IPSIDS特征识别和签名或规则编写

1、IPS/IDS特征识别和签名或规则编写HYPERLINK2008年09月02日07:11IT规则或签名要素协议，源IP,目的IP源端口，目的端口，数据报方向,IP报文的TTL域,IP报文的TOS域,IP报文的分片ID域,IP报文的option域,IP报文的fragbits域(分片比特位),IP负载的长度,TCP的flags域，TCP报文的SEQ域，TCP报文的ACK域,ICMP报文的itype类型域,ICMP报文的icode代码域,ICMP报文的icmp_id回应消息ID域,ICMP报文的icmp_seq回应消息序列号域,PALOAD负载如果使用SNORT_INLINE版本,可以用的要素是

2、resp,就是入侵响应,可选方式:rst_snd,rst_rcv,rst_all,icmp_net,icmp_host,icmp_port,icmp_all检测签名和规则编写的时候还要主要协议特征和PAYLOAD的特征位置,比如offset:0;depth:1;这个就是说从PAYLOAD的起始位置开始,长度是1的PAYLOAD作为特征.数据报方向在NFR的NCODE里面可以这样写：Filtersample1tcp(dport:80,client)相当与从你定义的要保护的子网出去的流量.Filtersample1tcp(dport:80,server)相当与其他网络到达你定义的要保护的子网进来的

3、流量.在SNORT的规则里flow:to_server到你要定义的server的流量,flow:from_client是从客户端来的流量,flow还可以指定检测连接的状态的，比如stateless,established等在NCODE里有*.cfg文件定义的几个数据大家要认识一下：backend_id=NID-792-002num_columns=6column_1_attr=IP_ADDR_SRC#源地址column_1_type=p_src_ipcolumn_1_label=SourceAddresscolumn_2_attr=PORT_SRC#源端口column_2_type=p_src

4、_portcolumn_2_label=SourcePortcolumn_3_attr=IP_ADDR_DST#目的地址column_3_type=p_dst_ipcolumn_3_label=DestinationAddresscolumn_4_attr=PORT_DST#目的端口column_4_type=p_dst_portcolumn_4_label=DestinationPortcolumn_5_attr=REASONcolumn_5_type=p_stringcolumn_5_label=Reasoncolumn_6_attr=PAYLOAD蠟据包的DATA部分column_6_t

5、ype=p_stringcolumn_6_label=AdditionalDatagui=listtitle=PPLiveACITVEorigin=NFRdisposition=enableversion=7如果你是检测UDP协议特征，你的签名要素要这样写：IP_ADDR_SRC,ip.src,#源地址PORT_SRC,udp.sport,#UDP协议的源端口IP_ADDR_DST，ip.dst，#目的地址PORT_DST,udp.dport#UDP协议的目的端口IP_PROTO_NUM,17,#UDP协议号如果你检测的是TCP协议特征，你的签名要素要这样写：IP_ADDR_SRC,tcp.c

6、onnsrc,#TCP协议的源地址IP_ADDR_DST,tcp.conndst,#TCP协议的目的地址PORT_SRC,tcp.connsport,#TCP协议的源端口PORT_DST,tcp.conndport#TCP协议的目的端口IP_PROTO_NUM,6,#TCP协议号SNORT和NFR签名的一般写法SNORT规则写法alerttcp$HOME_NETany-$EXTERNAL_NETany(msg：BLEEDING-EDGEP2PDirectConnectTraffic(client-server);flow：from_client,established;content：$MyI

7、NFO;offset：0;depth：7;classtype：policy-violation;reference：url,/wiki/Direct_connect_file-sharing_application;sid：2002814;rev：1;)注释：检测TCP协议,从要保护的本地网络到外部网络的连接,是任意端口到任意端口,即any到any.方向flow:from_client，匹配payload里的第0位开始，长度是7,是否存在$MyINFOalerttcpanyany-any4660：4799(msg：BLEEDING-EDGEP2Ped2kfilerequestanswer;fl

