# QQLive UDP data-channel signature (reported as QQLIVE METHOD "_2").
# Fires when the UDP payload starts with 0x91 0x00 or 0x92 0x00 and the
# 11 bytes starting at offset 3 are all NUL (assuming substr(str, offset, len)).
# Byte 2 is not compared at all -- presumably it varies between packets; confirm
# against captures before tightening.
# NOTE(review): there is no port restriction and no minimum-length check here.
# A two-byte tag followed by a run of zeros is a weak pattern, so this is
# informational only and is likely to false-positive on other UDP traffic;
# combining it with a udp.dport range is the usual way to cut that down.
if ((substr(udp.blob,0,2) == "\x91\x00") || (substr(udp.blob,0,2) == "\x92\x00"))
{
# Offsets 3..13 must be zero; a payload shorter than 14 bytes simply fails to match.
if(substr(udp.blob,3,11) == "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
{
# Logging-only alert: severity "info", impact "information gathering".
# The IP/port fields mirror the packet's own UDP 5-tuple (proto 17 = UDP).
alert( source_qqliveudpdata, qqlive_udp_datatrans_alert,
ip.src, ip.dst,
"--AlertDetails", "ALERT_ID", "988-002-002",
"ALERT_SEVERITY", "info",
"ALERT_IMPACT", "information gathering",
"ALERT_EVENT_TYPE","logging",
"ALERT_ASSESSMENT", "unknown",
"IP_PROTO_NUM", 17,
"IP_ADDR_SRC", ip.src,
"PORT_SRC", udp.sport,
"IP_ADDR_DST", ip.dst,
"PORT_DST", udp.dport,
"QQLIVE METHOD","_2");
}
}
}
这些软件都属于P2P软件类,它们的数据报大致可以分为以下几种类型,每种类型对应不同的特征提取策略:
1) HTTP 访问类:主要是软件界面交互所需的请求,一般不专门为其编写特征。因为P2P软件升级时这部分改动很大,签名随之就要跟着修改,维护成本高,不太值得做。
2) TCP CONTROL部分:走TCP的软件控制协议,应尽量从中提取特征。
3) TCP DATA部分:走TCP的数据通道,常常是加密数据,一般不抓特征;即使偶尔能找到特征,也容易误报。
4) UDP CONTROL部分:走UDP的软件控制协议,应尽量从中提取特征。
5) UDP DATA部分:走UDP的数据通道,常常是加密数据,一般不抓特征;即使偶尔能找到特征(如上面QQLive的例子,只靠几个固定字节),也容易误报。
6) 端口可以作为附加检测条件:把端口限定在一定范围内,与载荷特征组合使用,可以减少误报。
D) 基于HTTP协议的软件或相关漏洞的攻击特征
1) CodeRed(红色代码)检测
SNORT RULES 2.3里检测CodeRed II的办法是:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:8;)
检测URI里是否包含/root.exe。注意这条规则匹配的是CodeRed II感染后留下的后门(root.exe)被访问的行为,而不是蠕虫传播时发出的.ida溢出请求本身,所以它只能发现感染之后的利用,发现不了正在进行的传播。
相比之下,NFR里的检测方法更合理,它直接针对溢出请求本身:
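# Key number used by the HTTP backend to flag a request for an .ida resource
# (the IIS Indexing Service ISAPI filter); checked via "KEY_IDA inside $matched".
KEY_IDA = 14;
# Table of known CodeRed propagation URIs, keyed by the EXACT request URI and
# mapped to a human-readable variant name. Lookups are whole-string matches, so
# this table only labels known samples; any other oversized .ida request is
# still caught by the generic length check that follows.
# The two entries were wrapped onto two lines in the listing; a newline inside
# the key would never equal a real request URI, so each key is restored to a
# single line here.
CODERED_VARIANTS["/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"] = "CodeRed";
CODERED_VARIANTS["/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"] = "CodeRed II";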
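# CodeRed / IIS Indexing Service overflow check.
# Trigger: the request targets an .ida resource (KEY_IDA is among the matched
# keys) AND the URI is longer than IISISAPI_INDEXING_BUFSIZE. That length
# condition is the actual exploit mechanism, so it catches unknown variants too.
# If the whole URI is one of the known CODERED_VARIANTS keys the alert is
# labelled with the variant name; otherwise a generic overflow-attempt alert is
# raised. Both paths write to MYRECORDER and misc_attacks and then return 1.
# NOTE(review): only KEY_IDA is checked here; whether the same ISAPI filter's
# .idq entry point is covered by another key is not visible in this listing.
if (KEY_IDA inside $matched &&
strlen($uri) > IISISAPI_INDEXING_BUFSIZE) {
# Exact-match table lookup (absent key is presumably false); not a substring search.
if (CODERED_VARIANTS[$uri]) {
alert(www_iis_source, codered_alert,
tcp.connsrc, tcp.conndst,
substr(CODERED_VARIANTS[$uri], 0, 1024),
"--AlertDetails", "ALERT_ID", "27-64",
"ALERT_CONFIDENCE", _:confidence(90),
"ALERT_SEVERITY", "high",
"ALERT_IMPACT", "code execution",
"ALERT_EVENT_TYPE", "attack",
"ALERT_ASSESSMENT", "unknown",
"CONTEXT", attack:context(codered_alert),
"IP_PROTO_NUM", 6,
"IP_ADDR_SRC", tcp.connsrc,
"PORT_SRC", tcp.connsport,
"IP_ADDR_DST", tcp.conndst,
"PORT_DST", tcp.conndport,
"CMD_NAME", $ci[_:CLIENT_METHOD],
"HTTP_URL", $uri);
record _:CURRENT_TIME(), tcp.connsrc, tcp.connsport,
tcp.conndst, tcp.conndport, CODERED_VARIANTS[$uri],
$uri to MYRECORDER;
misc_attacks:rec(_:CURRENT_TIME(), scope(),
CODERED_VARIANTS[$uri], tcp.connsrc, tcp.conndst);
return (1);
} else {
# Generic overflow attempt: same argument layout as the CodeRed alert above
# (source, alert id, src, dst, detail). The stray empty argument that was
# between www_iis_source and iisindexing_alert has been removed.
alert(www_iis_source, iisindexing_alert,
tcp.connsrc, tcp.conndst, strlen($uri),
"--AlertDetails", "ALERT_ID", "27-65",
"ALERT_CONFIDENCE", _:confidence(90),
"ALERT_SEVERITY", "high",
"ALERT_IMPACT", "code execution",
"ALERT_EVENT_TYPE", "attack",
"ALERT_ASSESSMENT", "unknown",
"CONTEXT", attack:context(iisindexing_alert),
"IP_PROTO_NUM", 6,
"IP_ADDR_SRC", tcp.connsrc,
"PORT_SRC", tcp.connsport,
"IP_ADDR_DST", tcp.conndst,
"PORT_DST", tcp.conndport,
"CMD_NAME", $ci[_:CLIENT_METHOD],
"HTTP_URL", $uri);
record _:CURRENT_TIME(), tcp.connsrc, tcp.connsport,
tcp.conndst, tcp.conndport,
"IIS Indexing Service Buffer Overflow Attempt", $uri
to MYRECORDER;
misc_attacks:rec(_:CURRENT_TIME(), scope(),
"IIS Indexing Service Buffer Overflow Attempt",
tcp.connsrc, tcp.conndst);
return (1);
}
}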
N-CODE里对CodeRed的检测针对的是它溢出传播的过程,我认为这样做比较合理:先确认请求命中.ida(KEY_IDA inside $matched)并且URI长度超过IISISAPI_INDEXING_BUFSIZE,这时就可以认定为IIS Indexing Service缓冲区溢出尝试;在此基础上,如果整个URI恰好与CODERED_VARIANTS表中的某个已知样本完全相同(这是精确匹配查表,不是子串匹配),就进一步标记为CodeRed传播,否则报通用的溢出告警。
总结一下:检测这类通过URL传播的蠕虫,最好不要只检测病毒体的文件名或某个固定字符串,因为变种很多;最好检测它的发作原理(这里就是针对.ida的超长请求),已知样本表只用来给告警贴上变种名称。SNORT在这方面有它自己的局限,不是一两条规则能描述清楚的。