IDS Gone Bad - PowerPoint PPT Presentation


Transcript and Presenter's Notes

1
IDS Gone Bad
  • Brian Caswell
  • bmc@shmoo.com

2
Intro
  • "Principle" Research Engineer @ Sourcefire
  • Author & Tech Editor of Syngress's "Snort 2.1"
  • Ex snort-rules nazi, 4 years running
  • perl monkey
  • c-diot

3
Agenda
  • Snort
  • Snort Perl
  • Snort Perl new rules via packets
  • Snort Perl new detection functionality via
    packets
  • Snort Perl attack functionality via packets
  • Snort as a worm

4
Snort
  • IDS
  • Free
  • Simple rules language

5
Snort Perl
  • A hack written in December of 2002
  • Added perl "eval" functionality as a detection
    keyword
  • UGLY
  • SLOW
  • Painful to write detection functionality

6
Snort Perl (now)
  • Not as ugly
  • Not as slow
  • Not as hackish
  • Massively cool :)

7
Snort Perl Detection Plugins
  • Arbitrary Perl detection plugins
  • Limited parameters passed to perl
  • Payload
  • IPs
  • Ports
  • Protocol
  • (Oh, and any info returned by the parser
    detection plugin)
  • Any perl module can be loaded, even those that
    link in C

8
Snort Perl Loading Rules off the wire
  • New detection plugin, rule
  • alert tcp any any -> any any (msg:"Added a rule!"; rule:"This is my secure password";)
  • On Snort init
  • Create a new Crypt::CBC cipher object via
    Blowfish
  • Use 'This is my secure password' as key
  • On detection
  • Attempt to decrypt
  • If it smells like a rule, load it!

9
DEMO!
  • See snort with only one rule
  • See packet with the payload "evil!"
  • See packet with the encrypted payload of a rule
    that looks for "evil!"
  • See packet with the payload "evil!"
  • See alert fire

10
Snort Perl Loading Plugins off the wire
  • New Detection Plugin "plugin"
  • alert tcp any any -> any any (msg:"Added a plugin!"; plugin:"This is my secure password";)
  • On Snort init
  • Create a new Crypt::CBC cipher object using
    Blowfish
  • Use 'This is my secure password' as key
  • On detection
  • Attempt to decrypt
  • If it smells like a plugin, load it!

11
DEMO!
  • See snort with only one rule
  • See packet with the payload "system('touch /tmp/evil')"
  • See no file /tmp/evil
  • See packet with the encrypted payload of a
    detection plugin to run "system" commands
  • See packet with the encrypted payload of a rule
    that uses the detection plugin
  • See packet with the payload "system('echo shmoo rules > /tmp/evil')"
  • See "shmoo rules" in /tmp/evil
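
The mechanism of slides 8 through 11 (the "rule" and "plugin" keywords: a Crypt::CBC/Blowfish object created at init, attempt-to-decrypt on every packet, a "smells like" check, then load) as a stand-alone Perl re-enactment. This is an added example written for this page, not snort-perl's own code or the presenter's. The slides do not show snort-perl's plugin calling convention, so the interface here (keyword => coderef, a packet hash carrying the proto/IP/port/payload parameters listed on slide 7), the wire format of a pushed plugin, and every packet payload are assumptions constructed for the demo. It needs Crypt::CBC and Crypt::Blowfish from CPAN; recent Crypt::CBC releases may warn that the slide-era default key derivation is deprecated.

```perl
# Added example, not code from snort-perl or the slides: a stand-alone re-enactment
# of the "rule" and "plugin" keywords (slides 8-11). Assumes the CPAN modules
# Crypt::CBC and Crypt::Blowfish are installed. The plugin interface (keyword =>
# coderef), the packet record and every payload are constructed here, not snort-perl's.
use strict;
use warnings;
use Crypt::CBC;

my $KEY = 'This is my secure password';   # the shared key from the slides
my %ciphers;                              # key string -> Crypt::CBC object
my @rules;                                # live rule set, grows at runtime
my %plugins;                              # detection keyword -> sub($pkt, $arg)

# "On Snort init: create a Crypt::CBC cipher object via Blowfish" (one per key).
sub cipher_for {
    my ($key) = @_;
    return $ciphers{$key} //= Crypt::CBC->new(-key => $key, -cipher => 'Blowfish');
}

# "Attempt to decrypt": a payload not produced under this key either fails the
# Crypt::CBC header check (croak) or decrypts to garbage; both are swallowed here,
# so the "smells like" regex below is the only gate before loading.
sub try_decrypt {
    my ($key, $blob) = @_;
    return scalar eval { cipher_for($key)->decrypt($blob) };
}

my $RULE_RE = qr/^alert\s+(\w+)\s+\S+\s+\S+\s+->\s+\S+\s+\S+\s+\((.*)\)\s*$/s;
sub smells_like_rule   { $_[0] =~ $RULE_RE }
sub smells_like_plugin { $_[0] =~ /^\s*\+?\{\s*keyword\s*=>/ }

# Parse 'alert proto src sport -> dst dport (msg:"..."; kw:"arg"; ...)' and add it.
sub load_rule {
    my ($text) = @_;
    my ($proto, $opts) = $text =~ $RULE_RE or return 0;
    my ($msg, @checks) = ('no msg');
    while ($opts =~ /(\w+)\s*:\s*"([^"]*)"\s*;/g) {
        my ($kw, $arg) = ($1, $2);
        if ($kw eq 'msg') { $msg = $arg; next }
        my $plugin = $plugins{$kw} or return 0;        # unknown keyword: reject
        push @checks, sub { $plugin->($_[0], $arg) };  # options run in order, short-circuit
    }
    push @rules, { proto => $proto, msg => $msg, checks => \@checks };
    return 1;
}

$plugins{content} = sub { my ($pkt, $arg) = @_; index($pkt->{payload}, $arg) >= 0 };  # content stand-in

# Slide 8: the "rule" keyword. Its argument is the key; returning true means "loaded".
$plugins{rule} = sub {
    my ($pkt, $key) = @_;
    my $plain = try_decrypt($key, $pkt->{payload});
    return defined $plain && smells_like_rule($plain) && load_rule($plain);
};

# Slide 10: the "plugin" keyword. Same decrypt step, then eval of arbitrary Perl in
# the sensor process; the code is expected to return +{ keyword => ..., code => sub }.
$plugins{plugin} = sub {
    my ($pkt, $key) = @_;
    my $plain = try_decrypt($key, $pkt->{payload});
    return 0 unless defined $plain && smells_like_plugin($plain);
    my $new = eval $plain;
    return 0 if $@ || ref $new ne 'HASH' || !$new->{keyword} || ref $new->{code} ne 'CODE';
    $plugins{ $new->{keyword} } = $new->{code};
    return 1;
};

# Run every rule over one packet and return the msgs that fired. Iterate a copy:
# a rule loaded while this packet is inspected applies only to later packets.
sub inspect {
    my ($pkt) = @_;
    my @fired;
    for my $r (@{[ @rules ]}) {
        next unless $r->{proto} eq 'any' || $r->{proto} eq $pkt->{proto};
        my $hit = 1;
        for my $c (@{ $r->{checks} }) { $hit = $c->($pkt) ? 1 : 0; last unless $hit }
        push @fired, $r->{msg} if $hit;
    }
    return @fired;
}

# The carrier rules from slides 8 and 10, as they would come from snort.conf.
load_rule(q{alert tcp any any -> any any (msg:"Added a rule!"; rule:"This is my secure password";)})     or die;
load_rule(q{alert tcp any any -> any any (msg:"Added a plugin!"; plugin:"This is my secure password";)}) or die;

my $sender = cipher_for($KEY);   # sender side: anyone holding the key can mint these blobs
my $exec_plugin_src = <<'PERL';
+{ keyword => 'exec', code => sub { my ($pkt, $arg) = @_; system($pkt->{payload}) == 0 } }
PERL

# Constructed packets replaying the demo sequence of slides 9 and 11.
my @wire = (
    ['payload "evil!"',           'evil!'],
    ['encrypted rule',            $sender->encrypt(q{alert tcp any any -> any any (msg:"found evil"; content:"evil!";)})],
    ['payload "evil!" again',     'evil!'],
    ['encrypted "exec" plugin',   $sender->encrypt($exec_plugin_src)],
    ['encrypted rule using exec', $sender->encrypt(q{alert tcp any any -> any any (msg:"ran payload"; content:"echo "; exec:"";)})],
    ['shell command payload',     'echo shmoo rules > /tmp/evil'],
);
for my $w (@wire) {
    my ($label, $payload) = @$w;
    my @hits = inspect({ proto => 'tcp', src => '10.0.0.5', sport => 4444, dst => '10.0.0.9', dport => 80, payload => $payload });
    printf "%-28s -> %s\n", $label, @hits ? join(', ', @hits) : '(no alert)';
}
```

Run it with `perl` and read the six lines in order: the first "evil!" packet raises nothing, the encrypted rule fires "Added a rule!", the second "evil!" fires "found evil", the pushed plugin fires "Added a plugin!", the rule that uses it fires "Added a rule!", and the final packet fires "ran payload" after writing /tmp/evil, exactly the slide 11 sequence. The thing to notice is where the trust boundary sits: Blowfish-CBC under a shared password provides confidentiality only, so "smells like a rule" is the sole integrity check, and anyone who knows (or recovers) that password and can place traffic on a monitored segment loads rules into the sensor and, through the plugin keyword, runs arbitrary Perl with whatever privileges Snort has.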

12
Snort Perl Metasploit
  • New Detection Plugin "hack"
  • Banner Grab
  • Call metasploit with appropriate arguments

13
DEMO!
  • See snort with rule using "hack" plugin
  • See network traffic that calls hack plugin
  • See box get hacked

14
Snort Perl Metasploit Worm
  • See vulnerable service
  • Attack vulnerable service via metasploit
  • Upload Snort
  • Start Snort

15
Now for some better uses
  • Patch management
  • Policy Enforcement
  • Cool Party Tricks

16
Thanks
  • Buy my book!
  • http://www.shmoo.com/bmc/software/snort-perl/
  • bmc@shmoo.com
  • Questions?