8、ow：to_server,established;content：|e3|;offset：0;depth：1;content：|00000059|;offset：2;depth：4;reference：url,HYPERLINK/practical/GCIH/Ian_Gosling_GCIH.pdf/practical/GCIH/Ian_Gosling_GCIH.pdf;classtype：policy-violation;sid：2000333;rev：5;)注释：检测TCP协议,从任何网络到任何网络的连接,从任意端口到4660：4799(端口在4660到4799之间)，方向是flow

13、90,#签名报警的可信度IP_ADDR_SRC,ip.src,PORT_SRC,udp.sport,IP_ADDR_DST,ip.dst,PORT_DST,udp.dport,$temp1,$temp1,$temp2,$temp2);recordpacket.sec,ip.src,udp.sport,ip.dst,#做数据报记录的功能,#如果attack里的inhitit.values开启了record这个签名的功能#,这里就要录制数据报udp.sport,qqclientconnecttoserver,N/AtoRCDR;#detectqqrequestinfo$temp1=byte(udp

15、backend_id=NID-911-003num_columns=6column_1_attr=IP_ADDR_SRCcolumn_1_type=p_src_ipcolumn_1_label=SourceAddresscolumn_2_attr=PORT_SRCcolumn_2_type=p_src_portcolumn_2_label=SourcePortcolumn_3_attr=IP_ADDR_DSTcolumn_3_type=p_dst_ipcolumn_3_label=DestinationAddresscolumn_4_attr=PORT_DSTcolumn_4_type=p_d

17、)P2P类软件1)EMULE检测它包括UDP的特征和TCP的特征，这里就举一个UDP抓包的例子为了消除误报,可以将检测端口放到1024以上.加上过滤条件下面的图是EMULE的UDP的包1Dat3joaogGd毘或阻JOLDOC-3F200000207d35Lt!(.02iO3DjQ4Dif(substr(udp.blob,0,1)=xe4)#第一个字节是0xe4if(substr(udp.blob,1,1)=x20)|(substr(udp.blob,1,1)=x21)|#第2个字节是0x21(substr(udp.blob,1,1)=x00)|(substr(udp.blob,1,1)=

18、x10)|(substr(udp.blob,1,1)=x18)|(substr(udp.blob,1,1)=x52)|(substr(udp.blob,1,1)=x58)|(substr(udp.blob,1,1)=x59)|(substr(udp.blob,1,1)=x28)|(substr(udp.blob,1,1)=x50)|(substr(udp.blob,1,1)=x40)alert(emule_source,emule_datatransfer_alert,ip.src,udp.sport,ip.dst,udp.dport,-AlertDetails,ALERT_ID,096-02

19、2-001,ALERT_CONFIDENCE,90,ALERT_SEVERITY,low,ALERT_IMPACT,unknown,ALERT_EVENT_TYPE,probe,ALERT_ASSESSMENT,unknown,IP_PROTO_NUM,17,IP_ADDR_SRC,ip.src,PORT_SRC,udp.sport,IP_ADDR_DST,ip.dst,PORT_DST,udp.dport,ed2k,ED2KPROTOCOLDATATRANSFER2);下面举个TCP的例子90,115SS9.3171967TCP115985.4219551114AhH1：F：i5AUK三已q

20、=994Ack=8604eDonkeeMuleExtensionsTCP：unknown116089.4222077116189.4844111110.0.B.67116239.434660711638S.484669860.20.1S9.717eDonkeeMuleExteniorsTCP:unknowrieDonkeeMuleExtenslonsTCP:unknowneDonkeeDonkeyTCP:HashseTRequestTCP4557134SSYrJ.ACK5eq=0Ack=lV/11RQ.4.R4fiQ11O.O.141.1砧一”1.TCP14Rb-4SS7rAfklW戶n=1A

