3. How to identify network software or attack signatures, by category

(The signatures and demonstration examples below are not the complete detection logic; they are examples chosen to illustrate the point and are only a small part of the real detection code.)

A) P2P software

1) eMule detection

eMule detection includes both UDP and TCP signatures; here we give one example taken from a UDP capture. To reduce false positives, restrict the checked ports to those above 1024 and add filter conditions. The figure below shows an eMule UDP packet.

```
if (substr(udp.blob,0,1) == "\xe4")              # first byte is 0xe4
{
    if ((substr(udp.blob,1,1) == "\x20") ||
        (substr(udp.blob,1,1) == "\x21") ||      # second byte is the opcode, e.g. 0x21
        (substr(udp.blob,1,1) == "\x00") ||
        (substr(udp.blob,1,1) == "\x10") ||
        (substr(udp.blob,1,1) == "\x18") ||
        (substr(udp.blob,1,1) == "\x52") ||
        (substr(udp.blob,1,1) == "\x58") ||
        (substr(udp.blob,1,1) == "\x59") ||
        (substr(udp.blob,1,1) == "\x28") ||
        (substr(udp.blob,1,1) == "\x50") ||
        (substr(udp.blob,1,1) == "\x40"))
    {
        alert(emule_source, emule_datatransfer_alert,
              ip.src, udp.sport, ip.dst, udp.dport,
              "--AlertDetails",
              "ALERT_ID", "096-022-001",
              "ALERT_CONFIDENCE", 90,
              "ALERT_SEVERITY", "low",
              "ALERT_IMPACT", "unknown",
              "ALERT_EVENT_TYPE", "probe",
              "ALERT_ASSESSMENT", "unknown",
              "IP_PROTO_NUM", 17,
              "IP_ADDR_SRC", ip.src,
              "PORT_SRC", udp.sport,
              "IP_ADDR_DST", ip.dst,
              "PORT_DST", udp.dport,
              "ed2k", "ED2K PROTOCOL DATA TRANSFER 2");
    }
}
```

Next, a TCP example. (In the original listing the alert used udp.sport/udp.dport even though the rule matches tcp.blob; the TCP fields are used here.)

```
if (substr(tcp.blob,0,1) == "\xc5")              # 0xc5 at byte 0
{
    if ((substr(tcp.blob,5,1) == "\x01") ||      # opcode at byte 5, after the 4-byte length field
        (substr(tcp.blob,5,1) == "\x02") ||
        (substr(tcp.blob,5,1) == "\x04") ||
        (substr(tcp.blob,5,1) == "\x60") ||
        (substr(tcp.blob,5,1) == "\x61") ||
        (substr(tcp.blob,5,1) == "\x81") ||
        (substr(tcp.blob,5,1) == "\x82") ||
        (substr(tcp.blob,5,1) == "\x87") ||
        (substr(tcp.blob,5,1) == "\x85") ||
        (substr(tcp.blob,5,1) == "\x86") ||
        (substr(tcp.blob,5,1) == "\x90") ||
        (substr(tcp.blob,5,1) == "\x91") ||
        (substr(tcp.blob,5,1) == "\x93"))
    {
        alert(emule_source, emule_extensions_alert,
              ip.src, tcp.sport, ip.dst, tcp.dport,
              "--AlertDetails",
              "ALERT_ID", "096-022-001",
              "ALERT_CONFIDENCE", 90,
              "ALERT_SEVERITY", "low",
              "ALERT_IMPACT", "unknown",
              "ALERT_EVENT_TYPE", "probe",
              "ALERT_ASSESSMENT", "unknown",
              "IP_PROTO_NUM", 6,
              "IP_ADDR_SRC", ip.src,
              "PORT_SRC", tcp.sport,
              "IP_ADDR_DST", ip.dst,
              "PORT_DST", tcp.dport,
              "ed2k", "ED2K Extensions(Emule) PROTOCOL DATA TRANSFER");
    }
}
```

To sum up: unless you are dealing with protocol-level attack characteristics, do not look for signature elements outside the payload. Within the payload, the signature does not necessarily start at the first byte, and the signature bytes are not necessarily contiguous; the distinctive bytes may only appear after skipping some number of bytes. The best approach is to print out the key packets and compare them on paper, since there is currently no good tool for deriving signatures automatically. A "signature packet" is simply a packet that recurs, whether on a single machine or across a whole subnet.

2) BitTorrent detection

BitTorrent UDP signature detection:

```
# This signature is quite obvious: look for the string
# "d1:ad2:id20:" or "d1:rd2:id20:" at the start of the payload.
if ((substr(udp.blob,0,4) == "d1:a") || (substr(udp.blob,0,4) == "d1:r"))
{
    if (substr(udp.blob,4,8) == "d2:id20:")
    {
        alert(source_bitudp, bit_udp_datatrans_alert,
              ip.src, ip.dst,
              "--AlertDetails",
              "ALERT_ID", "982-002-002",
              "ALERT_SEVERITY", "low",
              "ALERT_IMPACT", "information gathering",
              "ALERT_EVENT_TYPE", "logging",
              "ALERT_ASSESSMENT", "unknown",
              "IP_PROTO_NUM", 17,
              "IP_ADDR_SRC", ip.src,
              "PORT_SRC", udp.sport,
              "IP_ADDR_DST", ip.dst,
              "PORT_DST", udp.dport,
              "BT METHOD", "_9");
    }
}
```

BitTorrent TCP signature:

```
# The signature starts at byte 1 (byte 0 is the protocol-string length).
# "BitTorrent protocol" is the message with which BT clients begin the
# application-layer handshake.
if (substr($blob,1,19) == "BitTorrent protocol")
{
    $confidence = 80;   # let's ID this sucker
    # $hdr_len is assumed to hold the protocol-string length (19), set elsewhere
    # in the original code. After it come 8 reserved bytes and the 20-byte
    # info_hash; the peer_id follows, and its 2-letter client code sits one byte
    # into the peer_id (after the leading '-').
    $ind = substr($blob, (1 + $hdr_len + 8 + 20 + 1), 2);
    debug:trace(" $ind = ", $ind, " $offset = ", (1 + $hdr_len + 8 + 20 + 1));
    $client = BT_CLIENT_DB[$ind];
    if ($client == NULL)
    {
        # XXX wait, there's more: fall back to a one-letter client code
        $client = "unknown";
        if (BT_CLIENT_DB[substr($ind,0,1)])
        {
            $client = BT_CLIENT_DB[substr($ind,0,1)];
        }
    }
}
```



IPS/IDS signature identification and writing signatures or rules