Extending snort, without knowing C for dirt

About This Presentation

Title:

Extending snort, without knowing C for dirt

Description:

Co-author of one of the plugins discussed in this presentation ... Buy flak jackets to save us from the rest of the Snort developers. Ok, that's it. Thanks ... – PowerPoint PPT presentation

Number of Views:198

Avg rating:3.0/5.0

Slides: 72

Provided by: tri5428

Category:

more less

Transcript and Presenter's Notes

Title: Extending snort, without knowing C for dirt

1
Extending snort, without knowing C for dirt

Brian Caswell

2
Thanks

Jeff Nathan (jeff_at_snort.org)
Co-author of one of the plugins discussed in this
presentation
Co-author of any number of slides for this
presentation
Sourcefire (http//www.sourcefire.com)
Paying me to work on snort
Michelle (my wife)
Who let me skip out on watching our son and new
puppy to give this presentation

3
The life of a packet through Snorts detection
engine
4
Overview of protocol decoding and protocol
anomaly detection

Static Decoders
Normalization of Data

5
Recent detection improvements

Advanced content options (distance, within,
byte_test and byte_jump)
All purpose state engine (conversation)
Improved message passing between components

6
Distance

contentSITE contentEXEC distance0

53 49 54 45 20 20 20 20 20 45 58 45 43 20 65
76 SITE EXEC ev 69 6C 66 6F 6F 0A
ilfoo.
7
Distance

contentSITE contentEXEC distance0

53 49 54 45 20 20 20 20 20 45 58 45 43 20 65
76 SITE EXEC ev 69 6C 66 6F 6F 0A
ilfoo.
8
Distance

contentSITE contentEXEC distance0

53 49 54 45 20 20 20 20 20 45 58 45 43 20 65
76 SITE EXEC ev 69 6C 66 6F 6F 0A
ilfoo.
9
Distance

contentSITE contentEXEC distance0

53 49 54 45 20 20 20 20 20 45 58 45 43 20 65
76 SITE EXEC ev 69 6C 66 6F 6F 0A
ilfoo.
10
Within

contentSITE content!0a within50

53 49 54 45 20 20 20 20 20 45 58 45 43 20 65
76 SITE EXEC ev 69 6C 66 6F 6F 0A
ilfoo.
11
Within

contentSITE content!0a within50

53 49 54 45 20 20 20 20 20 45 58 45 43 20 65
76 SITE EXEC ev 69 6C 66 6F 6F 0A
ilfoo.
12
Within

contentSITE content!0a within50

53 49 54 45 20 20 20 20 20 45 58 45 43 20 65
76 SITE EXEC ev 69 6C 66 6F 6F 0A
ilfoo.
13
Within

contentSITE content!0a within50

53 49 54 45 20 20 20 20 20 45 58 45 43 20 65
76 SITE EXEC ev 69 6C 66 6F 6F 0A
ilfoo.
14
Byte Test

content" LSUB 22" content"22 "
distance0 byte_test5,gt,256,0,string,dec,relativ
e

31 20 4C 53 55 42 20 22 22 20 7B 31 30 36 34 7D
1 LSUB "" 1064
15
Byte Test

content" LSUB 22" content"22 "
distance0 byte_test5,gt,256,0,string,dec,relativ
e

31 20 4C 53 55 42 20 22 22 20 7B 31 30 36 34 7D
1 LSUB "" 1064
16
Byte Test

content" LSUB 22" content"22 "
distance0 byte_test5,gt,256,0,string,dec,relativ
e

31 20 4C 53 55 42 20 22 22 20 7B 31 30 36 34 7D
1 LSUB "" 1064
17
Byte Test

content" LSUB 22" content"22 "
distance0 byte_test5,gt,256,0,string,dec,relativ
e

31 20 4C 53 55 42 20 22 22 20 7B 31 30 36 34 7D
1 LSUB "" 1064
18
Byte Test

content" LSUB 22" content"22 "
distance0 byte_test5,gt,256,0,string,dec,relativ
e

31 20 4C 53 55 42 20 22 22 20 7B 31 30 36 34 7D
1 LSUB "" 1064
19
Byte Test

content" LSUB 22" content"22 "
distance0 byte_test5,gt,256,0,string,dec,relativ
e