21、rk=1Win=fiSHeader1engrh:20bytesFlage:0x0018Qpsh,ACK)Windowsize:65267匚hecksum:0x7502carrectd-seq/ackanalysis卜eDonkeyProroGole&orikeyPr口tocol3100mo3120313001403150_y7.d325-eCJJni了o7._y25oQ-676c12f&-h-6CJCJe6-.5-dabs9od-dbcJ8p-4276rJFI-663176-.H_4s5p-_y16262-hlg&452p-2&52斗24rl-c937.6603Pirates.of.th

22、已匸aribbeanThEcurse,of.rhe.Biank_口口m.gnwkt4if(substr(tcp.blob,0,1)=xc5)#0xc5第0位if(substr(tcp.blob,5,1)=x01)|(substr(tcp.blob,5,1)=x02)|(substr(tcp.blob,5,1)=x04)|(substr(tcp.blob,5,1)=x60)|(substr(tcp.blob,5,1)=x61)|(substr(tcp.blob,5,1)=x81)|(substr(tcp.blob,5,1)=x82)|(substr(tcp.blob,5,1)=x87)|(su

23、bstr(tcp.blob,5,1)=x85)|(substr(tcp.blob,5,1)=x86)|(substr(tcp.blob,5,1)=x90)|(substr(tcp.blob,5,1)=x91)|(substr(tcp.blob,5,1)=x93)#0xc5第5位alert(emule_source,emule_extensions_alert,ip.src,udp.sport,ip.dst,udp.dport,-AlertDetails,ALERT_ID,096-022-001,ALERT_CONFIDENCE,ALERT_SEVERITY,low,ALERT_IMPACT,

24、unknown,ALERT_EVENT_TYPE,probe,ALERT_ASSESSMENT,unknown,IP_PROTO_NUM,6,IP_ADDR_SRC,ip.src,PORT_SRC,udp.sport,IP_ADDR_DST,ip.dst,PORT_DST,udp.dport,ed2k,ED2KExtensions(Emule)PROTOCOLDATATRANSFER);总结一下:关于特征,如果不是协议特征攻击方面的,就不要找PAYLOAD以外的其他元素,在PAYLOAD里找不一定都是PAYLOAD的头一个字节开始,而且特征都不是一定连续的，可能跳多少个字节才有特征,这个最好把

25、关键的包打印下来,在纸面上比较比较,暂时没有太好的工具来计算特征,所谓特征包,就是能重复出现的包,不论是一台机器上,也不论是一个网段里.2)BT检测BT的UDP特征检测ooooQo-n-4rl-67-sooooQoo日1日1T9o3_dcerj37-.-J2666Q-af19-.J257422_d4dLtl且-.-Jr6-.-J_ys4p-el6z71b63d匚rl-b_y-y1305L.OI7a-h-LrLT-_4_3且2o6Ltlp-JL|_Lnc42862p-o1p-A-e3-Ha且sa1-Js3b33If109o巧o6r-3o457-4-d16C7d33if(substr(udp.bl

26、ob,0,4)=d1:a)|(substr(udp.blob,0,4)=d1:r)#这个特#征比较明显,就是找到字符串是d1:ad2:id20:或者是d1:rd2:id20if(substr(udp.blob,4,8)=d2:id20:)alert(source_bitudp,bit_udp_datatrans_alert,ip.src,ip.dst,-AlertDetails,ALERT_ID,982-002-002,ALERT_SEVERITY,low,ALERT_IMPACT,informationgathering,ALERT_EVENT_TYPE,logging,ALERT_ASSE

27、SSMENT,unknown,IP_PROTO_NUM,17,IP_ADDR_SRC,ip.src,PORT_SRC,udp.sport,IP_ADDR_DST,ip.dst,PORT_DST,udp.dport,BTMETHOD,_9);BT的TCP特征BitTorrentAcknow!edgementnumber:49CrelativeacknumberHeader1ength:20bytes:Flags:0x0018gH,ACK)V/1ndowsize:31952checksum:0xab09correct也/PUTorreriolsx.2aC0061-NI-.-一I.c.Ir9C2

28、7-2f24Lil-74171-1JJJ7-protoc1o72op-c097,or-oo31od-.3sd67-o35so&-J3CIOc_b471-b23b24&74.3fid一；IL.P_uVI-4JsoJ-ooL-d91-oo.ebLI283o4d4r-c7-d716T942afc2Ju_t了5且o4667fab4oo了I-.Iugu-uooQoo丄_-I-4567u-uooQoo卜eeq/atkana.ly5i5if(substr($blob,1,19)=BitTorrentprotocol)#从第1个字节开#始算特征,BitTorrentprotocol是BT软件开始应用层握手的

29、信息$confidence=80;#letsIDthissucker$ind=substr($blob,(1+$hdr_len+8+20+1),2);debug:trace($ind=,$ind,$offset=,(1+$hdr_len+8+20+1);$client=BT_CLIENT_DB$ind;if($client=NULL)#XXXwait,theresmore$client=unknown;if(BT_CLIENT_DBsubstr($ind,0,1)$client=BT_CLIENT_DBsubstr($ind,0,1);总结一下:BT软件是先TCP三次握手，然后应用层握手，接下

34、0Accept:/rnuser-Agent:Mozi11a/40compatible;M5IET00;windows9Srnhost:rhemeqqcomrn匚ache-匚ontrol;门一匚a匚herncookie:pvid=5281466152;flv=S.0rnVnLclllrJooo-I.-42Voo47cno4d4677.ooAudcocl-Q6L=.-.1.-ooQCOcl-4oAu7JU6p-dAuGJ_dp-_yc212fAu7rrl了oo6Mdf4S1od2b6Qoo1b2*oo2f6aods21LTo3I713Lf匚_aoLrp4-=!-562nQ1fQIZo4b713n-

41、检测这里举个MSN传文件的例子9217.Q0272477TCP32492003PacketLength:1446bytescaptureLength:1446bytesProtocolsinframe:eth:ip:tcp:dataiTransmissionControlProtocol,5rcPort:3249(3249),DstPort:Z003E0Sourceport:3249Q249)Desrinationport:2003(20033sequencenumber:4atlwesequencenumber)Nextsequencenumber:1395(relafivesequence

42、number)Acknowledgementnumber:0(relaliveacknumber)Header1ength:20bytes:Flags:0x0018(PSH,ACK)Windowsize:64582chacksuin:0x737correctu1oooooAuoooooooo门：n-_y_dbcdp-fo1-1.-_.!-4rl-67.DataC1392bytesi:-msnin5gnreqbodyr-Lengrn.EUF-GUIO2AB-619bbb-OOgOicarion/r-sessio匸onren:989.D:i5D3E4F795683onlD:10schariri

43、q0.匸琴屮.Fla#、-”：.AppiD：ext:fgi叮MaaaaAOgsAAAEAAADOTViWd42#detectmsnfiletransferif(index($buffer,x41x70x70x49x44x3ax20x32x0dx0a)=0)$to=elem(split($buffer,rn),5);$from=elem(split($buffer,rn),6);$temp=elem(split($buffer,rn),16);$temp1=substr($temp,(strlen(context:);$temp1=substr($temp1,0,100);$filenam

44、e=debase64($temp1);alert(ims_source,msn_file_alert,$from,$to,tcp.connsrc,tcp.conndst,-AlertDetails,ALERT_ID,911-010-002,ALERT_CONFIDENCE,90,ALERT_SEVERITY,info,ALERT_IMPACT,information,ALERT_EVENT_TYPE,logging,filename,$filename,IP_ADDR_SRC,tcp.connsrc,IP_ADDR_DST,tcp.conndst,PORT_SRC,tcp.connsport,

46、rj6fc-1.4-d749.ecl-c4315o7.8Ju8ob55o2452rl-3gd92ECJo6odfoFJo9o7-dfo2-T3f_d5dIdo42cbo87-cf15b4c_yo_d6Ju4_ds64648.fobo1002000300040005000600070OOSO_d1odDatabytesj00200030004000500060007000S0F5cglQlk-s-oa8ob6d87Hoco_doo1oaclo9o23d002f00c4ebflO_y7s46f1cf4f78fo_b24co6528bH-l10b_be=!_cb6_yooaoo5ffd4of04fb

