Practical Network Signature Development for Open Source ... CON 25/DEF CON 25... · Practical Network Signature Development For Open Source IDS – Workbook 11 Lab 4: Writing Signatures

PracticalNetworkSignatureDevelopmentforOpenSourceIntrusionDetectionSystems

WorkbookBSidesLV/DEFCON25LasVegas,Nevada,USA2017

©2017OpenInformationSecurityFoundationInc.Allrightsreserved.

Thispublicationisprotectedbycopyrightandpermissionmustbeobtainedfromthepublisherpriortoanyprohibitedreproduction,storageinaretrievalsystem,ortransmissioninanyformorbyanymeans,electronic,mechanical,

photocopying,recording,orlikewise.

Contact:[email protected]

TableofContents

About.............................................................................................................................1

Lab1:BasicRuleWriting................................................................................................2

Lab2:WritingSignaturesforHTTPTraffic....................................................................5

Lab3:WritingSignaturesforSSL/TLS/TOR..................................................................8

Lab4:WritingSignaturesforPhishing......................................................................11

Lab5:WritingSignaturesforRansomware.................................................................14

Lab6:WritingSignaturesforMaliciousDocuments..................................................17

Lab7:WritingSignaturesforExploitKitActivity...........................................................20

Lab8:WritingSignaturesforTargetedThreats.......................................................26

APPENDIX:A................................................................................................................29

PracticalNetworkSignatureDevelopmentForOpenSourceIDS–Workbook 1

AboutthisworkbookThisworkbookcontainsthelabswhichwillbeworkedonduringthisclass.Itisimperativetocompletetheselabstoyourbestabilitytoensureyouareunderstandingthecontentbeingtaught.Donothesitatetoaskquestionsorpresentalternativesolutionstotheclass.Thisisacollaborativeenvironmentinwhichweallshareacommongoal,andeveryoneisheretolearn—eventheinstructors.Thatbeingsaid,alllabmaterialsarecontainedontheVirtualMachinedistributedatthebeginningoftheclass.Thelabsarebrokendownbylabinthe~/Labs/directory.Additionally,theVMwillcontainthetoolsrequiredforthelabs.IfyouaretohaveanyissuesusingthelabVMortheexercisematerials,informtheinstructorsimmediatelysoitmaybecorrected.Wehavestructuredtheexercisesinawaytoallowstudentstoanswerquestionsinvariouslevelsofdifficulty.Ifyouareconfidentinyourskills,trytowritesignaturesforthetrafficwithouthints.Ifyouneedsomehelpfulhints,thefollowingpageswillcontainverboseinstructionsandhintstohelpguideyouinyourrulewritingefforts.Ifyouenjoyedthecontentinthisclass,butwantmore,weofferaprivate/public(atconferences)multi-daycoursecoveringmuchmorein-depthandadvancedrulefeatures,tactics,andadvancedhandsonlabstotakerulewritingandanalysisabilitiestothenextlevel.Pleasedonothesitatetoreachouttousbelowifthisinterestsyou!Step1:Learnhowtowriteincrediblesigsthatdon’tnukeyoursensorsStep2:DeploysigsintargetenvironmentsStep3:PunchbadguysStep4:????Step5:Profit!Questionsaftertheclass?Contact:[email protected]@[email protected]

PracticalNetworkSignatureDevelopmentForOpenSourceIDS–Workbook 2

Lab1:BasicRuleWriting

Aftergoingoversomeofthefoundationalandcommonlyusedsignaturefeatures,wearereadytostartfromscratchtocreateourownsignatures.Thislabwillhavetwooptionsto“chooseyourownadventure”.Tocompletetheexercisewithoutanyhelp,continuebelow.Ifyouwanthints,continuetothenextpage.Forthisexercise,pleaseusethePCAPfoundunder~/Labs/DDoSClient.pcapDDoSClient.pcap________________________________________________________________________

PracticalNetworkSignatureDevelopmentForOpenSourceIDS–Workbook 3

Withsomehelpfulhints:Followthisframeworkforcreatingyoursignatures:alertprotoip_fromport->ip_toport(msg:"MESSAGE";flow:___,___;content:"contents”;content:"content2";distance:10;within:20;pcre:"/content/";sid:1000001;rev:1;)DDoSClient.pcapLookatframe8fortheCnCbeacon,andfocusonusingcontentthatwon’tchangebetweeninfectedmachines—also,thismalwareonlytargetsWindowsmachines.________________________________________________________________________

PracticalNetworkSignatureDevelopmentForOpenSourceIDS–Workbook 4

Lab1:BasicRuleWritingAnswersDDoSClient.pcapalerttcp$HOME_NETany->$EXTERNAL_NET1024:65535(msg:"OISFTROJANWin32.ChinaZ.DDoSClientCheckin";flow:established,to_server;content:"Windows";depth:8;content:"|20|MHZ|00|";fast_pattern;distance:0;content:"|00|Win";distance:0;content:"|00|";distance:2;within:2;reference:md5,8643a44febdf73159b2d5c437dc40cd3;classtype:trojan-activity;sid:10000002;rev:1;)