31 20 4C 53 55 42 20 22 22 20 7B 31 30 36 34 7D
1 LSUB "" 1064
20
Byte Jump

content"00 00 00 00" offset8 depth4
content"00 01 86 F3" offset16 depth4
content"00 00 00 07" distance4 within4
byte_jump4,4,relative,align byte_jump4,4,relati
ve,align byte_test4,gt,128,0,relative

00 00 0F 9C 36 51 D5 2B 00 00 00 00 00 00 00 02
....6Q......... 00 01 86 F3 00 00 00 01 00 00 00
07 00 00 00 01 ................ 00 00 00 20 37
5E D1 6A 00 00 00 09 6C 6F 63 61 ...
7.j....loca 6C 68 6F 73 74 00 00 00 00 00 00 00
00 00 00 00 lhost........... 00 00 00 00 00 00
00 00 00 00 00 00 00 00 0F FF ................ 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
AAAAAAAAAAAAAAAA 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 AAAAAAAAAAAAAAAA 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41
AAAAAAAAAAAAAAAA 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 AAAAAAAAAAAAAAAA 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41
AAAAAAAAAAAAAAAA
21
Byte Jump

content"00 00 00 00" offset8 depth4
content"00 01 86 F3" offset16 depth4
content"00 00 00 07" distance4 within4
byte_jump4,4,relative,align byte_jump4,4,relati
ve,align byte_test4,gt,128,0,relative

content"00 00 00 00" offset8 depth4
content"00 01 86 F3" offset16 depth4
content"00 00 00 07" distance4 within4
byte_jump4,4,relative,align byte_jump4,4,relati
ve,align byte_test4,gt,128,0,relative

content"00 00 00 00" offset8 depth4
content"00 01 86 F3" offset16 depth4
content"00 00 00 07" distance4 within4
byte_jump4,4,relative,align byte_jump4,4,relati
ve,align byte_test4,gt,128,0,relative

content"00 00 00 00" offset8 depth4
content"00 01 86 F3" offset16 depth4
content"00 00 00 07" distance4 within4
byte_jump4,4,relative,align byte_jump4,4,relati
ve,align byte_test4,gt,128,0,relative

content"00 00 00 00" offset8 depth4
content"00 01 86 F3" offset16 depth4
content"00 00 00 07" distance4 within4
byte_jump4,4,relative,align byte_jump4,4,relati
ve,align byte_test4,gt,128,0,relative

content"00 00 00 00" offset8 depth4
content"00 01 86 F3" offset16 depth4
content"00 00 00 07" distance4 within4
byte_jump4,4,relative,align byte_jump4,4,relati
ve,align byte_test4,gt,128,0,relative

content"00 00 00 00" offset8 depth4
content"00 01 86 F3" offset16 depth4
content"00 00 00 07" distance4 within4
byte_jump4,4,relative,align byte_jump4,4,relati
ve,align byte_test4,gt,128,0,relative

Advantages
Relatively Fast
State-based implementations

Disadvantages
Users are not programmers
Requires recompilation of the entire system
Requires specific knowledge of the protocol (in
addition to Snort)

29
The promise of advanced rules

A quicker development cycle for discrete protocol
anomaly detection
Only requires knowledge of Snorts rule language
and the protocol itself
NO NEED TO LEARN C

30
Where existing advanced rules and preprocessors
fall short

New preprocessors can require significant
development time
Preprocessors rely on Snorts pattern matching
for detection of normalized data
No advanced constructs (loops, regex, and data
munging)
Not all vulnerabilities can be covered with
advanced rules and existing preprocessors

31
(No Transcript)
32
A new solution sp_perl

Two new detection keywords
perlre provides real regular expressions
perl provides runtime evaluation of virtually
any perl code

33
sp_perl, are we nuts?

Extensibility through perl
No additional CPU cost for non-perl rules
Rapid updates to Snorts detection capabilities
without re-implementing N-CODE

34
OK, so were nuts. How does this actually work?

Create an embedded perl interpreter
Parse all the rules and store perl data for later
When a perl rule option is triggered
Push the rule, payload, and IP data onto the
perl stack
Eval the perl rule
Check the return code of eval

35
Embedded perl

PerlInterpreter my_perl perl_alloc()
perl_construct(my_perl)
perl_parse(my_perl, NULL, 2, perl_cmdline_opts,
NULL)
perl_run(my_perl)
perl_destruct(my_perl)
perl_free(my_perl)

36
OK, but how does that work inside of Snort?

SetupPerlKungFoo()
Verifies the file with our perl functions is
there
Registers our keywords as valid detection options
Allocates a runtime perl interpreter
Initializes the perl stack for our runtime
interpreter
Parses our perl file to get our functions into
the runtime environment
Stores the persistent data specific to sp_perl in
the OptTreeNode(s)

37
sp_perl, what the ugly C does

Calls perl_regex with the pattern, type of test
(perl vs perlre), along with the packet
Pushes args onto a local copy of the perl stack,
then replace the global perl stack with our stack
Calls the appropriate perl function using the new
global perl stack
Pops the return code from the perl stack, convert
to an integer
Returns the next test on the OptTreeNode on
success, otherwise 0

38
Example Rules
39
IMAP LSUB Buffer Overflow

CAN-2000-0284
11/11-104541.482210 172.16.2.13033012 -gt
10.2.2.250143
AP Seq 0x6F578C60 Ack 0xFE6E84A1 Win
0x16D0 TcpLen 32
31 20 4C 53 55 42 20 22 22 20 7B 31 30 36 34 7D
1 LSUB "" 1064
0D 0A
..
11/11-104541.482699 10.2.2.250143 -gt
172.16.2.13033012
AP Seq 0xFE6E84A1 Ack 0x6F578C72 Win
0x7BFC TcpLen 32
TCP Options (3) gt NOP NOP TS 26213694 338288987
2B 20 52 65 61 64 79 20 66 6F 72 20 61 72 67 75
Ready for argu
6D 65 6E 74 0D 0A
ment..
11/11-104541.483459 172.16.2.13033012 -gt
10.2.2.250143
AP Seq 0x6F578C72 Ack 0xFE6E84B7 Win
0x16D0 TcpLen 32
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
................

40
IMAP LSUB Buffer Overflow, continued

Our content
1 LSUB 1064\r\nSHELLCODEHERE
So how do we detect this?
Regex
Regex and some math

41
IMAP LSUB Buffer Overflow, regex

1 LSUB 1064\r\nSHELLCODEHERE
Regex
\w\sLSUB\s"\s\d4,

42
IMAP LSUB Buffer Overflow, regex and some math

1 LSUB 1064\r\nSHELLCODEHERE
Regex
\w\sLSUB\s"\s(\d)
Math
1 gt 1000

43
IMAP LSUB Buffer Overflow, the rules

alert ip any any -gt any any (perlre/\w\sLSUB\s
"\s\d4,/)
alert ip any any -gt any any (perl"content
/\w\sLSUB\s"\s(\d)/\ 1 gt
1000")

44
IMAP LSUB Buffer Overflow, the optimized rules

alert tcp any any -gt any 143 (flowto_server,estab
lished contentLSUB perlre/\w\sLSUB\s
"\s\d4,/)
alert tcp any any -gt any 143 (flowto_server,estab
lished contentLSUB perl"content
/\w\sLSUB\s"\s(\d)/\ 1 gt
1000")

45
FTP Port Bounce

CVE-1999-0017
12/31--50000.007051 10.1.1.2543161 -gt
10.1.1.11321
AP Seq 0x4FE9C1C4 Ack 0x1E001761 Win
0x7D78 TcpLen 32
70 6F 72 74 20 31 37 32 2C 31 36 2C 30 2C 33 32
port 172,16,0,32
2C 31 32 2C 37 32 0A
,12,72.