47、Q-d2f3op-37-bo匚87.7foo41bo1O4&Data(612byt也主J66203f0c347d26b3026cS69b00300040005000600070Q080if(udp.sport1024)&(udp.dport1024)if(substr(udp.blob,0,1)=xfe)if(substr(udp.blob,2,2)=x00x00)|(substr(udp.blob,2,2)=x04x04)alert(source_qqliveudpdata,qqlive_udp_datatrans_alert,ip.src,ip.dst,-AlertDetails,ALE

49、r(udp.blob,3,11)=x00x00x00x00x00x00x00x00x00x00x00)alert(source_qqliveudpdata,qqlive_udp_datatrans_alert,ip.src,ip.dst,-AlertDetails,ALERT_ID,988-002-002,ALERT_SEVERITY,info,ALERT_IMPACT,informationgathering,ALERT_EVENT_TYPE,logging,ALERT_ASSESSMENT,unknown,IP_PROTO_NUM,17,IP_ADDR_SRC,ip.s

52、e：url，HYPERLINK/advisories/CA-2001-19.html/advisories/CA-2001-19.html;classtype：web-application-attack;sid：1256;rev：8;)检测URI里是否包含/root.exe在NFR里检测还是比较合理的：KEY_IDA=14;CODERED_VARIANTS/default.idaNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN

53、NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a=CodeRed;CODERED_VARIANTS/default.idaXXXX

54、XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u

55、9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a=CodeRedII;if(KEY_IDAinside$matched&strlen($uri)IISISAPI_INDEXING_BUFSIZE)if(CODERED_VARIANTS$uri)alert(www_iis_source,codered_alert,tcp.connsrc,tcp.conndst,substr(CODERED_VARIANTS$uri,0,1024),-AlertDetails,ALERT_ID,27-64,ALERT_CONFIDENCE,_:c

56、onfidence(90),ALERT_SEVERITY,high,ALERT_IMPACT,codeexecution,ALERT_EVENT_TYPE,attack,ALERT_ASSESSMENT,unknown,CONTEXT,attack:context(codered_alert),IP_PROTO_NUM,6,IP_ADDR_SRC,tcp.connsrc,PORT_SRC,tcp.connsport,IP_ADDR_DST,tcp.conndst,PORT_DST,tcp.conndport,CMD_NAME,$ci_:CLIENT_METHOD,HTTP_URL,$uri);

57、record_:CURRENT_TIME(),tcp.connsrc,tcp.connsport,tcp.conndst,tcp.conndport,CODERED_VARIANTS$uri,$uritoMYRECORDER;misc_attacks:rec(_:CURRENT_TIME(),scope(),CODERED_VARIANTS$uri,tcp.connsrc,tcp.conndst);return(1);elsealert(www_iis_source,iisindexing_alert,tcp.connsrc,tcp.conndst,strlen($uri),-AlertDet

58、ails,ALERT_ID,27-65,ALERT_CONFIDENCE,_:confidence(90),ALERT_SEVERITY,high,ALERT_IMPACT,codeexecution,ALERT_EVENT_TYPE,attack,ALERT_ASSESSMENT,unknown,CONTEXT,attack:context(iisindexing_alert),IP_PROTO_NUM,6,IP_ADDR_SRC,tcp.connsrc,PORT_SRC,tcp.connsport,IP_ADDR_DST,tcp.conndst,PORT_DST,tcp.conndport

59、,CMD_NAME,$ci_:CLIENT_METHOD,HTTP_URL,$uri);record_:CURRENT_TIME(),tcp.connsrc,tcp.connsport,tcp.conndst,tcp.conndport,IISIndexingServiceBufferOverflowAttempt,$uritoMYRECORDER;misc_attacks:rec(_:CURRENT_TIME(),scope(),IISIndexingServiceBufferOverflowAttempt,tcp.connsrc,tcp.conndst);return(1);NCODE里讲