PracticalNetworkSignatureDevelopmentForOpenSourceIDS–Workbook 5

Lab2:WritingSignaturesforHTTPTraffic

Asdiscussed,alotofsignaturesrelatetoHTTPtrafficandthehttp_*keywords.Inthislab,wewillexaminesomeHTTPtrafficandutilizeourhttp_*keywordstoperformadequatedetection.Thislabwillhavetwooptionsto“chooseyourownadventure”.Tocompletetheexercisewithoutanyhelp,continuebelow.Ifyouwanthints,continuetothenextpage.Forthisexercise,pleaseusethePCAPfoundunder~/Labs/Ursnif.pcapUrsnif.pcap

PracticalNetworkSignatureDevelopmentForOpenSourceIDS–Workbook 6

Withsomehelpfulhints:Followthisframeworkforcreatingyoursignatures:alertprotoip_fromport->ip_toport(msg:"MESSAGE";flow:___,___;content:"contents";fast_pattern;content:"content2";distance:10;within:20;pcre:"/content/";sid:1000001;rev:1;)Ursnif.pcapalert____$HOME_NET____->$EXTERNAL_NET____(msg:"OISFTROJANUrsnifCnCActivity";flow:__________________;urilen:>____;content:"________";depth:___;http____;content:"____";http____;content:"____";http____;content:"___________________________________________";depth:____;http_header;content:!"Accept";http________;content:!"Cookie|3a|";content:!"Referer|3a|";http___________;classtype:trojan-activity;sid:10000001;rev:1;)

PracticalNetworkSignatureDevelopmentForOpenSourceIDS–Workbook 7

Lab2:WritingSignaturesforHTTPTrafficAnswersUrsnif.pcapalerthttp$HOME_NETany->$EXTERNAL_NETany(msg:"OISFTROJANUrsnifCnCActivity";flow:established,to_server;urilen:>125;content:"/images/";depth:8;http_uri;content:"_2F";http_uri;content:"_2B";http_uri;content:"User-Agent|3a20|Mozilla/4.0(compatible|3b|MSIE8.0|3b|WindowsNT";depth:57;http_header;content:!"Accept";http_header;content:!"Cookie|3a|";content:!"Referer|3a|";http_header;classtype:trojan-activity;sid:10000001;rev:1;)

PracticalNetworkSignatureDevelopmentForOpenSourceIDS–Workbook 8

Lab3:WritingSignaturesforSSL/TLS/TOR

ThislabwillhaveyoufocusonSSL/TLStraffic,andadequatelywritingasignaturetomatchoncertificatesinvariousways.UsingthePCAPavailable,writesignature(s)todetectonthemalicioustraffic.Thislabwillhavetwooptionsto“chooseyourownadventure”.Tocompletetheexercisewithoutanyhelp,continuebelow.Ifyouwanthints,continuetothenextpage.Forthisexercise,pleaseusethePCAPfoundunder~/Labs/Zeus.pcapZeus.pcap________________________________________________________________________

PracticalNetworkSignatureDevelopmentForOpenSourceIDS–Workbook 9

Withsomehelpfulhints:Followthisframeworkforcreatingyoursignatures:alert(tls|tcp)$EXTERNAL_NET443->$HOME_NETany(msg:"OISFCATEGORYObservedMaliciousSSLCert(MalwareName/Activity)";flow:established:from_server;content"|550403|";content:"|<DecimallengthofdomainnameinHex>|DomainName|2e|com";distance:1;within:<Lengthofbyte+domain>;classtype:trojan-activity;sid:100000000;rev:1;)Zeus.pcapBreakopentheSSLcertificateinWiresharkandexaminetheSerialNumber.Usethishexinyoursignature.LooktosigontheOUfield(|55040a|)relativetotheserialwiththeappropriatemodifiersfordistanceandwithin.

PracticalNetworkSignatureDevelopmentForOpenSourceIDS–Workbook 10

Lab4:WritingSignaturesforSSL/TLS/TORAnswers

Zeus.pcapalerttls$EXTERNAL_NET443->$HOME_NETany(msg:"OISFTROJANABUSE.CHSSLBlacklistMaliciousSSLcertificatedetected";flow:established,to_client;content:"|16|";content:"|0b|";within:8;content:"|0900e67b404f24b82af9|";distance:0;content:"|55040a|";distance:0;content:"|18|InternetWidgitsPtyLtd";distance:1;within:25;reference:url,sslbl.abuse.ch;classtype:trojan-activity;sid:10000001;rev:1;)

PracticalNetworkSignatureDevelopmentForOpenSourceIDS–Workbook 11

Lab4:WritingSignaturesforPhishing

ThislabwillhaveyoufocusontrafficrelatedtoPhishingwhichisbrokenintomultipleparts—alandingpage,successfulphish,etc.Wewillexaminemultipleexamplesinwhichsignaturesmaybewrittentodetectvariousstagesoftheaphish.Thisisimportant,becauseananalystwillknowhowtoreactdependingonwhattrafficyoucomeacross.UsingthePCAPavailable,writesignaturestodetectonthemalicioustraffic.Thislabwillhavetwooptionsto“chooseyourownadventure”.Tocompletetheexercisewithoutanyhelp,continuebelow.Ifyouwanthints,continuetothenextpage.Forthisexercise,pleaseusethePCAPfoundunder~/Labs/Adobe.pcapAdobe.pcapAuserreceivedanemailcontainingaPDFattachmentwithalinktoviewshareddocuments.Writesignaturestodetectthephishingattackchain.

PracticalNetworkSignatureDevelopmentForOpenSourceIDS–Workbook 12

Withsomehelpfulhints:Followthisframeworkforcreatingyoursignatures:alertprotoip_fromport->ip_toport(msg:"MESSAGE";flow:___,___;content:"contents";fast_pattern;content:"content2";distance:10;within:20;pcre:"/content/";sid:1000001;rev:1;)Adobe.pcapAuserreceivedanemailcontainingaPDFattachmentwithalinktoviewshareddocuments.Writesignaturestodetectthephishingattackchain.First,wewanttodetectthetrickybehaviorthisJavaScriptisupto.Setupyoursignatutelookingattheinbound(from_server)data.Ensurealegithttp_stat_codeispresent,aswellassomecommonheadersforaresponsecontaininghtmlbeforeusingfile_datatoexaminetheactualresponsebody.Lookingathowthepageisrefreshedisstepone.WritethisfirstsignaturefocusingontherefreshmechanismusingsomeofthestaticcontentmatchesfromtheJavaScriptaswellasusingPCREtoaidinthis.Second,thereisasuspiciousdecryptionofaBase64blobevidentinthepageresponse.Basedonthis,wecouldwriteageneric(INFO)signaturetofocusonthissuspiciousbehavior.WritetwosignaturesbasedonthissuspiciousAESdecryptfunctionbyagain,ensuringvariablesensurethiscontentisfoundinthepageresponse.Then,usestaticmatchesintheJavaScriptandmorePCREtoaccountforvariations.Finally,writeasignaturetodetectthesuccessfultransmissionofcredentialstothebadguyserverusingstandardHTTPsignaturecontentsandkeywords.

PracticalNetworkSignatureDevelopmentForOpenSourceIDS–Workbook 13

Lab4:WritingSignaturesforPhishingAnswers

1.Adobe.pcapalerthttp$EXTERNAL_NETany->$HOME_NETany(msg:"OISFCURRENT_EVENTSSuspiciousCompoundRefresh-PossiblePhishingRedirect";flow:from_server,established;content:"200";http_stat_code;content:"Content-Type|3a20|text/html";http_header;file_data;content:"<metaHTTP-Equiv=";nocase;content:"refresh";nocase;distance:1;within:8;content:"content=";nocase;distance:0;content:"URL=";nocase;distance:0;within:10;content:"text/javascript";nocase;distance:0;content:"self.location.replace";fast_pattern;nocase;distance:0;content:"window.location";nocase;distance:0;within:30;classtype:trojan-activity;sid:10000001;rev:1;)alerthttp$EXTERNAL_NETany->$HOME_NETany(msg:"OISFCURRENT_EVENTSAESCryptoObservedinJavascript-PossiblePhishingLanding";flow:established,from_server;file_data;content:"hea2p";distance:0;nocase;content:"0123456789ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz";fast_pattern:40,20;distance:0;content:"hea2t";distance:0;nocase;content:"Aes";nocase;distance:0;pcre:"/^\s*?\.\s*?Ctr\s*?\.\s*?decrypt/Rsi";classtype:trojan-activity;sid:02;rev:3;)alerthttp$EXTERNAL_NETany->$HOME_NETany(msg:"OISFCURRENT_EVENTSAESCryptoObservedinJavascript-PossiblePhishingLandingDec28M1";flow:established,from_server;content:"200";http_stat_code;content:"Content-Type|3a20|text/html";http_header;file_data;content:"Aes.Ctr.decrypt";nocase;fast_pattern;pcre:"/^\s*?\(\s*[^,]+,\s*?[^,]+,\s*?256\s*?\)/Rsi";classtype:trojan-activity;sid:03;rev:3;)alerthttp$HOME_NETany->$EXTERNAL_NETany(msg:"OISFCURRENT_EVENTSSuccessfulAdobeOnlinePhish";flow:to_server,established;content:"POST";http_method;content:".php";http_uri;content:"feedback=";nocase;depth:9;http_client_body;fast_pattern;content:"&feedbacknow=";nocase;distance:0;http_client_body;pcre:"/\.php$/U";classtype:trojan-activity;sid:04;rev:1;)

PracticalNetworkSignatureDevelopmentForOpenSourceIDS–Workbook 14

Lab5:WritingSignaturesforRansomware

ThislabwillhaveyouexamineCerberransomwarewhichhavebeenobservedlatelyinmasscampaigns.Pleasefollowalongwiththequestionsandcompletetothebestofyourability.Remembertoaskquestionsorconsultthehintsifyougetstuck.Forthisexercise,pleaseusethePCAPfoundunder~/Labs/Cerber.pcapCerber.pcap1.WhatisthefirstHTTPRequestbeingmadehere?Whywouldthistakeplace?________________________________________________________________________2.Examinetherequestsinframes9-531.Identifywhatishappeninghere.________________________________________________________________________5.Whatshouldbesig'dwiththemostpriority?Least?________________________________________________________________________6.WriteasignaturetodetecttheCnCrequests7.WriteasignaturetodetecttheExternalIPAddressCheck

PracticalNetworkSignatureDevelopmentForOpenSourceIDS–Workbook 15

Withsomehelpfulhints:Followthisframeworkforcreatingyoursignatures:alertprotoip_fromport->ip_toport(msg:"MESSAGE";flow:___,___;content:"contents";fast_pattern;content:"content2";distance:10;within:20;pcre:"/content/";sid:1000001;rev:1;)Cerber.pcapThereisalotofstrangeactivityhappeninginthisone,comparedtootherransomwaretrafficweobserve.Firstoffistheprotocol—takenotofthis.Whileexaminingtheserequests,itappearsthereisafixedsizeofthepacket(tcp.len),whichwouldbeuseful.Furthermore,itappearssomeofthecontentinthesepacketsremainthesame,whereasotherpartschange—perhapsaPCREanchoredwouldbebest?Lastly,thereisalotofactivity,sothisrulemightfirealot.Wecanincorporateathresholdtosubsidethenumberofalertsbeinggenerated.

FortheIPCheck,wecanbeprettyspecific,asweknowthisisalegitservicethatprobablyisn’tgoingtobechangingoften,andwewanttoonlyfireonthisspecificIPcheckactivity.Thatbeingsaid,becarefulaboutwhatcategorythisrequestisplacedin.

________________________________________________________________________

PracticalNetworkSignatureDevelopmentForOpenSourceIDS–Workbook 16

Lab5:WritingSignaturesforRansomwareAnswers

CerberRansomware1.WhatisthefirstHTTPRequestbeingmadehere?Whywouldthistakeplace?ThisisaGETrequesttoadomainthatwillreturnthevictimmachinesCountry,CountryCode,ExternalIPAddress,andASN.ThiscouldtakeplacesotheattackercanidentifyvictimsbasedongeolocationaswellascollecttheIPAddressofthevictimmachine.2.Examinetherequestsinframes9-531.Identifywhatishappeninghere.ThisistheCerberCnCmechanisms.UDPPacketsscanninganIPrangewhichwillhopefullyhitanactiveCnCserver.5.Whatshouldbesig'dwiththemostpriority?Least?CnCCheckin1/2,ExternalIPCheck6.WriteasignaturetodetecttheCnCrequestsalertudp$HOME_NETany->$EXTERNAL_NETany(msg:"OISFTROJANRansomware/CerberCheckin2";dsize:9;content:"hi";depth:2;fast_pattern;pcre:"/^[a-f0-9]{7}$/R";threshold:typeboth,trackby_src,count1,seconds60;reference:md5,ac4d7fb5739862e9914556ed5d50f84f;classtype:trojan-activity;sid:2816763;rev:4;)7.WriteasignaturetodetecttheExternalIPAddressCheckalerthttp$HOME_NETany->$EXTERNAL_NETany(msg:"OISFTROJANPossibleCerberRansomwareIPCheck";flow:to_server,established;urilen:5;content:"GET";http_method;content:"/json";http_uri;content:"Host|3a20|ipinfo.io";fast_pattern;http_header;content:"GET/jsonHTTP/1.1|0d0a|Host|3a20|ipinfo.io|0d0a0d0a|";depth:39;isdataat:!1,relative;threshold:typethreshold,trackby_src,count2,seconds50;classtype:trojan-activity;sid:2816506;rev:1;)

PracticalNetworkSignatureDevelopmentForOpenSourceIDS–Workbook 17

Lab6:MaliciousDocuments

Thislabwillhaveyouanalyzeacommonlyobservedthreattomanyenterprises:themaliciousdocument.Typically,maliciousOfficedocumentsrelyonmacroexecution,embeddedobjects,orexploitstodeliverapayloadontothevictimmachine.Pleasefollowalongwiththequestionsandcompletetothebestofyourability.Remembertoaskquestionsorconsultthehintsifyougetstuck.Yourjobistofirst,identifytheeventsinthePCAPsrecoveredandwriteIDSalertsfortheobservedtraffictodetectitinthefuture.Forthisexercise,pleaseusethePCAPfoundunder~/Labs/Maldoc.pcapMaldoc.pcap1.List3interestingbehaviorsoftheMalDocrequest:________________________________________________________________________2.Whataspectsofthisrequestcouldchange?Why?________________________________________________________________________3.Whyisitimportanttodetectthisrequest,asopposedtojustasigcapturingthedownloadedexecutable?________________________________________________________________________4.WriteasignaturetodetecttheMalDocrequest:________________________________________________________________________

PracticalNetworkSignatureDevelopmentForOpenSourceIDS–Workbook 18

Withsomehelpfulhints:Followthisframeworkforcreatingyoursignatures:alertprotoip_fromport->ip_toport(msg:"MESSAGE";flow:___,___;content:"contents";fast_pattern;content:"content2";distance:10;within:20;pcre:"/content/";sid:1000001;rev:1;)Maldoc.pcapWithmanymaliciousdocuments,thepayloadscanbemovingtargets,soitisimportanttoincludeadatetoreferencewhenthesignaturewascreated.Thatbeingsaid,theURIhasanimportantextensionandvariablethatwouldbeasolidcontent.Furthermore,theUser-Agentiscertainlyunlikemostnormalbrowserrequestsandshouldbeconsidered.Negationsarealsoimportanthere,soastonotconfusethetrafficwithnormalbehavior.Lastly,aPCREcouldbeusefulintheURIbuffer.

PracticalNetworkSignatureDevelopmentForOpenSourceIDS–Workbook 19

Lab6:MaliciousDocumentsAnswers

MalDoc1.List3interestingbehaviorsoftheMalDocrequest:HTTPRequestMethod,User-Agent,URIparameters2.Whataspectsofthisrequestcouldchange?Why?Requestmethod,User-Agent.Thesecouldchangebasedonthemacrobeingused(BITSvssystemwebrequest,etc).3.Whyisitimportanttodetectthisrequest,asopposedtojustasigcapturingthedownloadedexecutable?Thesetypesofrequestsareimportant,astheyindicatethesourceofthefollow-upexecutable.Additionally,itservesasanotificationthataMalDoc4.Whatkindofinformationshouldyouincludeinthemsgforathreatlikethis?MalDocActivity,Date4.WriteasignaturetodetecttheMalDocrequest:alerthttp$HOME_NETany->$EXTERNAL_NETany(msg:"OISFCURRENT_EVENTSMalDocRetrievingPayloadMay232017";flow:established,to_server;content:".exe?q=";http_uri;content:"User-Agent|3a20|MicrosoftBITS/";fast_pattern:7,20;http_header;content:!"Referer|3a|";http_header;pcre:"/(?:\/ttt\/)?\/[a-z0-9]{3,15}\.exe\?q=[0-9]{1,5}$/Ui";reference:md5,5fa40bfb5a83e473e278d835202087d9;classtype:trojan-activity;sid:100000034;rev:1;)

PracticalNetworkSignatureDevelopmentForOpenSourceIDS–Workbook 20

Lab7:WritingSignaturesforExploitKitActivity

AcomputerhasbeenimpactedbyNeutrinoExploitKitwhichdeliveredaransomware.ReviewtheassociatedPCAPandanswerthefollowingquestions.Forthisexercise,pleaseusethePCAPfoundunder~/Labs/Neutrino.pcapNeutrino.pcap1.Pleaseidentifyhowtheuserendedupreachingtheexploitkit________________________________________________________________________2.WhatistheURIoftheexploitkitlandingpage?________________________________________________________________________3.WhichframecontainstheGETrequestresultinginthepayloadbeingdelivered?________________________________________________________________________4.Whattypeofexploitappearstohavebeenused/successfulinthisattack?________________________________________________________________________5.Whatisthemd5hashandfilenameoftheFlashfileusedintheexploit?________________________________________________________________________6.Writeasignaturetodetecttheiframeredirect

PracticalNetworkSignatureDevelopmentForOpenSourceIDS–Workbook 21

7.WriteasignaturetodetecttheEKLandingpagecontents.(Hint:sigtheserverresponsebodyandsetaflowbit)8.WriteasignaturetodetecttheFlashexploit9.Writetwosignatures:onetosetaflowbitontheoutboundpayloadviaGETrequestandonethatfiresonthepayloaddeliveryfromtheserver10.Canyouidentifythepayload?(Hint:itisransomware…)

PracticalNetworkSignatureDevelopmentForOpenSourceIDS–Workbook 22

Withsomehelpfulhints:6.Writingasignaturetodetecttheiframeredirectwillrequiresiggingthestaticcontentsoftheiframe,butbeingmindfulofthingslikespacesandcharactersthatcouldbevariablebetweensamples.Inthiscase,itwouldbeimportanttofindsomeanomalousbehaviorsoftheiframe,anduseaPCREtocapturethestructureasawhole,againbeingcognizantofspacesorcharacters.7.WriteasignaturetodetecttheEKLandingpagecontents.Inthiscasewewillwanttokeyinheavilyontheserverresponsebody.Thereisquiteabitgoingon,sofocusonaversionnumberthatcanbefoundthere,andwellastheanomalousflashfunction.APCREisabsolutelynecessaryhere.8.WriteasignaturetodetecttheFlashexploit.Again,wewillwanttosigtheserverresponsehere.Becausewearelookingforflash,sigtheflashheader(butnottheversion).Wecanthenutilize2PCREstosigonceontheURIstructure,andanothertosignatureonsomeoftheheaders—importantlyRefererandHosthavingthesamevalue(canusePCREcapturevariable?P).9.Writetwosignatures:onetosetaflowbitontheoutboundpayloadviaGETrequestandonethatfiresonthepayloaddeliveryfromtheserver.Forthefirstsig,wewillwriteontheoutboundrequest.Thiswillbeheavilynegatedfromaheaderperspective.WewillwanttowriteaPCREstartingintheUser-Agentfield,andensuringthat‘MSIE’isincluded.WewillwriteasecondPCREtocapturetheURIstructure.Setaflowbit,butwealsodon’twantittoalert.Forthesecondsignature,itwillbefocusingontheserverreply.Obviouslywearelookingforindicatorsintheheaderthatanexecutablepayloadisbeingdownloaded.Utilizetheflowbitwehadjustsetontherequest.Makesomenegationsforcommonfilemagicheaders.APCREonthecontentlengthisagoodchecktoensureitisalargernumberofbytes.

