
Visit us at: http://www.captusnetworks.com/ads/31.htm
---------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: