Extending snort, without knowing C for dirt - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Extending snort, without knowing C for dirt
  • Brian Caswell

2
Thanks
  • Jeff Nathan (jeff@snort.org)
      • Co-author of one of the plugins discussed in this presentation
      • Co-author of any number of slides for this presentation
  • Sourcefire (http://www.sourcefire.com)
      • Paying me to work on snort
  • Michelle (my wife)
      • Who let me skip out on watching our son and new puppy to give this presentation

3
The life of a packet through Snort's detection engine
4
Overview of protocol decoding and protocol anomaly detection
  • Static Decoders
  • Normalization of Data

5
Recent detection improvements
  • Advanced content options (distance, within,
    byte_test and byte_jump)
  • All purpose state engine (conversation)
  • Improved message passing between components

6
Distance
  • content:"SITE"; content:"EXEC"; distance:0;

53 49 54 45 20 20 20 20 20 45 58 45 43 20 65 76  SITE     EXEC ev
69 6C 66 6F 6F 0A                                ilfoo.

  • distance:0 makes the second content relative to the first: EXEC is only looked for from the end of the SITE match onward, so the amount of padding between the two words does not matter.
9
Distance
  • contentSITE contentEXEC distance0

53 49 54 45 20 20 20 20 20 45 58 45 43 20 65
76 SITE EXEC ev 69 6C 66 6F 6F 0A
ilfoo.
10
Within
  • content:"SITE"; content:!"|0a|"; within:50;

53 49 54 45 20 20 20 20 20 45 58 45 43 20 65 76  SITE     EXEC ev
69 6C 66 6F 6F 0A                                ilfoo.

  • within:50 limits the relative search to the 50 bytes after the SITE match, and the negated content succeeds only if no newline turns up there, i.e. when the SITE command line is longer than 50 bytes. On this packet the |0a| is found, so the rule does not fire.
13
Within
  • contentSITE content!0a within50

53 49 54 45 20 20 20 20 20 45 58 45 43 20 65
76 SITE EXEC ev 69 6C 66 6F 6F 0A
ilfoo.
14
Byte Test
  • content:" LSUB |22|"; content:"|22| {"; distance:0;
    byte_test:5,>,256,0,string,dec,relative;

31 20 4C 53 55 42 20 22 22 20 7B 31 30 36 34 7D  1 LSUB "" {1064}

  • byte_test reads the 5 bytes at the detection cursor (just past the {), converts the leading decimal digits to a number and alerts when the literal size the client announces is greater than 256.
20
Byte Jump
  • content:"|00 00 00 00|"; offset:8; depth:4;
    content:"|00 01 86 F3|"; offset:16; depth:4;
    content:"|00 00 00 07|"; distance:4; within:4;
    byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
    byte_test:4,>,128,0,relative;

00 00 0F 9C 36 51 D5 2B 00 00 00 00 00 00 00 02  ....6Q..........
00 01 86 F3 00 00 00 01 00 00 00 07 00 00 00 01  ................
00 00 00 20 37 5E D1 6A 00 00 00 09 6C 6F 63 61  ... 7^.j....loca
6C 68 6F 73 74 00 00 00 00 00 00 00 00 00 00 00  lhost...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 0F FF  ................
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA

  • The three contents pin down an RPC call header: message type CALL at offset 8, the program number at offset 16 and, skipping the 4-byte version, procedure 7. Each byte_jump then reads the 4-byte length word 4 bytes past the cursor (stepping over the flavor field) and jumps that far, rounded up to the 4-byte XDR boundary, so the cursor is carried over the variable-length credentials (length 0x20 here) and the verifier (length 0). byte_test finally reads the next length word, 00 00 0F FF = 4095, and alerts because it is greater than 128.
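The slides show the cursor moving one frame at a time but never spell out the arithmetic. The following is an added example, not code from this talk or from Snort: a minimal Python evaluator for content with offset/depth/distance/within, byte_test and byte_jump (with align) that threads one cursor the way Snort threads doe_ptr, run over the payloads transcribed from the hex dumps above. The function names, the option-chain representation and the evaluate() helper are this example's own; the modifier semantics follow the Snort rule documentation. The sample packets are constructed from the dumps (RPC_CALL keeps the 80 bytes of filler shown on the slide).

```python
import re

# Constructed sample payloads, transcribed from the slides' hex dumps.
SITE_EXEC = b"SITE     EXEC evilfoo\n"                       # Distance / Within slides
LSUB = b'1 LSUB "" {1064}\r\n'                                # Byte Test slide
RPC_CALL = (bytes.fromhex("00000F9C 3651D52B 00000000 00000002")    # frag hdr, xid, CALL, rpc v2
            + bytes.fromhex("000186F3 00000001 00000007 00000001")  # prog, vers, proc 7, cred flavor
            + bytes.fromhex("00000020 375ED16A 00000009")           # cred len 32, stamp, hostname len
            + b"localhost\x00\x00\x00"                            # hostname + XDR padding
            + b"\x00" * 12                                        # uid, gid, gid count
            + b"\x00" * 8                                         # verifier flavor + length 0
            + bytes.fromhex("00000FFF") + b"A" * 80)              # argument length 4095, filler


def content(payload, pat, doe, *, offset=0, depth=None, distance=None, within=None, negated=False):
    """content with its modifiers. offset/depth are absolute; distance/within make the
    search relative to doe (the end of the previous match). The whole pattern has to fit
    inside the window. Returns the new cursor, or None when the option fails."""
    relative = distance is not None or within is not None
    start = doe + (distance or 0) if relative else offset
    span = within if relative else depth
    end = len(payload) if span is None else min(len(payload), start + span)
    idx = payload.find(pat, start, end) if 0 <= start <= end else -1
    if negated:                                  # content:!"..." succeeds when the pattern is absent
        return doe if idx < 0 else None
    return None if idx < 0 else idx + len(pat)


def byte_jump(payload, nbytes, offset, doe, *, relative=False, align=False):
    """Read an nbytes big-endian length at offset (from doe when relative), then move the
    cursor past the field and that many bytes further; align rounds the jump up to 4."""
    pos = (doe if relative else 0) + offset
    if pos < 0 or pos + nbytes > len(payload):
        return None
    jump = int.from_bytes(payload[pos:pos + nbytes], "big")
    if align:
        jump = (jump + 3) & ~3
    new_doe = pos + nbytes + jump
    return new_doe if new_doe <= len(payload) else None   # never jump past the packet


_CMP = {">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}


def byte_test(payload, nbytes, op, value, offset, doe, *, relative=False, string=False):
    """Compare nbytes at offset (from doe when relative) with value; string=True converts
    the leading decimal digits the way strtoul does. The cursor does not move."""
    pos = (doe if relative else 0) + offset
    chunk = payload[pos:pos + nbytes]
    if pos < 0 or len(chunk) < nbytes:
        return None
    if string:
        digits = re.match(rb"\d+", chunk)
        if digits is None:
            return None
        got = int(digits.group())
    else:
        got = int.from_bytes(chunk, "big")
    return doe if _CMP[op](got, value) else None


def evaluate(payload, steps):
    """Run the option chain in order, threading the cursor like Snort's doe_ptr."""
    doe = 0
    for step in steps:
        doe = step(payload, doe)
        if doe is None:
            return False
    return True


# The four rules from the slides as option chains.
RULE_DISTANCE = [lambda p, d: content(p, b"SITE", d),
                 lambda p, d: content(p, b"EXEC", d, distance=0)]
RULE_WITHIN = [lambda p, d: content(p, b"SITE", d),
               lambda p, d: content(p, b"\n", d, within=50, negated=True)]
RULE_LSUB = [lambda p, d: content(p, b' LSUB "', d),
             lambda p, d: content(p, b'" {', d, distance=0),
             lambda p, d: byte_test(p, 5, ">", 256, 0, d, relative=True, string=True)]
RULE_RPC = [lambda p, d: content(p, b"\x00\x00\x00\x00", d, offset=8, depth=4),    # msg type CALL
            lambda p, d: content(p, b"\x00\x01\x86\xF3", d, offset=16, depth=4),   # program number
            lambda p, d: content(p, b"\x00\x00\x00\x07", d, distance=4, within=4),  # skip version, proc 7
            lambda p, d: byte_jump(p, 4, 4, d, relative=True, align=True),   # skip flavor, jump over creds
            lambda p, d: byte_jump(p, 4, 4, d, relative=True, align=True),   # same for the verifier
            lambda p, d: byte_test(p, 4, ">", 128, 0, d, relative=True)]     # next length word > 128

if __name__ == "__main__":
    for name, rule, pkt in [("distance", RULE_DISTANCE, SITE_EXEC), ("within", RULE_WITHIN, SITE_EXEC),
                            ("byte_test", RULE_LSUB, LSUB), ("byte_jump", RULE_RPC, RPC_CALL)]:
        print(f"{name:9s} -> {'alert' if evaluate(pkt, rule) else 'no alert'}")
```

Note that byte_jump refuses to carry the cursor past the end of the packet: the length word it reads is attacker controlled, and an unchecked jump is exactly the kind of out-of-bounds read the bounds checks in the sp_pcre source at the end of this talk guard against.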
28
Advantages and Disadvantages of static software
  • Advantages
      • Relatively fast
      • State-based implementations
  • Disadvantages
      • Users are not programmers
      • Requires recompilation of the entire system
      • Requires specific knowledge of the protocol (in addition to Snort)

29
The promise of advanced rules
  • A quicker development cycle for discrete protocol
    anomaly detection
  • Only requires knowledge of Snort's rule language and the protocol itself
  • NO NEED TO LEARN C

30
Where existing advanced rules and preprocessors fall short
  • New preprocessors can require significant development time
  • Preprocessors rely on Snort's pattern matching for detection of normalized data
  • No advanced constructs (loops, regex, and data
    munging)
  • Not all vulnerabilities can be covered with
    advanced rules and existing preprocessors

31
(No Transcript)
32
A new solution: sp_perl
  • Two new detection keywords
  • perlre provides real regular expressions
  • perl provides runtime evaluation of virtually
    any perl code

33
sp_perl, are we nuts?
  • Extensibility through perl
  • No additional CPU cost for non-perl rules
  • Rapid updates to Snort's detection capabilities without re-implementing N-CODE

34
OK, so we're nuts. How does this actually work?
  • Create an embedded perl interpreter
  • Parse all the rules and store perl data for later
  • When a perl rule option is triggered:
      • Push the rule, payload, and IP data onto the perl stack
      • Eval the perl rule
      • Check the return code of eval

35
Embedded perl
    PerlInterpreter *my_perl = perl_alloc();
    perl_construct(my_perl);
    perl_parse(my_perl, NULL, 2, perl_cmdline_opts, NULL);
    perl_run(my_perl);
    perl_destruct(my_perl);
    perl_free(my_perl);

  • The NULL second argument to perl_parse is the xs_init hook. Left NULL, the embedded interpreter has no DynaLoader and cannot load XS modules (the Net::SMTP used on a later slide pulls in IO::Socket, which is XS), so a real embedding passes the xs_init from the perlembed documentation.

36
OK, but how does that work inside of Snort?
  • SetupPerlKungFoo()
      • Verifies the file with our perl functions is there
      • Registers our keywords as valid detection options
      • Allocates a runtime perl interpreter
      • Initializes the perl stack for our runtime interpreter
      • Parses our perl file to get our functions into the runtime environment
      • Stores the persistent data specific to sp_perl in the OptTreeNode(s)

37
sp_perl, what the ugly C does
  • Calls perl_regex with the pattern, the type of test (perl vs perlre) and the packet
  • Pushes the args onto a local copy of the perl stack, then replaces the global perl stack with our stack
  • Calls the appropriate perl function using the new global perl stack
  • Pops the return code from the perl stack and converts it to an integer
  • Returns the next test on the OptTreeNode on success, otherwise 0

38
Example Rules
39
IMAP LSUB Buffer Overflow
  • CAN-2000-0284
  • 11/11-10:45:41.482210 172.16.2.130:33012 -> 10.2.2.250:143
    ***AP*** Seq: 0x6F578C60  Ack: 0xFE6E84A1  Win: 0x16D0  TcpLen: 32
    31 20 4C 53 55 42 20 22 22 20 7B 31 30 36 34 7D  1 LSUB "" {1064}
    0D 0A                                            ..
  • 11/11-10:45:41.482699 10.2.2.250:143 -> 172.16.2.130:33012
    ***AP*** Seq: 0xFE6E84A1  Ack: 0x6F578C72  Win: 0x7BFC  TcpLen: 32
    TCP Options (3) => NOP NOP TS: 26213694 338288987
    2B 20 52 65 61 64 79 20 66 6F 72 20 61 72 67 75  + Ready for argu
    6D 65 6E 74 0D 0A                                ment..
  • 11/11-10:45:41.483459 172.16.2.130:33012 -> 10.2.2.250:143
    ***AP*** Seq: 0x6F578C72  Ack: 0xFE6E84B7  Win: 0x16D0  TcpLen: 32
    90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
    90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................

40
IMAP LSUB Buffer Overflow, continued
  • Our content
  • 1 LSUB "" {1064}\r\nSHELLCODEHERE
  • So how do we detect this?
  • Regex
  • Regex and some math

41
IMAP LSUB Buffer Overflow, regex
  • 1 LSUB "" {1064}\r\nSHELLCODEHERE
  • Regex
      \w+\sLSUB\s""\s\{\d{4,}

42
IMAP LSUB Buffer Overflow, regex and some math
  • 1 LSUB "" {1064}\r\nSHELLCODEHERE
  • Regex
      \w+\sLSUB\s""\s\{(\d+)
  • Math
      $1 > 1000

43
IMAP LSUB Buffer Overflow, the rules
  • alert ip any any -> any any (perlre:"/\w+\sLSUB\s\"\"\s\{\d{4,}/";)
  • alert ip any any -> any any (perl:"$content =~ /\w+\sLSUB\s\"\"\s\{(\d+)/ && $1 > 1000";)

44
IMAP LSUB Buffer Overflow, the optimized rules
  • alert tcp any any -> any 143 (flow:to_server,established; content:"LSUB"; perlre:"/\w+\sLSUB\s\"\"\s\{\d{4,}/";)
  • alert tcp any any -> any 143 (flow:to_server,established; content:"LSUB"; perl:"$content =~ /\w+\sLSUB\s\"\"\s\{(\d+)/ && $1 > 1000";)
  • The cheap options come first: flow and the plain content keep the perl interpreter out of the picture for every packet that does not carry LSUB.

45
FTP Port Bounce
  • CVE-1999-0017
  • 12/31--50000.007051 10.1.1.254:3161 -> 10.1.1.113:21
    ***AP*** Seq: 0x4FE9C1C4  Ack: 0x1E001761  Win: 0x7D78  TcpLen: 32
    70 6F 72 74 20 31 37 32 2C 31 36 2C 30 2C 33 32  port 172,16,0,32
    2C 31 32 2C 37 32 0A                             ,12,72.

46
FTP Port Bounce, continued
  • Our content
  • port 172,16,0,32,12,72\n
  • So how do we detect this?
  • Regex and some perl

47
FTP Port Bounce, regex and some perl
  • port 172,16,0,32,12,72
  • Regex
      $content =~ /port\s(\d+),(\d+),(\d+),(\d+)/
  • The Perl
      $srcip ne $1.'.'.$2.'.'.$3.'.'.$4

48
FTP Port Bounce, the rules
  • alert tcp any any -> any 21 (flow:to_server,established; content:"port"; nocase; perl:"$content =~ /port\s(\d+),(\d+),(\d+),(\d+)/i && $srcip ne $1.'.'.$2.'.'.$3.'.'.$4";)

49
HTTP Unknown Version
  • 04/06-20:04:12.457297 10.200.1.100:33599 -> 66.35.250.150:80
    TCP TTL:64 TOS:0x0 ID:58321 IpLen:20 DgmLen:56 DF
    ***AP*** Seq: 0xDD594D3E  Ack: 0xAEE  Win: 0x1490  TcpLen: 20
    47 45 54 20 2F 20 48 54 54 50 2F 30 2E 32 0A 0A  GET / HTTP/0.2..

50
HTTP Unknown Version, continued
  • Our content
  • GET / HTTP/0.2\n\n
  • So how do we detect this?
  • Regex
  • Regex and some perl

51
HTTP Unknown Version, regex
  • GET / HTTP/0.2\n\n
  • Regex
      \sHTTP/(0\.9|1\.1|1\.0)\r{0,1}\n

52
HTTP Unknown Version, regex and some perl
  • GET / HTTP/0.2\n\n
  • Regex
      \sHTTP/([^\n]+)\n
  • Perl
      $1 ne '1.1' && $1 ne '1.0' && $1 ne '0.9'

53
HTTP Unknown Version, the rules
  • alert tcp any any -> any 80 (flow:to_server,established; content:"HTTP"; perlre:"\sHTTP/(0\.9|1\.1|1\.0)\r{0,1}\n";)
  • alert tcp any any -> any 80 (flow:to_server,established; content:"HTTP"; perl:"$content =~ !HTTP/(.{3})! && $1 ne '1.1' && $1 ne '1.0' && $1 ne '0.9'";)
  • As transcribed, the first rule's pattern matches the three known versions rather than excluding them; whatever negated it on the original slide (a negative lookahead, or a ! on the option) has not survived the transcript. The perl form does the exclusion explicitly, and only looks at three characters of version string.
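The three example rules above are perl one-liners evaluated against what slide 64 pushes onto the perl stack. The following is an added example, not code from this talk: the same three detections written as Python callables that receive the payload and the addressing tuple, plus a perl_regex-style dispatcher that turns their truth value into the 0/1 an option returns. It assumes srcip arrives as a dotted-quad string (the C on slide 64 pushes the raw s_addr), uses the [^\n]+ group from slide 52 for the HTTP version so a version string of any length is examined, and the function and sample names are this example's own. The packets are constructed from slides 39, 45 and 49 with benign counterparts added.

```python
import re


def pkt(content, srcip, dstip, sport, dport):
    """The arguments slide 64 pushes onto the perl stack, as a dict."""
    return {"content": content, "srcip": srcip, "dstip": dstip, "sport": sport, "dport": dport}


def imap_lsub_overflow(content, **_):
    """perl:"$content =~ /\w+\sLSUB\s\"\"\s\{(\d+)/ && $1 > 1000": the literal size in the
    LSUB argument, parsed from the regex capture and compared as a number."""
    m = re.search(rb'\w+\sLSUB\s""\s\{(\d+)', content)
    return m is not None and int(m.group(1)) > 1000


def ftp_port_bounce(content, srcip, **_):
    """perl:"$content =~ /port\s(\d+),(\d+),(\d+),(\d+)/i && $srcip ne $1.'.'.$2.'.'.$3.'.'.$4":
    the address in the PORT command must be the client's own address."""
    m = re.search(rb"port\s(\d+),(\d+),(\d+),(\d+)", content, re.IGNORECASE)
    if m is None:
        return False
    return b".".join(m.groups()).decode() != srcip


def http_unknown_version(content, **_):
    """The slide 53 perl rule's version check over the slide 52 capture group."""
    m = re.search(rb"\sHTTP/([^\r\n]+)\r?\n", content)
    return m is not None and m.group(1) not in (b"1.1", b"1.0", b"0.9")


def perl_regex(rule, packet):
    """Slide 64's calling convention: hand the rule the payload and the addressing
    tuple and return the 0/1 Snort expects from a detection option."""
    fired = rule(packet["content"], srcip=packet["srcip"], dstip=packet["dstip"],
                 sport=packet["sport"], dport=packet["dport"])
    return 1 if fired else 0


RULES = {"imap_lsub_overflow": imap_lsub_overflow,
         "ftp_port_bounce": ftp_port_bounce,
         "http_unknown_version": http_unknown_version}


def run_rules(packets):
    """Return {packet name: [names of the rules that fired]}."""
    return {name: [r for r, fn in RULES.items() if perl_regex(fn, p)] for name, p in packets}


# Constructed packets: the three from the slides and a benign counterpart for each.
SAMPLES = [
    ("imap",       pkt(b'1 LSUB "" {1064}\r\n', "172.16.2.130", "10.2.2.250", 33012, 143)),
    ("imap-ok",    pkt(b'1 LSUB "" {12}\r\n', "172.16.2.130", "10.2.2.250", 33012, 143)),
    ("ftp-bounce", pkt(b"port 172,16,0,32,12,72\n", "10.1.1.254", "10.1.1.113", 3161, 21)),
    ("ftp-ok",     pkt(b"PORT 10,1,1,254,12,72\r\n", "10.1.1.254", "10.1.1.113", 3161, 21)),
    ("http-0.2",   pkt(b"GET / HTTP/0.2\n\n", "10.200.1.100", "66.35.250.150", 33599, 80)),
    ("http-ok",    pkt(b"GET / HTTP/1.1\r\nHost: x\r\n\r\n", "10.200.1.100", "66.35.250.150", 33599, 80)),
]

if __name__ == "__main__":
    for name, fired in run_rules(SAMPLES).items():
        print(f"{name:11s} {', '.join(fired) or '-'}")
```

Each rule stays a pure function of the packet, which is what makes the "check the return code of eval" step on slide 34 enough: there is no state to leak between packets, and nothing here blocks the detection path the way the SMTP callback later in the talk does.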

54
Even more advanced foo
  • So, you want one or two specific rules to email you when they fire.
  • Add this to snort.pl:

    use Net::SMTP;

    sub insane {
        my ($srcip, $content) = @_;
        my $server = "mail.server.com";
        my $email  = "perlfoo\@snort.org";
        my $smtp = Net::SMTP->new($server) || die "Can't connect to mail server";
        $smtp->mail($email);     # the slide used undefined $from/$to; $email serves both here
        $smtp->to($email);
        $smtp->data();
        $smtp->datasend("To: $email\nFrom: $email\n");
        $smtp->datasend("Subject: perl alert - srcip $srcip\n\n$content\n");
        $smtp->dataend();
        $smtp->quit();
    }

  • Then use it in your rule:
      insane($srcip, $content)
  • Bear in mind this runs synchronously inside the detection path, so every matching packet now waits on a mail server round trip (see the next slide), and $content is attacker-supplied data going straight into the mail body.

55
What's wrong with sp_perl
  • Slow. Eval kills us
  • Embedding perl. Yes, that's nuts
  • No method to make sure our users didn't write dumb code

56
Another solution, pcre
  • Perl-compatible regular expressions
  • 70% of the perl win without perl
  • Decently fast
  • Only took about an hour to hook in

57
PCRE? How does that work?
  • Call pcre_compile with the re and the compile-time flags
  • Call pcre_study to optimize the re
  • For each packet, call pcre_exec with our re, the study data, the run-time flags and our payload
  • Check the return code of pcre_exec

58
PCRE compile-time flags
  • Anchored
      Just like using ^ at the start of the pattern (PCRE_ANCHORED)
  • Nocase
      Case insensitive (PCRE_CASELESS)
  • eos_matches_on_eos_only
      Make $ match only at the very end of the payload, not before a trailing newline (PCRE_DOLLAR_ENDONLY)
  • dot_includes_newline
      Without it . won't match \n (very useful in combination with multiline) (PCRE_DOTALL)
  • Multiline
      Without it the packet is one big string and ^ and $ match only at its beginning and end; with it they also match right after and right before each newline in the payload (PCRE_MULTILINE)
  • not_greedy
      Don't try to match as many times as possible, just give us the minimum: quantifiers are lazy by default, which is not what perl does (PCRE_UNGREEDY)
  • Utf8
      Treat both the pattern and the packet as strings of UTF-8 characters (PCRE_UTF8)

59
PCRE run-time flags
  • not_beginning_of_line
      The first character of the payload isn't the beginning of a line, so ^ can't match there (PCRE_NOTBOL)
  • not_eol
      The end of the payload isn't an end of line, so $ can't match there (PCRE_NOTEOL)
  • not_empty
      An empty match is not a valid match, even if the re would allow one (PCRE_NOTEMPTY)
  • relative
      Match relative to the end of the last content match (like using distance:0)
  • dump_config
      Dump out the configuration for each pcre after it is built

60
PCRE vs IMAP LSUB Buffer Overflow
  • 1 LSUB "" {1064}\r\nSHELLCODEHERE
  • alert tcp any any -> any 143 (flow:to_server,established; pcre:"\w+\sLSUB\s\"\"\s\{\d{4,}", nocase;)
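The pcre rule above is the same detection as the perlre one without an interpreter behind it, and the SnortPcre source at the end of this deck shows what the option actually does with the cursor. The following is an added example, not code from the talk or from Snort: a Python re-implementation of that pointer discipline over offsets, with the contrib flag names mapped onto Python's re flags where an equivalent exists (eos_matches_on_eos_only, not_greedy, utf8 and the NOTBOL/NOTEOL/NOTEMPTY run-time flags have no stdlib equivalent and are left out). Function names and the (matched, new_doe) return shape are this example's own; the sample payload is the LSUB packet from slide 39.

```python
import re

# contrib sp_pcre compile-time flag name -> Python re flag, where one exists
FLAGS = {"nocase": re.IGNORECASE, "dot_includes_newline": re.DOTALL, "multiline": re.MULTILINE}


def in_bounds(start, end, ptr):
    """Snort's inBounds(): the pointer must lie inside the half-open payload range."""
    return start <= ptr < end


def snort_pcre(payload, pattern, doe, *, flags=(), relative=False, anchored=False):
    """Mirror SnortPcre over offsets instead of pointers.
    Returns (matched, new_doe); new_doe is None when the cursor was invalid or the
    match ran right up to the end of the payload, just as the C code nulls doe_ptr."""
    start, end = 0, len(payload)
    if doe is not None and not in_bounds(start, end, doe):
        return False, None                    # stale cursor left behind by an earlier option
    base = doe if (relative and doe is not None) else start
    depth = end - base
    if depth < 1:
        return False, doe                     # empty subject, only seen on empty packets
    opts = 0
    for f in flags:
        opts |= FLAGS[f]
    rx = re.compile(pattern, opts)
    subject = payload[base:]                  # pcre_exec gets base_ptr as the subject, so ^ means "at the cursor"
    m = rx.match(subject) if anchored else rx.search(subject)
    if m is None:
        return False, doe
    new_doe = base + m.end()                  # ovector[1]: one past the end of the match, relative to base_ptr
    return True, (new_doe if in_bounds(start, end, new_doe) else None)


LSUB = b'1 LSUB "" {1064}\r\n'               # constructed from the slide 39 dump


def lsub_rule(payload):
    """content:"LSUB"; nocase; pcre:"\s\"\"\s\{\d{4,}", relative, anchored, nocase
    (the slide 60 rule rewritten so the pcre starts exactly where the content ended)."""
    idx = payload.lower().find(b"lsub")
    if idx < 0:
        return False
    matched, _ = snort_pcre(payload, rb'\s""\s\{\d{4,}', idx + 4,
                            flags=("nocase",), relative=True, anchored=True)
    return matched


if __name__ == "__main__":
    print(lsub_rule(LSUB))                                                  # True
    print(snort_pcre(LSUB, rb'\{\d{4,}\}\r\n', 6, relative=True))           # (True, None): match ends at end of payload
```

Slicing the payload at the cursor rather than passing a start position is deliberate: re.search(pattern, payload, pos) would still treat ^ as the start of the whole buffer, whereas Snort hands pcre_exec base_ptr as the subject, so an anchored relative pcre means "immediately after the last content match". The None cursor after a match that reaches the end of the payload is the one quirk worth knowing: inBounds() rejects end_ptr itself, so the next relative option starts from the beginning of the packet.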

61
Future Work with sp_perl
  • Figure out how to pass the entire packet struct
    in and out of perl
  • Add in relative matching
  • Create anonymous subroutines for each perl call,
    which gets us out of having to eval
  • Instead of raw perl, use swig
  • Buy flak jackets to save us from the rest of the
    Snort developers

62
Ok, that's it. Thanks
  • (Or give me a second, and we can look at the source)

63
sp_perl
  • www.snort.org/dl/contrib/snort_perl

64
    int perl_regex(int type, char *operation, Packet *p)
    {
        int n;
        dSP;                                    /* initialize stack pointer */
        ENTER;                                  /* everything created after here */
        SAVETMPS;                               /* ...is a temporary variable. */
        PUSHMARK(sp);                           /* remember the stack pointer */
        XPUSHs(sv_2mortal(newSVpvn((char *) p->data, p->dsize)));   /* push payload onto stack */
        XPUSHs(sv_2mortal(newSVpv(operation, 0)));                  /* push operation onto stack */
        XPUSHs(sv_2mortal(newSVuv(p->iph->ip_src.s_addr)));         /* push srcip onto stack */
        XPUSHs(sv_2mortal(newSVuv(p->iph->ip_dst.s_addr)));         /* push dstip onto stack */
        XPUSHs(sv_2mortal(newSViv(p->sp)));                         /* push srcport onto stack */
        XPUSHs(sv_2mortal(newSViv(p->dp)));                         /* push dstport onto stack */
        PUTBACK;                                /* make local stack pointer global */

65
        /* call the specified function */
        if (type == SNORT_PERL_EXEC)
            perl_call_pv("run_code", G_ARRAY);
        else
            perl_call_pv("regex", G_ARRAY);

        SPAGAIN;                                /* refresh our local copy of the global stack pointer */
        n = POPi;                               /* fetch the return code from perl */
        PUTBACK;
        FREETMPS;                               /* free that return value */
        LEAVE;                                  /* ...and the XPUSHed "mortal" args. */
        return n;                               /* return our return code from perl */
    }

66
sp_pcre
  • www.snort.org/dl/contrib/snort_pcre

67
    int SnortPcre(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list)
    {
        PcreData *pcre_data;                    /* pointer to the eval string for each test */
        int rc;
        int ovector[SNORT_PCRE_OVECTOR_SIZE];
        char *base_ptr, *end_ptr, *start_ptr;
        int dsize;
        int depth;

        /* get my data */
        pcre_data = (PcreData *) fp_list->context;

        if (p->packet_flags & PKT_ALT_DECODE)
        {
            dsize = p->alt_dsize;
            start_ptr = (char *) DecodeBuffer;
        }
        else
        {
            dsize = p->dsize;
            start_ptr = (char *) p->data;
        }

68
        base_ptr = start_ptr;
        end_ptr = start_ptr + dsize;

        if (doe_ptr)
        {
            if (!inBounds(start_ptr, end_ptr, doe_ptr))
            {
                doe_ptr = NULL;
                return 0;
            }
        }

        if (pcre_data->relative && doe_ptr)
            base_ptr = doe_ptr;
        else
            base_ptr = start_ptr;

69
        depth = end_ptr - base_ptr;
        /* you should only see this on empty packets */
        if (depth < 1)
            return 0;

        if (!inBounds(start_ptr, end_ptr, base_ptr))
        {
            doe_ptr = NULL;
            return 0;
        }

70
        rc = pcre_exec(
                pcre_data->re,                  /* result of pcre_compile() */
                pcre_data->pe,                  /* result of pcre_study() */
                base_ptr,                       /* the subject string */
                depth,                          /* the length of the subject string */
                0,                              /* start at offset 0 in the subject */
                pcre_data->match_flags,         /* execute option flags */
                ovector,                        /* vector for substring information */
                SNORT_PCRE_OVECTOR_SIZE);       /* number of elements in the vector */

        if (rc < 0)
        {
            /* pcre failed, so return 0 */
            return 0;
        }
        else
        {
            /*
             * The second int in our ovector is the offset, relative to
             * base_ptr, one past the end of the match.  Point doe_ptr there
             * so the next relative option picks up where this match ended.
             */
            doe_ptr = base_ptr + ovector[1];
        }

71
        /*
         * even though we don't really care about the doe_ptr, we
         * check the doe_ptr anyways just in case other people suck
         * and don't bother to do this either.  Note that a match which
         * runs right up to end_ptr fails this check (inBounds is half
         * open), so doe_ptr is cleared rather than left at end_ptr.
         */
        if (!inBounds(start_ptr, end_ptr, doe_ptr))
        {
            DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "pcre bounds check failed.\n"););
            doe_ptr = NULL;
        }
        DEBUG_WRAP(DebugMessage(DEBUG_PATTERN_MATCH, "pcre doe_ptr set to %p\n", doe_ptr););

        return fp_list->next->OptTestFunc(p, otn, fp_list->next);
    }