Re: IDS with Case-Based Reasoning

From: Israel (israel_at_ditech.com.br)
Date: 08/31/05

  • Next message: Stefano Zanero: "Re: NADS ( was RE: IPS comparison)" 
    Date: Wed, 31 Aug 2005 09:46:06 -0300
To: focus-ids@securityfocus.com

    Hi,

    It's easy if you know the protocol to be converted. Only use a C
    structure and write the corresponding snort rules value into respective
    position. Empty positions can be filled with fake values, because if it
    was important would be in rule. It's irrelevant.

    Example:

    alert tcp $EXTERNAL_NET 80 -> $HOME_NET 1054 (msg:"BACKDOOR ACKcmdC trojan scan"; ack:101058054; flags:A,12; seq:101058054; flow:stateless; reference:arachnids,445; classtype:misc-activity; sid:106; rev:8;)

    Fill TCP destination port with 1054, source port with 80, the tcp ack
    with 101058054, on ack flag, seq with 101058054.
    Fill the others fields with fake values. dst IP and src IP can be filled
    with 192.168.0.1, by example.

    Some ways exist to capture real packets. Tcpdump is a good way, but
    capture only tcp.
    I'm using libpcap, a C library, and I had good results.

    []'s

    Israel

    Sanjay Rawat wrote:

    > Hi Israel:
    > ok. it sounds well. but why do you want snort rules to be converted
    > into corresponding network packets? i may be missing something here.
    > it is also possible to take the tcpdump files corresponding to attacks
    > and use TcpReplay tool to inject those packets. then see which snort
    > rules get triggered. in this way, you will come to know the traffic
    > corresponding to (required) rules. Am I sounding some sense?
    >
    > regards
    > Sanjay
    >
    >
    >
    > At 07:43 PM 8/25/2005, Israel wrote:
    >
    >> Hi,
    >>
    >> In the beginning, I will use some known attacks logs, generated by
    >> known scans, how nmap, fingerprint and analyzing the TCP packet
    >> content. The strings in content are good attack indication.
    >> "wget%20" , "/bin/sh" are common strings used in server pages attacks.
    >> Common signatures can be found in snort rules. We can build malicious
    >> network packets to use in repository.
    >>
    >> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32
    >> overflow /bin/sh"; flow:to_server,established; content:"/bin/sh";
    >> reference:bugtraq,2347; reference:cve,2001-0144;
    >> reference:cve,2001-0572; classtype:shellcode-detect; sid:1324; rev:6;)
    >> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32
    >> overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90
    >> 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347;
    >> reference:cve,2001-0144; reference:cve,2001-0572;
    >> classtype:shellcode-detect; sid:1326; rev:6;)
    >> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32
    >> overflow"; flow:to_server,established; content:"|00 01|W|00 00 00
    >> 18|"; depth:7; content:"|FF FF FF FF 00 00|"; depth:14; offset:8;
    >> reference:bugtraq,2347; reference:cve,2001-0144;
    >> reference:cve,2001-0572; classtype:shellcode-detect; sid:1327; rev:7;)
    >>
    >> It's some examples found in exploit.rules file.
    >> Currently, I need somebody make a module that converts rules of snort
    >> to real network packets.
    >>
    >> =)
    >>
    >> Icya
    >>
    >>
    >> Sanjay Rawat wrote:
    >>
    >>> Hi Israel:
    >>> This is Sanjay. Its nice to hear about your project, based on CBR. i
    >>> will be happy to participate in discussion on points/problems, which
    >>> you may face during the project. to my understanding, the main issue
    >>> in CBR is to represent the known cases (in your case, attacks) in an
    >>> effective manner. I find good theoretical papers, but less real-life
    >>> implementations of CBR. Most of the applications are from medical
    >>> side. There are couple of papers, suggesting the use of CBR in IDS
    >>> (i dont remember the references at present, probably some googling
    >>> will do that). which attack repository, are you going to use- DARPA?
    >>>
    >>> best wishes and regards
    >>> Sanjay
    >>>
    >>> At 08:13 PM 8/24/2005, Israel wrote:
    >>>
    >>>> Hello,
    >>>>
    >>>> I'm developing a IDS project in my computer science graduation.
    >>>> It will be use Case-Based Reasoning and handle a repository with
    >>>> the malicious network log to generate responses.
    >>>> The libpcap is used to capture a network trafic.
    >>>> Have you suggestions to implementation?
    >>>> The software is under GPL license and I would like to invite
    >>>> interested peoples to program.
    >>>>
    >>>> Thanx
    >>>>
    >>>> Israel Rocha
    >>>>
    >>>>
    >>>> ------------------------------------------------------------------------
    >>>>
    >>>> Test Your IDS
    >>>>
    >>>> Is your IDS deployed correctly?
    >>>> Find out quickly and easily by testing it with real-world attacks
    >>>> from CORE IMPACT.
    >>>> Go to
    >>>> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    >>>> to learn more.
    >>>> ------------------------------------------------------------------------
    >>>>
    >>>
    >>>
    >>> Sanjay Rawat
    >>> Senior Software Engineer
    >>> INTOTO Software (India) Private Limited
    >>> Uma Plaza, Above HSBC Bank, Nagarjuna Hills
    >>> PunjaGutta,Hyderabad 500082 | India
    >>> Office: + 91 40 23358927/28 Extn 422
    >>> Website : www.intoto.com
    >>> Homepage: http://sanjay-rawat.tripod.com
    >>>
    >>>
    >>>
    >>>
    >>
    >>
    >> ------------------------------------------------------------------------
    >> Test Your IDS
    >>
    >> Is your IDS deployed correctly?
    >> Find out quickly and easily by testing it with real-world attacks
    >> from CORE IMPACT.
    >> Go to
    >> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to
    >> learn more.
    >> ------------------------------------------------------------------------
    >>
    >
    > Sanjay Rawat
    > Senior Software Engineer
    > INTOTO Software (India) Private Limited
    > Uma Plaza, Above HSBC Bank, Nagarjuna Hills
    > PunjaGutta,Hyderabad 500082 | India
    > Office: + 91 40 23358927/28 Extn 422
    > Website : www.intoto.com
    > Homepage: http://sanjay-rawat.tripod.com
    >
    >
    >
    >
    >

    ------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it
    with real-world attacks from CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    ------------------------------------------------------------------------

  • Next message: Stefano Zanero: "Re: NADS ( was RE: IPS comparison)"