46
FTP Port Bounce, continued

Our content
port 172,16,0,32,12,72\n
So how do we detect this?
Regex and some perl

47
FTP Port Bounce, regex and some perl

port 172,16,0,32,12,72
Regex
content /port\s(\d),(\d),(\d),(\d)/
The Perl
srcip ne 1.'.'.2.'.'.3.'.'.4

48
FTP Port Bounce, the rules

alert tcp any any -gt any 21 ( flowto_server,estab
lished contentport nocase perl"content
/port\s(\d),(\d),(\d),(\d)/i srcip ne
1.'.'.2.'.'.3.'.'.4")

49
HTTP Unknown Version

04/06-200412.457297 10.200.1.10033599 -gt
66.35.250.15080
TCP TTL64 TOS0x0 ID58321 IpLen20 DgmLen56 DF
AP Seq 0xDD594D3E Ack 0xAEE Win 0x1490
TcpLen 20
47 45 54 20 2F 20 48 54 54 50 2F 30 2E 32 0A 0A
GET / HTTP/0.2..

50
HTTP Unknown Version, continued

Our content
GET / HTTP/0.2\n\n
So how do we detect this?
Regex
Regex and some perl

51
HTTP Unknown Version, regex

GET / HTTP/0.2\n\n
Regex
\sHTTP/(0\.91\.11\.0)\r0,1\n

52
HTTP Unknown Version, regex and some perl

GET / HTTP/0.2\n\n
Regex
\sHTTP/(\n)\n
Perl
1 ne '1.1' 1 ne '1.0' 1 ne '0.9'

53
HTTP Unknown Version, the rules

alert tcp any any -gt any 80 (flowto_server,establ
ished contentHTTP perlre\sHTTP/(0\.91\.11
\.0)\r0,1\n)
alert tcp any any -gt any 80 (flowto_server,establ
ished contentHTTP perl"content !
HTTP/(.3)! 1 ne '1.1' 1 ne '1.0' 1
ne '0.9'")

54
Even more advanced foo

So, you want one or two specific rules to email
you when they fire.
Add this to snort.pl
sub insane
my (srcip,content) _at__
use NetSMTP
my server "mail.server.com" my email
"perlfoo\_at_snort.org"
my smtp NetSMTP-gtnew(server) die
"Can't connect to mail server"
smtp-gtmail(from) smtp-gtto(to)
smtp-gtdata()
smtp-gtdatasend("To email\nFrom email\n")
smtp-gtdatasend("Subject perl alert - srcip
srcip\n\ncontent\n")
smtp-gtdataend() smtp-gtquit()
Then use it in your rule
insane(srcip,content)

55
Whats wrong with sp_perl

Slow. Eval kills us
Embedding perl. Yes, thats nuts
No method to make sure our users didnt write
dumb code

56
Another solution, pcre

Perl style compatible regular expressions
70 of the perl win without perl
Decently fast
Only took about an hour to hook in ?

57
PCRE? How does that work?

Call pcre_compile with re and compile time flags
Call pcre_study to optimize the re
For each packet, call pcre_exec with our re,
study data, run time flags, and our payload
Check the return code of pcre_exec

58
PCRE compile time flags

Anchored
Just like using
Nocase
case insensitive
eos_matches_on_eos_only
Make look for the end of the string, not each
EOL
dot_includes_newline
Without it . wont match on \n (very useful in
combination with multiline)
Multiline
Treat the packet as one big line of characters
so and match on the beginning of the
packet and end of the packet
not_greedy
Dont try and match as many times as possible,
just give us the minimum (not compatable with
perl)
Utf8
Treat both the pattern and packet as strings of
utf8 characters

59
PCRE run time flags

not_begining_of_line
The first character of the payload isnt the
beginning of a line (changes how works)
not_eol
The end of the string isnt by default an end of
a line (Changes how works)
not_empty
An empty string can be a valid match (if it
passes all the re)
relative
Match relative to the end of the last content
match (like using distance0)
dump_config
Dump out the configuration for each pcre after it
is built

60
PCRE vs IMAP LSUB Buffer Overflow

1 LSUB 1064\r\nSHELLCODEHERE
alert tcp any any -gt any 143 (flowto_server,estab
lished pcre\w\sLSUB\s\\\\s\d4,
, nocase)

61
Future Work with sp_perl

Figure out how to pass the entire packet struct
in and out of perl
Add in relative matching
Create anonymous subroutines for each perl call,
which gets us out of having to eval
Instead of raw perl, use swig
Buy flak jackets to save us from the rest of the
Snort developers

62
Ok, thats it. Thanks