PracticalNetworkSignatureDevelopmentForOpenSourceIDS–Workbook 23

Lab7:WritingSignaturesforExploitKitActivityAnswers1.PleaseidentifyhowtheuserendedupreachingtheexploitkitAuservisitedacompromisedwebsitewhichcontainedaniframepointingtheusertotheexploitkitlandingpage.2.WhatistheURIoftheexploitkitlandingpage?/slay/a2V2anl3cg3.WhichframecontainstheGETrequestresultinginthepayloadbeingdelivered?1684.Whattypeofexploitappearstohavebeenused/successfulinthisattack?Flash5.Whatisthemd5hashandfilenameoftheFlashfileusedintheexploit?MD5(himself-smell-borrow-32786091.swf)=4b277d7ec974400e2115219b29b27f2a6.Writeasignaturetodetecttheiframeredirectalerthttp$EXTERNAL_NETany->$HOME_NETany(msg:"OISFCURRENT_EVENTSEvilRedirectorLeadingtoEKJul122016";flow:established,from_server;file_data;content:"|3c7370616e207374796c653d22706f736974696f6e3a6162736f6c7574653b20746f703a2d31|";pcre:"/^\d{3}px\x3b\swidth\x3a3\d{2}px\x3b\sheight\x3a3\d{2}px\x3b\x22>\s*?>iframesrc=[\x22\x27][^\x22\x27]+[\x22\x27]\swidth=[\x22\x27]2\d{2}[\x22\x27]\sheight=[\x22\x27]2\d{2}[\x22\x27]>>\/iframe>\s*\n\s*>\/span>/Rsi";classtype:trojan-activity;sid:10000000;rev:2;)

PracticalNetworkSignatureDevelopmentForOpenSourceIDS–Workbook 24

7.WriteasignaturetodetecttheEKLandingpagecontents.(Hint:sigtheserverresponsebodyandsetaflowbit)alerthttp$EXTERNAL_NETany->$HOME_NETany(msg:"OISFCURRENT_EVENTSJob314/NeutrinoRebootEKLandingJuly072016M1";flow:established,from_server;content:"Server|3a20|nginx";http_header;content:!"Cookie|3a20|";file_data;content:"#version=10,1,52,0";content:"always";content:"sameDomain";content:"allowScriptAccess";fast_pattern:only;content:"<object";pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P<space>[\s\r\n]+)<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P=space)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P=space)<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R";flowbits:set,ET.Neutrino;classtype:trojan-activity;sid:100000000;rev:1;)8.WriteasignaturetodetecttheFlashexploitalerthttp$HOME_NETany->$EXTERNAL_NETany(msg:"OISFCURRENT_EVENTSPossibleJob314/NeutrinoRebootEKFlashExploitJan072015M2";flow:established,to_server;content:"x-flash-version|3a|";http_header;fast_pattern;content:!"|0d0a|Cookie|3a|";pcre:"/^\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|(?=[a-z]*\d+[a-z]+\d)(?=\d*[a-z]+\d+[a-z])[a-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)$/U";pcre:"/Referer\x3a\x20http\x3a\x2f\x2f(?P<host>[^\r\n\x3a\x2f]+)(?:\x3a\d{1,5})?\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)\r\n.*?Host\x3a\x20(?P=host)(?:\x3a\d{1,5})?\r\n/Hsi";flowbits:set,ET.Neutrino;classtype:trojan-activity;sid:10000000;rev:3;)

PracticalNetworkSignatureDevelopmentForOpenSourceIDS–Workbook 25

9.Writetwosignatures:onetosetaflowbitontheoutboundpayloadviaGETrequestandonethatfiresonthepayloaddeliveryfromtheserveralerthttp$HOME_NETany->$EXTERNAL_NETany(msg:"OISFCURRENT_EVENTSPossibleNuclearEKPayloadDec062015M2";flow:to_server,established;content:"Accept|3a20|*/*|0d0a|User-Agent|3a20|";http_header;fast_pattern;content:!"Accept-";http_header;content:!"Referer";http_header;content:!"Cookie|3a|";pcre:"/^User-Agent\x3a\x20[^\r\n]+(MSIE|rv\x3a11\.0|Edge\/)[^\r\n]+\r\nHost\x3a/Hm";pcre:"/^\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)$/U";flowbits:set,Neutrino.EK.Payload;flowbits:noalert;classtype:trojan-activity;sid:10000000;rev:1;)alerthttp$EXTERNAL_NETany->$HOME_NETany(msg:"OISFCURRENT_EVENTSNeutrinoEKPayloadJuly082016M1";flow:to_client,established;flowbits:isset,Neutrino.EK.Payload;content:"Content-Type|3a20|application/octet-stream|0d0a|";http_header;fast_pattern:20,20;content:"Server|3a20|nginx";http_header;content:"ETag|3a|";http_header;pcre:"/^Content-Length\x3a\x20(?:[2-9]\d{4,6}|1\d{5,6})\r?$/Hm";file_data;content:!"MZ";within:2;content:!"PK";within:2;content:!"GIF";within:3;content:!"|FFD8FF|";within:3;content:!"CWS";within:3;content:!"ZWS";within:3;isdataat:4,relative;classtype:trojan-activity;sid:10000001;rev:1;)10.Canyouidentifythepayload?(Hint:itisransomware…)CryptXXX

