Practical Network Signature Development for Open Source Intrusion Detection Systems Workbook BSides LV / DEF CON 25 Las Vegas, Nevada, USA 2017
© 2017 Open Information Security Foundation Inc. All rights reserved.
This publication is protected by copyright and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise.
Contact: [email protected]
Table of Contents
About ........ 1
Lab 1: Basic Rule Writing ........ 2
Lab 2: Writing Signatures for HTTP Traffic ........ 5
Lab 3: Writing Signatures for SSL/TLS/TOR ........ 8
Lab 4: Writing Signatures for Phishing ........ 11
Lab 5: Writing Signatures for Ransomware ........ 14
Lab 6: Writing Signatures for Malicious Documents ........ 17
Lab 7: Writing Signatures for Exploit Kit Activity ........ 20
Lab 8: Writing Signatures for Targeted Threats ........ 26
APPENDIX: A ........ 29
Practical Network Signature Development For Open Source IDS – Workbook 1

About this workbook

This workbook contains the labs which will be worked on during this class. It is imperative to complete these labs to your best ability to ensure you are understanding the content being taught. Do not hesitate to ask questions or present alternative solutions to the class. This is a collaborative environment in which we all share a common goal, and everyone is here to learn — even the instructors.

That being said, all lab materials are contained on the Virtual Machine distributed at the beginning of the class. The labs are broken down by lab in the ~/Labs/ directory. Additionally, the VM will contain the tools required for the labs. If you are to have any issues using the lab VM or the exercise materials, inform the instructors immediately so it may be corrected.

We have structured the exercises in a way to allow students to answer questions in various levels of difficulty. If you are confident in your skills, try to write signatures for the traffic without hints. If you need some helpful hints, the following pages will contain verbose instructions and hints to help guide you in your rule writing efforts.

If you enjoyed the content in this class, but want more, we offer a private/public (at conferences) multi-day course covering much more in-depth and advanced rule features, tactics, and advanced hands on labs to take rule writing and analysis abilities to the next level. Please do not hesitate to reach out to us below if this interests you!

Step 1: Learn how to write incredible sigs that don't nuke your sensors
Step 2: Deploy sigs in target environments
Step 3: Punch bad guys
Step 4: ????
Step 5: Profit!

Questions after the class? Contact: [email protected]@[email protected]
Lab 1: Basic Rule Writing

After going over some of the foundational and commonly used signature features, we are ready to start from scratch to create our own signatures. This lab will have two options to "choose your own adventure". To complete the exercise without any help, continue below. If you want hints, continue to the next page. For this exercise, please use the PCAP found under ~/Labs/DDoSClient.pcap

DDoSClient.pcap
________________________________________________________________________
With some helpful hints:

Follow this framework for creating your signatures:

alert proto ip_from port -> ip_to port (msg:"MESSAGE"; flow:___,___; content:"contents"; content:"content2"; distance:10; within:20; pcre:"/content/"; sid:1000001; rev:1;)

DDoSClient.pcap

Look at frame 8 for the CnC beacon, and focus on using content that won't change between infected machines — also, this malware only targets Windows machines.
________________________________________________________________________
Lab 1: Basic Rule Writing Answers

DDoSClient.pcap

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"OISF TROJAN Win32.ChinaZ.DDoSClient Checkin"; flow:established,to_server; content:"Windows"; depth:8; content:"|20|MHZ|00|"; fast_pattern; distance:0; content:"|00|Win"; distance:0; content:"|00|"; distance:2; within:2; reference:md5,8643a44febdf73159b2d5c437dc40cd3; classtype:trojan-activity; sid:10000002; rev:1;)
Lab 2: Writing Signatures for HTTP Traffic

As discussed, a lot of signatures relate to HTTP traffic and the http_* keywords. In this lab, we will examine some HTTP traffic and utilize our http_* keywords to perform adequate detection. This lab will have two options to "choose your own adventure". To complete the exercise without any help, continue below. If you want hints, continue to the next page. For this exercise, please use the PCAP found under ~/Labs/Ursnif.pcap

Ursnif.pcap
With some helpful hints:

Follow this framework for creating your signatures:

alert proto ip_from port -> ip_to port (msg:"MESSAGE"; flow:___,___; content:"contents"; fast_pattern; content:"content2"; distance:10; within:20; pcre:"/content/"; sid:1000001; rev:1;)

Ursnif.pcap

alert ____ $HOME_NET ____ -> $EXTERNAL_NET ____ (msg:"OISF TROJAN Ursnif CnC Activity"; flow:__________________; urilen:>____; content:"________"; depth:___; http____; content:"____"; http____; content:"____"; http____; content:"___________________________________________"; depth:____; http_header; content:!"Accept"; http________; content:!"Cookie|3a|"; content:!"Referer|3a|"; http___________; classtype:trojan-activity; sid:10000001; rev:1;)
Lab 2: Writing Signatures for HTTP Traffic Answers

Ursnif.pcap

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"OISF TROJAN Ursnif CnC Activity"; flow:established,to_server; urilen:>125; content:"/images/"; depth:8; http_uri; content:"_2F"; http_uri; content:"_2B"; http_uri; content:"User-Agent|3a20|Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT"; depth:57; http_header; content:!"Accept"; http_header; content:!"Cookie|3a|"; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:10000001; rev:1;)
Lab 3: Writing Signatures for SSL/TLS/TOR

This lab will have you focus on SSL/TLS traffic, and adequately writing a signature to match on certificates in various ways. Using the PCAP available, write signature(s) to detect on the malicious traffic. This lab will have two options to "choose your own adventure". To complete the exercise without any help, continue below. If you want hints, continue to the next page. For this exercise, please use the PCAP found under ~/Labs/Zeus.pcap

Zeus.pcap
________________________________________________________________________
With some helpful hints:

Follow this framework for creating your signatures:

alert (tls|tcp) $EXTERNAL_NET 443 -> $HOME_NET any (msg:"OISF CATEGORY Observed Malicious SSL Cert (Malware Name/Activity)"; flow:established,from_server; content:"|550403|"; content:"|<Decimal length of domain name in Hex>|DomainName|2e|com"; distance:1; within:<Length of byte + domain>; classtype:trojan-activity; sid:100000000; rev:1;)

Zeus.pcap

Break open the SSL certificate in Wireshark and examine the Serial Number. Use this hex in your signature. Look to sig on the OU field (|55040a|) relative to the serial with the appropriate modifiers for distance and within.
Lab 3: Writing Signatures for SSL/TLS/TOR Answers

Zeus.pcap

alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"OISF TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|0900e67b404f24b82af9|"; distance:0; content:"|55040a|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:10000001; rev:1;)
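The Lab 1 and Lab 3 answers both hinge on how depth, distance and within narrow where each content match may land. The following Python is an added example, not part of the workbook or of Suricata/Snort: a deliberately simplified model of those modifiers (the semantics are an assumption stated in the docstring), run over constructed sample bytes rather than the lab PCAPs.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Content:
    """One content: match with the modifiers used in the workbook answers."""
    pattern: bytes
    depth: Optional[int] = None     # absolute: pattern must end within the first N bytes
    distance: Optional[int] = None  # relative: skip N bytes after the previous match
    within: Optional[int] = None    # relative: pattern must end within N bytes of that point
    negated: bool = False           # content:!"..." must NOT be found in its window


def match_chain(payload: bytes, chain: List[Content]) -> bool:
    """Evaluate content matches in order, the way an IDS walks a rule.

    Modelled semantics (assumption, simplified from Snort/Suricata): a match carrying
    distance or within is relative to the end of the previous positive match; any
    other match searches from the start of the buffer, limited by depth.
    """
    cursor = 0  # index just past the last positive match
    for c in chain:
        relative = c.distance is not None or c.within is not None
        if relative:
            start = cursor + (c.distance or 0)
            end = start + c.within if c.within is not None else len(payload)
        else:
            start = 0
            end = c.depth if c.depth is not None else len(payload)
        pos = payload.find(c.pattern, start, end)  # whole pattern must fit in [start:end]
        if c.negated:
            if pos != -1:
                return False
            continue  # a negated match never moves the cursor
        if pos == -1:
            return False
        cursor = pos + len(c.pattern)
    return True


# Lab 1 answer: content:"Windows"; depth:8; content:"|20|MHZ|00|"; distance:0;
#               content:"|00|Win"; distance:0; content:"|00|"; distance:2; within:2;
DDOS_CLIENT_CHECKIN = [
    Content(b"Windows", depth=8),
    Content(b"\x20MHZ\x00", distance=0),
    Content(b"\x00Win", distance=0),
    Content(b"\x00", distance=2, within=2),
]

# Lab 3 answer: content:"|16|"; content:"|0b|"; within:8; content:"|0900e67b404f24b82af9|";
#               distance:0; content:"|55040a|"; distance:0;
#               content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25;
MALICIOUS_SSL_CERT = [
    Content(b"\x16"),
    Content(b"\x0b", within=8),
    Content(bytes.fromhex("0900e67b404f24b82af9"), distance=0),
    Content(bytes.fromhex("55040a"), distance=0),
    Content(b"\x18Internet Widgits Pty Ltd", distance=1, within=25),
]

# Constructed sample payloads (not taken from the lab PCAPs).
BEACON_WINDOWS = b"Windows 7\x00" + b"2400 MHZ\x00" + b"\x00Win" + b"XY\x00\x00"
BEACON_LINUX = b"Linux 3.2\x00" + b"2400 MHZ\x00" + b"\x00Win" + b"XY\x00\x00"
CERT_FRAGMENT = (
    b"\x16\x03\x03\x00\x50"                  # TLS record header, type 0x16 = handshake
    + b"\x0b\x00\x00\x4c"                    # handshake type 0x0b = Certificate + length
    + b"\x30\x82\x01\x22\x02"                # DER filler ending in the INTEGER tag
    + bytes.fromhex("0900e67b404f24b82af9")  # serial: length 9 followed by the value
    + b"\x30\x0d\x06\x03"                    # DER filler before the attribute OID
    + bytes.fromhex("55040a")                # OID 2.5.4.10, the attribute the answer keys on
    + b"\x13"                                # PrintableString tag, skipped by distance:1
    + b"\x18Internet Widgits Pty Ltd"        # length 0x18 = 24, then the 24-byte value
)
CERT_OTHER_SERIAL = CERT_FRAGMENT.replace(
    bytes.fromhex("e67b404f24b82af9"), bytes.fromhex("0102030405060708"))


def is_ddos_client_checkin(payload: bytes) -> bool:
    return match_chain(payload, DDOS_CLIENT_CHECKIN)


def is_malicious_ssl_cert(payload: bytes) -> bool:
    return match_chain(payload, MALICIOUS_SSL_CERT)


if __name__ == "__main__":
    print("DDoS beacon:", is_ddos_client_checkin(BEACON_WINDOWS), is_ddos_client_checkin(BEACON_LINUX))
    print("SSL cert:", is_malicious_ssl_cert(CERT_FRAGMENT), is_malicious_ssl_cert(CERT_OTHER_SERIAL))
```

Note that within:25 leaves exactly one byte of slack for the 25-byte "|18|Internet Widgits Pty Ltd" match, so the distance:1 hop over the ASN.1 string tag is what makes the last match land.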
Lab 4: Writing Signatures for Phishing

This lab will have you focus on traffic related to Phishing which is broken into multiple parts — a landing page, successful phish, etc. We will examine multiple examples in which signatures may be written to detect various stages of a phish. This is important, because an analyst will know how to react depending on what traffic you come across. Using the PCAP available, write signatures to detect on the malicious traffic. This lab will have two options to "choose your own adventure". To complete the exercise without any help, continue below. If you want hints, continue to the next page. For this exercise, please use the PCAP found under ~/Labs/Adobe.pcap

Adobe.pcap

A user received an email containing a PDF attachment with a link to view shared documents. Write signatures to detect the phishing attack chain.
With some helpful hints:

Follow this framework for creating your signatures:

alert proto ip_from port -> ip_to port (msg:"MESSAGE"; flow:___,___; content:"contents"; fast_pattern; content:"content2"; distance:10; within:20; pcre:"/content/"; sid:1000001; rev:1;)

Adobe.pcap

A user received an email containing a PDF attachment with a link to view shared documents. Write signatures to detect the phishing attack chain.

First, we want to detect the tricky behavior this JavaScript is up to. Set up your signature looking at the inbound (from_server) data. Ensure a legit http_stat_code is present, as well as some common headers for a response containing html before using file_data to examine the actual response body. Looking at how the page is refreshed is step one. Write this first signature focusing on the refresh mechanism using some of the static content matches from the JavaScript as well as using PCRE to aid in this.

Second, there is a suspicious decryption of a Base64 blob evident in the page response. Based on this, we could write a generic (INFO) signature to focus on this suspicious behavior. Write two signatures based on this suspicious AES decrypt function by again ensuring this content is found in the page response. Then, use static matches in the JavaScript and more PCRE to account for variations.

Finally, write a signature to detect the successful transmission of credentials to the bad guy server using standard HTTP signature contents and keywords.
Lab 4: Writing Signatures for Phishing Answers

1. Adobe.pcap

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"OISF CURRENT_EVENTS Suspicious Compound Refresh - Possible Phishing Redirect"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a20|text/html"; http_header; file_data; content:"<meta HTTP-Equiv="; nocase; content:"refresh"; nocase; distance:1; within:8; content:"content="; nocase; distance:0; content:"URL="; nocase; distance:0; within:10; content:"text/javascript"; nocase; distance:0; content:"self.location.replace"; fast_pattern; nocase; distance:0; content:"window.location"; nocase; distance:0; within:30; classtype:trojan-activity; sid:10000001; rev:1;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"OISF CURRENT_EVENTS AES Crypto Observed in Javascript - Possible Phishing Landing"; flow:established,from_server; file_data; content:"hea2p"; distance:0; nocase; content:"0123456789ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz"; fast_pattern:40,20; distance:0; content:"hea2t"; distance:0; nocase; content:"Aes"; nocase; distance:0; pcre:"/^\s*?\.\s*?Ctr\s*?\.\s*?decrypt/Rsi"; classtype:trojan-activity; sid:02; rev:3;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"OISF CURRENT_EVENTS AES Crypto Observed in Javascript - Possible Phishing Landing Dec 28 M1"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a20|text/html"; http_header; file_data; content:"Aes.Ctr.decrypt"; nocase; fast_pattern; pcre:"/^\s*?\(\s*[^,]+,\s*?[^,]+,\s*?256\s*?\)/Rsi"; classtype:trojan-activity; sid:03; rev:3;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"OISF CURRENT_EVENTS Successful Adobe Online Phish"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"feedback="; nocase; depth:9; http_client_body; fast_pattern; content:"&feedbacknow="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:04; rev:1;)
Lab 5: Writing Signatures for Ransomware

This lab will have you examine Cerber ransomware, which has been observed lately in mass campaigns. Please follow along with the questions and complete to the best of your ability. Remember to ask questions or consult the hints if you get stuck. For this exercise, please use the PCAP found under ~/Labs/Cerber.pcap

Cerber.pcap

1. What is the first HTTP Request being made here? Why would this take place?
________________________________________________________________________
2. Examine the requests in frames 9-531. Identify what is happening here.
________________________________________________________________________
5. What should be sig'd with the most priority? Least?
________________________________________________________________________
6. Write a signature to detect the CnC requests
7. Write a signature to detect the External IP Address Check
With some helpful hints:

Follow this framework for creating your signatures:

alert proto ip_from port -> ip_to port (msg:"MESSAGE"; flow:___,___; content:"contents"; fast_pattern; content:"content2"; distance:10; within:20; pcre:"/content/"; sid:1000001; rev:1;)

Cerber.pcap

There is a lot of strange activity happening in this one, compared to other ransomware traffic we observe. First off is the protocol — take note of this. While examining these requests, it appears there is a fixed size of the packet (tcp.len), which would be useful. Furthermore, it appears some of the content in these packets remains the same, whereas other parts change — perhaps an anchored PCRE would be best? Lastly, there is a lot of activity, so this rule might fire a lot. We can incorporate a threshold to reduce the number of alerts being generated.

For the IP Check, we can be pretty specific, as we know this is a legit service that probably isn't going to be changing often, and we want to only fire on this specific IP check activity. That being said, be careful about what category this request is placed in.
________________________________________________________________________
Lab 5: Writing Signatures for Ransomware Answers

Cerber Ransomware

1. What is the first HTTP Request being made here? Why would this take place?
This is a GET request to a domain that will return the victim machine's Country, Country Code, External IP Address, and ASN. This could take place so the attacker can identify victims based on geolocation as well as collect the IP Address of the victim machine.

2. Examine the requests in frames 9-531. Identify what is happening here.
This is the Cerber CnC mechanism: UDP packets scanning an IP range which will hopefully hit an active CnC server.

5. What should be sig'd with the most priority? Least?
CnC Checkin 1/2, External IP Check

6. Write a signature to detect the CnC requests
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"OISF TROJAN Ransomware/Cerber Checkin 2"; dsize:9; content:"hi"; depth:2; fast_pattern; pcre:"/^[a-f0-9]{7}$/R"; threshold:type both, track by_src, count 1, seconds 60; reference:md5,ac4d7fb5739862e9914556ed5d50f84f; classtype:trojan-activity; sid:2816763; rev:4;)

7. Write a signature to detect the External IP Address Check
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"OISF TROJAN Possible Cerber Ransomware IP Check"; flow:to_server,established; urilen:5; content:"GET"; http_method; content:"/json"; http_uri; content:"Host|3a20|ipinfo.io"; fast_pattern; http_header; content:"GET /json HTTP/1.1|0d0a|Host|3a20|ipinfo.io|0d0a0d0a|"; depth:39; isdataat:!1,relative; threshold:type threshold, track by_src, count 2, seconds 50; classtype:trojan-activity; sid:2816506; rev:1;)
Lab 6: Malicious Documents

This lab will have you analyze a commonly observed threat to many enterprises: the malicious document. Typically, malicious Office documents rely on macro execution, embedded objects, or exploits to deliver a payload onto the victim machine. Please follow along with the questions and complete to the best of your ability. Remember to ask questions or consult the hints if you get stuck. Your job is to first, identify the events in the PCAPs recovered and write IDS alerts for the observed traffic to detect it in the future. For this exercise, please use the PCAP found under ~/Labs/Maldoc.pcap

Maldoc.pcap

1. List 3 interesting behaviors of the MalDoc request:
________________________________________________________________________
2. What aspects of this request could change? Why?
________________________________________________________________________
3. Why is it important to detect this request, as opposed to just a sig capturing the downloaded executable?
________________________________________________________________________
4. Write a signature to detect the MalDoc request:
________________________________________________________________________
With some helpful hints:

Follow this framework for creating your signatures:

alert proto ip_from port -> ip_to port (msg:"MESSAGE"; flow:___,___; content:"contents"; fast_pattern; content:"content2"; distance:10; within:20; pcre:"/content/"; sid:1000001; rev:1;)

Maldoc.pcap

With many malicious documents, the payloads can be moving targets, so it is important to include a date to reference when the signature was created. That being said, the URI has an important extension and variable that would be a solid content. Furthermore, the User-Agent is certainly unlike most normal browser requests and should be considered. Negations are also important here, so as to not confuse the traffic with normal behavior. Lastly, a PCRE could be useful in the URI buffer.
Lab 6: Malicious Documents Answers

MalDoc

1. List 3 interesting behaviors of the MalDoc request:
HTTP Request Method, User-Agent, URI parameters

2. What aspects of this request could change? Why?
Request method, User-Agent. These could change based on the macro being used (BITS vs system web request, etc).

3. Why is it important to detect this request, as opposed to just a sig capturing the downloaded executable?
These types of requests are important, as they indicate the source of the follow-up executable. Additionally, it serves as a notification that a MalDoc

4. What kind of information should you include in the msg for a threat like this?
MalDoc Activity, Date

4. Write a signature to detect the MalDoc request:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"OISF CURRENT_EVENTS MalDoc Retrieving Payload May 23 2017"; flow:established,to_server; content:".exe?q="; http_uri; content:"User-Agent|3a20|Microsoft BITS/"; fast_pattern:7,20; http_header; content:!"Referer|3a|"; http_header; pcre:"/(?:\/ttt\/)?\/[a-z0-9]{3,15}\.exe\?q=[0-9]{1,5}$/Ui"; reference:md5,5fa40bfb5a83e473e278d835202087d9; classtype:trojan-activity; sid:100000034; rev:1;)
Lab 7: Writing Signatures for Exploit Kit Activity

A computer has been impacted by Neutrino Exploit Kit which delivered a ransomware. Review the associated PCAP and answer the following questions. For this exercise, please use the PCAP found under ~/Labs/Neutrino.pcap

Neutrino.pcap

1. Please identify how the user ended up reaching the exploit kit
________________________________________________________________________
2. What is the URI of the exploit kit landing page?
________________________________________________________________________
3. Which frame contains the GET request resulting in the payload being delivered?
________________________________________________________________________
4. What type of exploit appears to have been used/successful in this attack?
________________________________________________________________________
5. What is the md5 hash and filename of the Flash file used in the exploit?
________________________________________________________________________
6. Write a signature to detect the iframe redirect
7. Write a signature to detect the EK Landing page contents. (Hint: sig the server response body and set a flowbit)
8. Write a signature to detect the Flash exploit
9. Write two signatures: one to set a flowbit on the outbound payload via GET request and one that fires on the payload delivery from the server
10. Can you identify the payload? (Hint: it is ransomware…)
With some helpful hints:

6. Writing a signature to detect the iframe redirect will require sigging the static contents of the iframe, but being mindful of things like spaces and characters that could be variable between samples. In this case, it would be important to find some anomalous behaviors of the iframe, and use a PCRE to capture the structure as a whole, again being cognizant of spaces or characters.

7. Write a signature to detect the EK Landing page contents. In this case we will want to key in heavily on the server response body. There is quite a bit going on, so focus on a version number that can be found there, as well as the anomalous flash function. A PCRE is absolutely necessary here.

8. Write a signature to detect the Flash exploit. Again, we will want to sig the server response here. Because we are looking for flash, sig the flash header (but not the version). We can then utilize 2 PCREs to sig once on the URI structure, and another to signature on some of the headers — importantly Referer and Host having the same value (can use PCRE capture variable ?P).

9. Write two signatures: one to set a flowbit on the outbound payload via GET request and one that fires on the payload delivery from the server. For the first sig, we will write on the outbound request. This will be heavily negated from a header perspective. We will want to write a PCRE starting in the User-Agent field, and ensuring that 'MSIE' is included. We will write a second PCRE to capture the URI structure. Set a flowbit, but we also don't want it to alert. For the second signature, it will be focusing on the server reply. Obviously we are looking for indicators in the header that an executable payload is being downloaded. Utilize the flowbit we had just set on the request. Make some negations for common file magic headers. A PCRE on the content length is a good check to ensure it is a larger number of bytes.
Lab 7: Writing Signatures for Exploit Kit Activity Answers

1. Please identify how the user ended up reaching the exploit kit
A user visited a compromised website which contained an iframe pointing the user to the exploit kit landing page.

2. What is the URI of the exploit kit landing page?
/slay/a2V2anl3cg

3. Which frame contains the GET request resulting in the payload being delivered?
168

4. What type of exploit appears to have been used/successful in this attack?
Flash

5. What is the md5 hash and filename of the Flash file used in the exploit?
MD5 (himself-smell-borrow-32786091.swf) = 4b277d7ec974400e2115219b29b27f2a

6. Write a signature to detect the iframe redirect
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"OISF CURRENT_EVENTS Evil Redirector Leading to EK Jul 12 2016"; flow:established,from_server; file_data; content:"|3c7370616e207374796c653d22706f736974696f6e3a6162736f6c7574653b20746f703a2d31|"; pcre:"/^\d{3}px\x3b\swidth\x3a3\d{2}px\x3b\sheight\x3a3\d{2}px\x3b\x22>\s*?<iframe src=[\x22\x27][^\x22\x27]+[\x22\x27]\swidth=[\x22\x27]2\d{2}[\x22\x27]\sheight=[\x22\x27]2\d{2}[\x22\x27]><\/iframe>\s*\n\s*<\/span>/Rsi"; classtype:trojan-activity; sid:10000000; rev:2;)
7. Write a signature to detect the EK Landing page contents. (Hint: sig the server response body and set a flowbit)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"OISF CURRENT_EVENTS Job314/Neutrino Reboot EK Landing July 07 2016 M1"; flow:established,from_server; content:"Server|3a20|nginx"; http_header; content:!"Cookie|3a20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P<space>[\s\r\n]+)<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P=space)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P=space)<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; flowbits:set,ET.Neutrino; classtype:trojan-activity; sid:100000000; rev:1;)

8. Write a signature to detect the Flash exploit
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"OISF CURRENT_EVENTS Possible Job314/Neutrino Reboot EK Flash Exploit Jan 07 2015 M2"; flow:established,to_server; content:"x-flash-version|3a|"; http_header; fast_pattern; content:!"|0d0a|Cookie|3a|"; pcre:"/^\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|(?=[a-z]*\d+[a-z]+\d)(?=\d*[a-z]+\d+[a-z])[a-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f\x2f(?P<host>[^\r\n\x3a\x2f]+)(?:\x3a\d{1,5})?\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)\r\n.*?Host\x3a\x20(?P=host)(?:\x3a\d{1,5})?\r\n/Hsi"; flowbits:set,ET.Neutrino; classtype:trojan-activity; sid:10000000; rev:3;)
9. Write two signatures: one to set a flowbit on the outbound payload via GET request and one that fires on the payload delivery from the server
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"OISF CURRENT_EVENTS Possible Nuclear EK Payload Dec 06 2015 M2"; flow:to_server,established; content:"Accept|3a20|*/*|0d0a|User-Agent|3a20|"; http_header; fast_pattern; content:!"Accept-"; http_header; content:!"Referer"; http_header; content:!"Cookie|3a|"; pcre:"/^User-Agent\x3a\x20[^\r\n]+(MSIE|rv\x3a11\.0|Edge\/)[^\r\n]+\r\nHost\x3a/Hm"; pcre:"/^\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)$/U"; flowbits:set,Neutrino.EK.Payload; flowbits:noalert; classtype:trojan-activity; sid:10000000; rev:1;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"OISF CURRENT_EVENTS Neutrino EK Payload July 08 2016 M1"; flow:to_client,established; flowbits:isset,Neutrino.EK.Payload; content:"Content-Type|3a20|application/octet-stream|0d0a|"; http_header; fast_pattern:20,20; content:"Server|3a20|nginx"; http_header; content:"ETag|3a|"; http_header; pcre:"/^Content-Length\x3a\x20(?:[2-9]\d{4,6}|1\d{5,6})\r?$/Hm"; file_data; content:!"MZ"; within:2; content:!"PK"; within:2; content:!"GIF"; within:3; content:!"|FFD8FF|"; within:3; content:!"CWS"; within:3; content:!"ZWS"; within:3; isdataat:4,relative; classtype:trojan-activity; sid:10000001; rev:1;)

10. Can you identify the payload? (Hint: it is ransomware…)
CryptXXX
Lab 8: Writing Signatures for Targeted Threats

Targeted threats can come in many forms, and can be difficult to detect. In this exercise, we will examine an APT and its associated traffic to investigate and write sigs to detect. APT/targeted threats can employ all the various techniques we have previously discussed: SSL/TLS, TOR, P2P, DNS, HTTP, and Custom Protocols, thus making them a unique experience to detect. Using the PCAP available, write signatures to detect on the malicious traffic. This lab will have two options to "choose your own adventure". To complete the exercise without any help, continue below. If you want hints, continue to the next page. For this exercise, please use the PCAP found under ~/Labs/Patchwork.pcap

Patchwork.pcap

After plugging in some IOCs from a blog, you find a targeted threat on your network. Write signatures for the CnC beacon, File Exfiltration, and SSL certificate.
With some helpful hints:

Follow this framework for creating your signatures:

alert proto ip_from port -> ip_to port (msg:"MESSAGE"; flow:___,___; content:"contents"; fast_pattern; content:"content2"; distance:10; within:20; pcre:"/content/"; sid:1000001; rev:1;)

alert (tls|tcp) $EXTERNAL_NET 443 -> $HOME_NET any (msg:"OISF CATEGORY Observed Malicious SSL Cert (Malware Name/Activity)"; flow:established,from_server; content:"|550403|"; content:"|<Decimal length of domain name in Hex>|DomainName|2e|com"; distance:1; within:<Length of byte + domain>; classtype:trojan-activity; sid:100000000; rev:1;)

Patchwork.pcap

After plugging in some IOCs from a blog, you find a targeted threat on your network. Write signatures for the CnC beacon, File Exfiltration, and SSL certificate.

The CnC Beacon here is fairly straightforward. Start by examining the HTTP POST. A few things stick out in the URI — some encoding and a php file. Furthermore, some of the headers are strange: be sure to negate normal headers which should exist but are not present. The variable in the content body which is POSTed is very unique and would make for a good fast_pattern. Take advantage of depth here as well.

File exfiltration appears to be using the same type of URI and header structure. The main difference appears to be in the http_client_body in which you should be able to pick out some noteworthy details to match on. Furthermore, check the URI for some encoding which a PCRE could help with.

Lastly, the SSL cert should be recognizable and the CN should be easily sig'd like we discussed in the SSL/TLS section.
Lab 8: Writing Signatures for Targeted Threats Answers

Patchwork.pcap

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"OISF TROJAN Targeted AutoIt FileStealer/Downloader CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php?profile="; http_uri; content:"ddager="; depth:7; http_client_body; fast_pattern; content:"&r1="; distance:0; http_client_body; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:10000006; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"OISF TROJAN Targeted AutoIt FileStealer/Downloader Exfiltrating File"; flow:established,to_server; content:".php?profile="; http_uri; fast_pattern:only; content:"POST"; http_method; content:"name=|22|filename|22|"; http_client_body; content:"0x"; distance:0; http_client_body; content:!"Referer|3a|"; http_header; pcre:"/\.php\?profile=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/U"; classtype:trojan-activity; sid:10000007; rev:1;)

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"OISF TROJAN Patchwork APT SSL Cert"; flow:established,from_server; content:"|550403|"; content:"|08|toigetgf"; distance:1; within:9; classtype:trojan-activity; sid:10000008; rev:1;)
APPENDIX A: Quick Reference Guide for Signature Development
PCRE Basics

Character    Definition    Example
.    Match any character except newline    pcre:"/this.could.be.anything/";
[]    Grouping character sets    pcre:"/[a-f0-9]/";
(?:)    Non-capture group    pcre:"/(?:....)0101/";
*    Match 0 or more of the preceding item    pcre:"/[a-f]*[A-F]/";
+    Match 1 or more of the preceding item    pcre:"/[a-f]+[A-F]/";
?    The preceding item is optional to continue matching    pcre:"/[a-f0-9]?secret/";
{}    Indicates a number of the preceding item must be matched    pcre:"/[a-f0-9]{32}/"; pcre:"/[0-9]{,2}/"; pcre:"/[0-9]{10,}/"; pcre:"/[0-9]{8,10}/";
|    Indicates a Boolean "or" operand    pcre:"/[a-f0-9]{16}|[a-f0-9]{24}/";
^    Anchor to the beginning    pcre:"/^[a-z0-9]cyberwat/";
$    Anchor to the end    pcre:"/end[a-z0-9]here$/";
\    Used to escape special characters    pcre:"/^window\.location/";
\x    Denotes a hex character    pcre:"/HTTP\s1\.[0-9]\x0d\x0a/";
\s    Whitespace character    pcre:"/^window\s*\.\s*location/";
\r\n    Carriage Return New Line    pcre:"/[^\r\n]+USA.+\r\n/";
\d    Digit/Numeral    pcre:"/\d{1,3}\./";
\D    NOT digit/numeral    pcre:"/(?:[A-Z])\w+\D/";
\w    Word character    pcre:"/[0-9]{7}\w{10}/";
\W    NOT word character    pcre:"/[0-9]{7}\W{10}/";
(?=)    Positive lookahead    pcre:"/foo(?=bar)/";
(?!)    Negative lookahead    pcre:"/foo(?!bar)/";
[^]    Negate characters in character set    pcre:"/foo[^\r\n]bar/";

Flag    Buffer
H    http_header
U    http_uri
P    http_client_body
C    http_cookie
V    http_user_agent
i    Makes PCRE case-insensitive
m    Makes selection multi-line
s    A period (.) matches newline
R    Makes PCRE Relative (distance:0;) to last content match

PCRE Test Websites
https://www.debuggex.com/
http://www.regexr.com/
https://regex101.com/
http://www.regexpal.com/

TIPS TO REMEMBER FOR EFFICIENCY:
• Always try to include at least ONE anchor in a PCRE
• Use non-capturing groups (?:) as often as possible
PCRE Continued

Useful PCREs

Base64    pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/";
IPv4 Address    pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/";
Percent Encoded B64    pcre:"/^(?:[A-Za-z0-9%2b%2f]{4})*(?:[A-Za-z0-9%2b%2f]{2}%3d%3d|[A-Za-z0-9%2b%2f]{3}%3d|[A-Za-z0-9%2b%2f]{4})/";
Headers (Suri)    pcre:"/^Host\x3a\x20[^\r\n]+User-Agent\x3a\x20[^\r\n]+\r\n(?:\r\n)?/Hmi";
MAC Address    pcre:"/^[A-F0-9]{8}$/";
UUID    pcre:"/^[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}$/";
Generic PHP    pcre:"/\.php$/U";
Hexadecimal    pcre:"/[A-F0-9]/";
Printable ASCII    pcre:"/[\x20-\x7e]+$/";

Hex Basics

Usage

Using Literal Hex Characters in PCRE:
• Place \x before the hex character
• pcre:"/\x3a\x20\x22/";

Usage of Hex in IDS Signatures:
• Must place hex characters between pipes (|)
  o content:"|7468697320697320686578|";
  o content:"User-Agent|3a20|Mozilla|0d0a|";

Commonly Used Hex Characters
|3a|    \x3a    :    Colon
|22|    \x22    "    Double Quote
|27|    \x27    '    Single Quote
|20|    \x20         Space
|3b|    \x3b    ;    Semi-Colon
|7c|    \x7c    |    Pipe
|28|    \x28    (    Left Parenthesis
|29|    \x29    )    Right Parenthesis
|0d|    \x0d    \r   Carriage Return
|0a|    \x0a    \n   New-Line Feed
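The flag table above (H/U/P/C/V select a buffer, i/m/s change the regex, R makes it relative) and the Base64 and hex-escape idioms are easiest to check by running them. The Python below is an added example, not the workbook's or Suricata's code: it parses a pcre: rule option as printed in this workbook into a compiled regex plus its buffer, then runs three of the lab answers' own PCREs over constructed buffers. It assumes Python's re is close enough to PCRE for these patterns (it is for the escapes and named groups used here).

```python
import re
from typing import Dict, Tuple

# Flag -> sticky buffer, from the Flag/Buffer table on this page.
BUFFER_FLAGS = {"H": "http_header", "U": "http_uri", "P": "http_client_body",
                "C": "http_cookie", "V": "http_user_agent"}
# Flags that alter the regex itself; Python's re has direct equivalents.
RE_FLAGS = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL}

# pcre:"/<body>/<flags>";  -- greedy body so a "/" inside a character class is kept
OPTION_RE = re.compile(r'^\s*pcre:"/(?P<body>.*)/(?P<flags>[A-Za-z]*)";\s*$', re.DOTALL)


def parse_pcre_option(option: str) -> Tuple[re.Pattern, str, bool]:
    """Return (compiled regex, buffer name, relative?) for one pcre: option."""
    m = OPTION_RE.match(option)
    if not m:
        raise ValueError(f"not a pcre option: {option!r}")
    buffer, relative, flags = "payload", False, 0
    for f in m.group("flags"):
        if f in BUFFER_FLAGS:
            buffer = BUFFER_FLAGS[f]
        elif f in RE_FLAGS:
            flags |= RE_FLAGS[f]
        elif f == "R":
            relative = True
        else:
            raise ValueError(f"unsupported pcre flag {f!r}")
    # latin-1 keeps every \xhh escape a single byte, as the IDS sees the payload
    return re.compile(m.group("body").encode("latin-1"), flags), buffer, relative


def pcre_hits(option: str, buffers: Dict[str, bytes], cursor: int = 0) -> bool:
    """Apply the option to the buffer it names; cursor is where the previous
    content match ended (only used when the R flag is present)."""
    regex, name, relative = parse_pcre_option(option)
    data = buffers[name]
    if relative:
        data = data[cursor:]  # /R: ^ now anchors where the previous match ended
    return regex.search(data) is not None


# PCREs copied from the Lab 8, Lab 7 and Lab 4 answers on this page.
LAB8_EXFIL_URI = (r'pcre:"/\.php\?profile=(?:[A-Za-z0-9+/]{4})*'
                  r'(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/U";')
LAB7_PAYLOAD_UA = (r'pcre:"/^User-Agent\x3a\x20[^\r\n]+(MSIE|rv\x3a11\.0|Edge\/)'
                   r'[^\r\n]+\r\nHost\x3a/Hm";')
LAB4_AES_ARGS = r'pcre:"/^\s*?\(\s*[^,]+,\s*?[^,]+,\s*?256\s*?\)/Rsi";'

# Constructed buffers (not from the lab PCAPs).
HEADERS = (b"Accept: */*\r\n"
           b"User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)\r\n"
           b"Host: payload.invalid\r\n\r\n")
BODY = b"var plain = Aes.Ctr.decrypt(blob, key, 256);"  # file_data, passed as "payload"


def demo() -> Dict[str, bool]:
    after_decrypt = BODY.find(b"Aes.Ctr.decrypt") + len(b"Aes.Ctr.decrypt")
    return {
        # Base64 tail anchored with $: padded value matches, a 7-char tail does not
        "lab8_valid_b64": pcre_hits(LAB8_EXFIL_URI, {"http_uri": b"/gate.php?profile=aGVsbG8="}),
        "lab8_bad_length": pcre_hits(LAB8_EXFIL_URI, {"http_uri": b"/gate.php?profile=aGVsbG8"}),
        # with /m the ^ matches at the start of the User-Agent line; without it, only
        # at the start of the header buffer, which begins with Accept
        "lab7_with_m": pcre_hits(LAB7_PAYLOAD_UA, {"http_header": HEADERS}),
        "lab7_without_m": pcre_hits(LAB7_PAYLOAD_UA.replace('/Hm";', '/H";'),
                                    {"http_header": HEADERS}),
        # /R: ^ anchors right after the content:"Aes.Ctr.decrypt" match
        "lab4_relative": pcre_hits(LAB4_AES_ARGS, {"payload": BODY}, cursor=after_decrypt),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:18s} {hit}")
```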
Signature Basics

alert proto $HOME_NET any -> $EXTERNAL_NET any (msg:"TRAINING Sample Sig"; content:"something"; depth:9; fast_pattern; content:"something|20|else"; distance:1; within:14; pcre:"/^something.+something\x20else$/i"; sid:1; rev:1;)

Action: alert, drop, reject

Protocol: tcp, udp, icmp, http, tls, ip

Ports:
• Single Port: 80
• Multiple Ports: [80,443,8080]
• Port Range: [80:90]
• Negation: !80, !$HTTP_PORTS
• IP Range: 10.0.0.0/24
• Single IP: 192.168.2.36

HTTP Keywords:
• http_method; GET, POST, HEAD, etc.
• http_uri; URI string
• http_header; Header fields (minus Cookie)
• http_user_agent; Captures field after User-Agent|3a20| and before |0d0a|
• http_client_body; Body of HTTP request
• http_cookie; Captures field after Cookie|3a20| and before |0d0a|
• file_data; HTTP response body, affects all content after keyword is used