What Is an Intrusion?


At the scene of a crime, one of the first tasks of the forensic evidence technician is the gathering of fingerprints. These fingerprints can be used to determine the identity of the criminal. Just as in criminal forensics, network forensics technicians gather fingerprints at the scene of a computer crime. The fingerprints are extracted from the victim computer's log and are known as signatures or footprints. Almost all exploits have a unique signature. Let's look at the signatures of our three: Directory Traversal, CodeRed, and Nimda.

  • Directory Traversal footprint The Directory Traversal exploit, also known as the dot-dot ("../") exploit, worked against IIS 4.0 and 5.0 when the "/" or "\" in the path was supplied as an overlong (malformed) UTF-8 sequence: IIS checked the raw URL for "../" first and decoded the Unicode afterwards, so the traversal slipped past the check. For example, if an attacker entered the string in Figure 4.4 into a browser, a directory listing from the victim's computer would be returned to the attacker's system. The important part of this example is the uniqueness of the pattern /..%c1 (here ..%c1%1c, an overlong encoding of "\"; ..%c0%af, an overlong "/", is the other form commonly seen in the wild). The pattern can be used as a digital fingerprint or signature/footprint in an IDS; a rule should cover both encodings, since an attacker needs only one of them.

start figure

http://Victim.com/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir

end figure

Figure 4.4: Directory Traversal Footprint

  • CodeRed footprint For the CodeRed exploit, the system footprint was provided by CERT Advisory CA-2001-19, which stated that CodeRed worm activity can be identified on a machine by the presence of the entry in Figure 4.5 in the Web server log files. The footprint in Figure 4.5 is extremely important from an intrusion detection point of view: it is exactly the information a detection rule needs. Note that by the time the entry appears in the log, the request has already been processed; to stop the intrusion before it can do damage to your network, the same pattern has to be matched on the wire by a network IDS or an inline filter, with the log entry serving as after-the-fact confirmation.

start figure

/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6805%ucbd3%u7801 etc.

end figure

Figure 4.5: CodeRed Footprint

  • Nimda footprint The numerous footprints described in CERT Advisory CA-2001-26 read like a dictionary of exploits. Figure 4.6 displays a few of the exploits delivered in its payload. When one is building an intrusion detection rule, Nimda's system footprints offer many signatures from which to choose. Furthermore, because the infected ("zombie") machines or attacker scripts cycle through the complete list, any single entry could be used to detect the intrusion. The most obvious one to use (from a security administrator's point of view) is GET /scripts/root.exe: a GET for root.exe in an HTTP request is very suspicious, especially on a Windows machine, and it does not depend on decoding any of the encoded "../" variants that appear in the other entries.

start figure

GET /scripts/root.exe?/c+dir
GET /c/winnt/system32/cmd.exe?/c+dir
GET /d/winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /_mem_bin/..%5c….%5c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%5c….%5c../winnt/system32/cmd.exe?/c+dir

end figure

Figure 4.6: Nimda Footprint
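The three footprints above can be turned directly into a log scanner. The following is an added example, not code from the book: it runs the raw string signatures from Figures 4.4 to 4.6 over constructed web-server log lines (Apache/NCSA combined format, which is simpler to parse than IIS W3C logs), and then adds a second check that decodes the request the way the vulnerable IIS versions did, so that a traversal hidden behind %5c, %2f, %c0%af or %c1%1c is caught even when the raw pattern is not present. The signature names, the lenient_decode() helper and the sample log are this example's own.

```python
"""Signature scan over web-server log lines for the footprints discussed above.

Added example, not code from the book.  The log lines are constructed and the
signature names and regular expressions are this example's own.
"""
import re
from urllib.parse import unquote_to_bytes

# Raw (un-decoded) patterns from Figures 4.4 - 4.6.  Matching the raw request
# line is what a log-based rule or a plain IDS string match does.
RAW_SIGNATURES = [
    # ..%c0%af and ..%c1%1c / ..%c1%9c: overlong UTF-8 forms of '/' and '\'
    ("iis-unicode-traversal", re.compile(r"\.\.%c[01]%[0-9a-f]{2}", re.I)),
    ("codered-default-ida", re.compile(r"/default\.ida\?N+%u9090", re.I)),
    ("nimda-root-exe", re.compile(r"GET /scripts/root\.exe", re.I)),
    # shared by the traversal of Figure 4.4 and most Nimda entries in Figure 4.6
    ("cmd-exe-dir", re.compile(r"/winnt/system32/cmd\.exe\?/c\+dir", re.I)),
]

# Request line inside a combined-format log entry: "METHOD URI HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d"')


def lenient_decode(uri: str) -> str:
    """Percent-decode, then fold malformed two-byte sequences (lead byte 0xC0
    or 0xC1 followed by any byte) to the ASCII character they over-encode, as
    the vulnerable IIS versions did.  This deliberately reproduces the decoder
    bug so the detector sees the path the server saw; a correct decoder rejects
    these sequences instead of folding them."""
    data = unquote_to_bytes(uri)
    chars, i = [], 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data):
            chars.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            chars.append(chr(b))
            i += 1
    return "".join(chars)


def normalized_traversal(uri: str) -> bool:
    """True if, after decoding and treating '\\' as '/', the requested path
    still contains a '..' segment.  Catches ..%5c.., ..%2f.., ..%c0%af.. and
    plain ../ alike, which a single raw signature does not."""
    path = lenient_decode(uri.split("?", 1)[0]).replace("\\", "/")
    return "/../" in path or path.startswith("../")


def classify(line: str) -> list[str]:
    """Return the names of every signature the log line triggers, in order."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    request = f'{m["method"]} {m["uri"]}'
    hits = [name for name, rx in RAW_SIGNATURES if rx.search(request)]
    if normalized_traversal(m["uri"]):
        hits.append("decoded-traversal")
    return hits


def scan(lines):
    """Yield (client ip, hits) for every line that triggers at least one signature."""
    for line in lines:
        hits = classify(line)
        if hits:
            yield line.split(" ", 1)[0], hits


# Constructed sample log.  Line 1 is Figure 4.4, line 2 a shortened Figure 4.5,
# lines 3-4 entries from Figure 4.6, line 5 a %2f-encoded traversal that only
# the decoded check catches, line 6 benign traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Sep/2001:09:01:02 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1234',
    '198.51.100.7 - - [19/Jul/2001:14:05:11 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 200 -',
    '203.0.113.4 - - [18/Sep/2001:10:21:33 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -',
    '203.0.113.4 - - [18/Sep/2001:10:21:34 -0400] "GET /_vti_bin/..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '203.0.113.9 - - [18/Sep/2001:11:00:00 -0400] "GET /scripts/..%2f..%2fwinnt/win.ini HTTP/1.0" 404 -',
    '192.0.2.22 - - [18/Sep/2001:11:30:00 -0400] "GET /index.html HTTP/1.0" 200 5120',
]

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG):
        print(f"{ip:15} {', '.join(hits)}")
```

The first log line triggers three names at once (the raw Unicode pattern, the shared cmd.exe?/c+dir tail, and the decoded check), which is the point of keeping a decoded-path rule alongside the literal strings: the literal strings are cheap and specific, but the fifth line shows a request that reaches the same kind of target with an encoding none of the three figures list, and only the normalized check flags it.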




The Best Damn Firewall Book Period
ISBN: 1931836906
Year: 2003
Pages: 240