PracticalNetworkSignatureDevelopmentForOpenSourceIDS–Workbook 26

Lab8:WritingSignaturesforTargetedThreats

Targetedthreatscancomeinmanyforms,andcanbedifficulttodetect.Inthisexercise,wewillexamineanAPTanditsassociatedtraffictoinvestigateandwritesigstodetect.APT/targetedthreatscanemployallthevarioustechniqueswehavepreviouslydiscussed:SSL/TLS,TOR,P2P,DNS,HTTP,andCustomProtocols,thusmakingthemauniqueexperiencetodetect.UsingthePCAPavailable,writesignaturestodetectonthemalicioustraffic.Thislabwillhavetwooptionsto“chooseyourownadventure”.Tocompletetheexercisewithoutanyhelp,continuebelow.Ifyouwanthints,continuetothenextpage.Forthisexercise,pleaseusethePCAPfoundunder~/Labs/Patchwork.pcapPatchwork.pcapAfterplugginginsomeIOCsfromablog,youfindatargetedthreatonyournetwork.WritesignaturesfortheCnCbeacon,FileExfiltration,andSSLcertificate.

PracticalNetworkSignatureDevelopmentForOpenSourceIDS–Workbook 27

Withsomehelpfulhints:Followthisframeworkforcreatingyoursignatures:alertprotoip_fromport->ip_toport(msg:"MESSAGE";flow:___,___;content:"contents";fast_pattern;content:"content2";distance:10;within:20;pcre:"/content/";sid:1000001;rev:1;)alert(tls|tcp)$EXTERNAL_NET443->$HOME_NETany(msg:"OISFCATEGORYObservedMaliciousSSLCert(MalwareName/Activity)";flow:established:from_server;content"|550403|";content:"|<DecimallengthofdomainnameinHex>|DomainName|2e|com";distance:1;within:<Lengthofbyte+domain>;classtype:trojan-activity;sid:100000000;rev:1;)Patchwork.pcapAfterplugginginsomeIOCsfromablog,youfindatargetedthreatonyournetwork.WritesignaturesfortheCnCbeacon,FileExfiltration,andSSLcertificate.TheCnCBeaconhereisfairlystraightforward.StartbyexaminingtheHTTPPOST.AfewthingsstickoutintheURI—someencodingandaphpfile.Furthermore,someoftheheadersarestrange:besuretonegatenormalheaderswhichshouldexistbutarenotpresent.ThevariableinthecontentbodywhichisPOSTedisveryuniqueandwouldmakeforagoodfast_pattern.Takeadvantageofdepthhereaswell.FileexfiltrationappearstobeusingthesametypeofURIandheaderstructure.Themaindifferenceappearstobeinthehttp_client_bodyinwhichyoushouldbeabletopickoutsomenoteworthydetailstomatchon.FurthermorechecktheURIforsomeencodingwhichaPCREcouldhelpwith.Lastly,theSSLcertshouldberecognizableandtheCNshouldbeeasilysig’dlikewediscussedintheSSL/TLSsection.

PracticalNetworkSignatureDevelopmentForOpenSourceIDS–Workbook 28

Lab8:WritingSignaturesforTargetedThreatsAnswersPatchwork.pcapalerthttp$HOME_NETany->$EXTERNAL_NETany(msg:"OISFTROJANTargetedAutoItFileStealer/DownloaderCnCBeacon";flow:established,to_server;content:"POST";http_method;content:".php?profile=";http_uri;content:"ddager=";depth:7;http_client_body;fast_pattern;content:"&r1=";distance:0;http_client_body;content:!"Accept";http_header;content:!"Referer|3a|";http_header;classtype:trojan-activity;sid:10000006;rev:1;)alerthttp$HOME_NETany->$EXTERNAL_NETany(msg:"OISFTROJANTargetedAutoItFileStealer/DownloaderExfiltratingFile";flow:established,to_server;content:".php?profile=";http_uri;fast_pattern:only;content:"POST";http_method;content:"name=|22|filename|22|";http_client_body;content:"0x";distance:0;http_client_body;content:!"Referer|3a|";http_header;pcre:”/\.php\?profile=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/U";classtype:trojan-activity;sid:10000007;rev:1;)alerttls$EXTERNAL_NETany->$HOME_NETany(msg:"OISFTROJANPatchworkAPTSSLCert";flow:established,from_server;content:"|550403|";content:"|08|toigetgf";distance:1;within:9;classtype:trojan-activity;sid:10000008;rev:1;)

PracticalNetworkSignatureDevelopmentForOpenSourceIDS–Workbook 29

APPENDIX:AQuickReferenceGuidefor

SignatureDevelopment

PracticalNetworkSignatureDevelopmentForOpenSourceIDS–Workbook 30

PCREBasicsCharacter Definition Example

. Matchanycharacterexceptnewline pcre:”/this.could.be.anything/”; [] Groupingcharactersets pcre:”/[a-f0-9]/”; (?:) Non-capturegroup pcre:”/(?:....)0101/”; * Match0ormoreoftheprecedingitem pcre:”/[a-f]*[A-F]/”; + Match1ormoreoftheprecedingitem pcre:”/[a-f]+[A-F]/”; ? Theprecedingitemisoptionaltocontinuematching pcre:”/[a-f0-9]?secret/”;

