alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"DDOS shaft synflood"; flow:stateless; flags:S,12; seq:674711609; reference:arachnids,253; reference:cve,2000-0138; classtype:attempted-dos; sid:241; rev:10;)
What this says is flow:stateless, i.e. the TCP state is anomalous; the TCP flags field is S,12; and the SEQ field of the TCP segment has the value 674711609. This is of course anomaly-signature detection aimed at one specific tool, and it is not as powerful as the N-Code development approach above. Writing SYN flood detection in N-Code naturally relies on the characteristics of the NFR engine; there is no way to write it like that in Snort rules.
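To make the three rule options concrete, the following Python is an added example (not part of the original page, and not Snort's own code): it parses a fixed 20-byte TCP header and evaluates the rule's `flags:S,12` and `seq:674711609` conditions the way Snort does by default, i.e. the flags byte must equal exactly the requested bits once the bits listed after the comma (the two reserved bits "1" and "2", 0x40 and 0x80, today's ECE/CWR) are masked out. The header bytes are constructed inline for the demonstration, not captured traffic.

```python
import struct
from dataclasses import dataclass

SHAFT_SEQ = 674711609  # the seq: value from the Snort rule above (sid:241)

# Snort flags: keyword letters -> bits in the TCP flags byte.
# "1" and "2" are the two reserved bits that flags:S,12 tells Snort to ignore.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "1": 0x40, "2": 0x80}


@dataclass
class TcpHeader:
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int


def parse_tcp_header(data: bytes) -> TcpHeader:
    """Parse the fixed part of a TCP header (options, if any, are ignored)."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, _off, flags, _win, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", data[:20])
    return TcpHeader(sport, dport, seq, ack, flags)


def flags_match(flags: int, spec: str) -> bool:
    """Evaluate a Snort-style flags:<set>[,<ignore>] option.

    Default Snort semantics: after masking out the ignored bits, the flags
    byte must equal exactly the requested set (no extra flags allowed).
    """
    want_part, _, ignore_part = spec.partition(",")
    want = sum(FLAG_BITS[c] for c in want_part)
    ignore = sum(FLAG_BITS[c] for c in ignore_part)
    return (flags & ~ignore & 0xFF) == want


def is_shaft_synflood(tcp_bytes: bytes) -> bool:
    """flow:stateless means no stream state is consulted, so the whole
    decision is made from the TCP header alone, as here."""
    hdr = parse_tcp_header(tcp_bytes)
    return flags_match(hdr.flags, "S,12") and hdr.seq == SHAFT_SEQ


def build_tcp_header(sport: int, dport: int, seq: int, flags: int) -> bytes:
    """Constructed test header: data offset 5 (20 bytes), zero checksum."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)


if __name__ == "__main__":
    syn = build_tcp_header(40000, 80, SHAFT_SEQ, FLAG_BITS["S"])
    print("shaft SYN matches:", is_shaft_synflood(syn))
    synack = build_tcp_header(80, 40000, SHAFT_SEQ, FLAG_BITS["S"] | FLAG_BITS["A"])
    print("SYN/ACK matches:", is_shaft_synflood(synack))
```

Note that a SYN carrying the ECE bit (0x40) still matches, because `S,12` explicitly ignores the reserved bits, while a SYN/ACK or a SYN with any other sequence number does not; that is exactly why the rule is a tool-specific signature rather than general SYN flood detection.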
I) On detecting password policy
1) POP3 password policy, FTP password policy, SMTP password policy
func authdata {
    $count_array = 0;
    my_info = $1;
    # Ensure proper variable types are sent.
    foreach $i inside (my_info) {
        $count_array = $count_array + 1;
        $check[$i] = cat(typeof( my_info[$i] ));
    }
    if( $check["STATUS"] != "int" || $check["IP_ADDR_DST"] != "ipv4host"
        || $check["IP_ADDR_SRC"] != "ipv4host" ||
        $check["SERVICE_NAME"] != "str" || $count_array != 6 ) {
        return;
    }
    if( ( $check["PASSWORD"] != "str" && my_info["PASSWORD"] != -1 )
        || ( $check["USERNAME"] != "str" && my_info["USERNAME"] != -1 ) ) {
        return;
    }
    $ipsrc = my_info["IP_ADDR_SRC"];
    $ipdst = my_info["IP_ADDR_DST"];
    $service = my_info["SERVICE_NAME"];
    $data_recorded = 0;
    # Assign string if username and password are encrypted or unavailable.
    if ( my_info["USERNAME"] != -1 ) {
        $user = my_info["USERNAME"];
    } else {
        $user = "Username encrypted or not available.";
    }
    # Check the RECORD_PASSWORDS setting and set the recorded password accordingly.
    if ( my_info["PASSWORD"] != -1 ){
        if(RECORD_PASSWORDS == 0){
            $password_record = "********";
        } else $password_record = my_info["PASSWORD"];
    } else {
        $password_record = "Password encrypted or not available.";
    }
    # Check the ALERT_PASSWORDS setting and set the alert password accordingly.
    if ( my_info["PASSWORD"] != -1 ){
        if(ALERT_PASSWORDS == 0){
            $password_alert = "********";
        } else $password_alert = my_info["PASSWORD"];
    } else {
        $password_alert = "Password encrypted or not available.";
    }
    # Failure alert: count failures per user and per (src, dst) address pair.
    if( my_info["STATUS"] == 0){
        if ( BADFREQUSER[$user]) {
            BADFREQUSER[$user] = BADFREQUSER[$user] + 1;
        } else {
            BADFREQUSER[$user] = 1;
        }
        $key = blobbytes(my_info["IP_ADDR_SRC"], my_info["IP_ADDR_DST"]);
        if (BADFREQIP[$key]) {
            BADFREQIP[$key] = BADFREQIP[$key] + 1;
        } else {
            BADFREQIP[$key] = 1;
        }
    }
    # Assign success, failure, undetermined.
    if( my_info["STATUS"] == 1 ) {
        $status = "Success";
    } else {
        if( my_info["STATUS"] == 0 )
            $status = "Failure";
        else
            $status = "Undetermined";
    }
}
This is from NFR N-Code. The passwords handled here are mainly cleartext passwords, and the NFR engine caches them; "Password encrypted or not available" means that an encrypted (ciphertext) password is not recognized. The current NFR source code adds the telnet and SMB protocols: telnet is a three-way negotiation protocol, and after decoding it you obtain the user and password; SMB can also be partly unpacked to recover the password length. With that, the authentication stage can check whether a password is a weak one.
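The following Python is an added example, not code from NFR or from the page, that restates the authdata logic above in a runnable form: per-event password masking under the RECORD_PASSWORDS / ALERT_PASSWORDS settings, the "encrypted or not available" placeholders (here `None` stands in for the N-Code's -1), the per-user and per-(src, dst) failure counters BADFREQUSER / BADFREQIP, and the weak-password check the paragraph says becomes possible once a cleartext password has been decoded. The auth events and the small weak-password list are constructed for the demonstration.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional, Tuple

RECORD_PASSWORDS = 0   # 0: mask the password in the stored record (as in the N-Code)
ALERT_PASSWORDS = 0    # 0: mask the password in alerts

MASK = "********"
NO_PASSWORD = "Password encrypted or not available."
NO_USER = "Username encrypted or not available."

# Constructed dictionary of weak passwords; a real policy would use a larger list.
WEAK_PASSWORDS = {"123456", "password", "admin", ""}
MIN_PASSWORD_LEN = 6


@dataclass
class AuthEvent:
    service: str
    ip_src: str
    ip_dst: str
    status: int                 # 1 success, 0 failure, anything else undetermined
    username: Optional[str]     # None == the N-Code's -1 (encrypted / unavailable)
    password: Optional[str]


def is_weak_password(password: Optional[str]) -> bool:
    """Only a decoded cleartext password can be judged; None is unknown, not weak."""
    if password is None:
        return False
    return password in WEAK_PASSWORDS or len(password) < MIN_PASSWORD_LEN


@dataclass
class AuthTracker:
    bad_by_user: Counter = field(default_factory=Counter)        # BADFREQUSER
    bad_by_pair: Counter = field(default_factory=Counter)        # BADFREQIP

    def process(self, ev: AuthEvent) -> dict:
        user = ev.username if ev.username is not None else NO_USER
        if ev.password is None:
            password_record = password_alert = NO_PASSWORD
        else:
            password_record = MASK if RECORD_PASSWORDS == 0 else ev.password
            password_alert = MASK if ALERT_PASSWORDS == 0 else ev.password
        if ev.status == 0:  # failure: bump both frequency counters
            self.bad_by_user[user] += 1
            self.bad_by_pair[(ev.ip_src, ev.ip_dst)] += 1
        status = {1: "Success", 0: "Failure"}.get(ev.status, "Undetermined")
        return {
            "service": ev.service, "src": ev.ip_src, "dst": ev.ip_dst,
            "user": user, "status": status,
            "password_record": password_record, "password_alert": password_alert,
            "weak_password": is_weak_password(ev.password),
        }


# Constructed sample events (not real traffic).
SAMPLE_EVENTS = [
    AuthEvent("pop3", "10.0.0.5", "10.0.0.1", 0, "admin", "123456"),
    AuthEvent("pop3", "10.0.0.5", "10.0.0.1", 0, "admin", "letmein"),
    AuthEvent("ftp", "10.0.0.5", "10.0.0.1", 0, "root", "toor"),
    AuthEvent("smtp", "10.0.0.9", "10.0.0.1", 1, "alice", None),
    AuthEvent("telnet", "10.0.0.9", "10.0.0.2", 2, None, None),
]


def run_sample() -> Tuple[AuthTracker, list]:
    tracker = AuthTracker()
    records = [tracker.process(ev) for ev in SAMPLE_EVENTS]
    return tracker, records


if __name__ == "__main__":
    tracker, records = run_sample()
    for r in records:
        print(r)
    print("failures per user:", dict(tracker.bad_by_user))
    print("failures per (src, dst):", dict(tracker.bad_by_pair))
```

The two counters are what a threshold for a brute-force alert would be checked against; the weak-password flag is only ever set when the engine actually decoded a cleartext credential, which is the limitation the paragraph describes for hashed schemes.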
J) On signature analysis of network worms
1) Panda Burning Incense (熊猫烧香)
The main points in analyzing the Panda Burning Incense virus are the following:
A) Signature features of the EXE itself:

This virus has been packed with the FSG packer, so we can consider unpacking it.
Here we use the unfsg tool:

Below are the features of the EXE after unpacking:
Feature one: the part that cracks passwords over IPC$. It uses a password dictionary, so we could inspect the SMB protocol to see whether weak-password cracking is taking place; however, neither NFR nor Snort is able to decode SMB passwords, because SMB passwords are hashed.