{}Indicatesanumberoftheprecedingitemmustbe

matched

pcre:”/[a-f0-9]{32}/”; pcre:”/[0-9]{,2}/”;

pcre:”/[0-9]{10,}/”; pcre:”/[0-9]{8,10}/”;

| IndicatesaBoolean“or”operand pcre:”/[a-f0-9]{16}|[a-f0-9]{24}/”; ^ Anchortothebeginning pcre:”/^[a-z0-9]cyberwat/”; $ Anchortotheend pcre:”/end[a-z0-9]here$/”; \ Usedtoescapespecialcharacters pcre:”/^window\.location/”; \x Denotesahexcharacter pcre:”/HTTP\s1\.[0-9]\x0d\x0a/”; \s Whitespacecharacter pcre:”/^window\s*\.\s*location/”; \r\n CarriageReturnNewLine pcre:”/[^\r\n]+USA.+\r\n/”; \d Digit/Numeral pcre:”/\d{1,3}\./”; \D NOTdigit/numeral pcre:”/(?:[A-Z])\w+\D/”; \w Wordcharacter pcre:”/[0-9]{7}\w{10}/”; \W NOTwordcharacter pcre:”/[0-9]{7}\W{10}/”;

(?=) Positivelookahead pcre:”/ foo(?=bar)/”; (?!) Negativelookahead pcre:”/foo(?!bar)/”;

[^] Negatecharactersincharacterset pcre:”/foo[^\r\n]bar/”;

Flag Buffer PCRETestWebsitesH http_header https://www.debuggex.com/U http_uri http://www.regexr.com/P http_client_body https://regex101.com/C http_cookie http://www.regexpal.com/V http_user_agent i MakesPCREcase-insensitive TIPSTOREMEMBERFOREFFICIENCY:

m Makesselectionmulti-line • AlwaystrytoincludeatleastONEanchorinaPCRE

s Aperiod(.)matchesnewline • Usenon-capturinggroups(?:)asoftenaspossible

R MakesPCRERelative(distance:0;)tolastcontentmatch

PracticalNetworkSignatureDevelopmentForOpenSourceIDS–Workbook 31

PCREContinuedUsefulPCRE’s

Base64 pcre:”/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/”;

IPv4Address pcre:”/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/”;PercentEncodedB64

pcre:”/^(?:[A-Za-z0-9%2b%2f]{4})*(?:[A-Za-z0-9%2b%2f]{2}%3d%3d|[A-Za-z0-9%2b%2f]{3}%3d|[A-Za-z0-9%2b%2f]{4})/”;

Headers(Suri) pcre:”/^Host\x3a\x20[^\r\n]+User-Agent\x3a\x20[^\r\n]+\r\n(?:\r\n)?/Hmi”;MACAddress pcre:”/^[A-F0-9]{8}$/”;UUID pcre:”/^[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}$/”;GenericPHP pcre:”/\.php$/U”;Hexadecimal pcre:”/[A-F0-9]/”;PrintableASCII pcre:”/[\x20-\x7e]+$/”;HexBasics

Usage CommonlyUsedHexCharactersUsingLiteralHexCharactersinPCRE:

• Place\xbeforethehexcharacter• pcre:”/\x3a\x20\x22/”;

UsageofHexinIDSSignatures:

• Mustplacehexcharactersbetweenpipes(|)o content:”|7468697320697320686578|”;o content:”User-Agent|3a20|Mozilla|0d0a|”;

|3a| \x3a : Colon|22| \x22 “ DoubleQuote|27| \x27 ‘ SingleQuote|20| \x20 Space|3b| \x3b ; Semi-Colon|7c| \x7c | Pipe|28| \x28 ( LeftParenthesis|29| \x29 ) RightParenthesis|0d| \x0d \r CarriageReturn|0a| \x0a \n New-LineFeed

PracticalNetworkSignatureDevelopmentForOpenSourceIDS–Workbook 32

SignatureBasics

alertproto$HOME_NETany->$EXTERNAL_NETany(msg:”TRAININGSampleSig”;content:”something”;depth:9;fast_pattern;content:”something|20|else”;distance:1;within:14;

pcre:”/^something.+something\x20else$/i”;sid:1;rev:1)

Action Protocol Ports HTTPKeywords

alert tcp SinglePort:• 80 http_method; GET,POST,HEAD,etc.

drop udp MultiplePorts:• [80,443,8080] http_uri; URIstring

reject icmp PortRange:• [80:90] http_header; Headerfields(minusCookie)

httpNegation:

• !80• !$HTTP_PORTS

http_user_agentCapturesfieldafterUser-

Agent|3a20|andbefore|0d0a|

tls IPRange:• 10.0.0.0/24 http_client_body; BodyofHTTPrequest

ip SingleIP:• 192.168.2.36 http_cookie; CapturesfieldafterCookie|3a

20|andbefore|0d0a|

file_data; HTTPresponsebody,affectsallcontentafterkeywordisused