Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: IDS with Case-Based Reasoning

from [Harper, Patrick] Network Security [Permanent Link]
Subject: RE: IDS with Case-Based Reasoning
Date: Wed, 31 Aug 2005 11:19:37 -0500 
http://www.tcpdump.org/tcpdump_man.html

For tcpdump -  Possible protos are: ether, fddi, tr, ip, ip6, arp,
rarp,  decnet,  tcp and  udp.   


-----Original Message-----
From: Israel [mailto:israel@ditech.com.br] 
Sent: Wednesday, August 31, 2005 7:46 AM
To: focus-ids@securityfocus.com
Subject: Re: IDS with Case-Based Reasoning



Hi,

It's easy if you know the protocol to be converted. Only use a C 
structure and write the corresponding snort rules 
into respective 
position. Empty positions can be filled with fake values, because if it 
was important would be in rule. It's irrelevant.

Example:

alert tcp $EXTERNAL_NET 80 -> $HOME_NET 1054 (msg:"BACKDOOR ACKcmdC
trojan scan"; ack:101058054; flags:A,12; seq:101058054; flow:stateless;
reference:arachnids,445; classtype:misc-activity; sid:106; rev:8;)



Fill TCP destination port with 1054, source port with 80, the tcp ack 
with 101058054, on ack flag, seq with 101058054.
Fill the others fields with fake values. dst IP and src IP can be filled

with 192.168.0.1, by example.


Some ways exist to capture real packets. Tcpdump is a good way, but 
capture only tcp.
I'm using libpcap, a C library, and I had good results.


[]'s

Israel


Sanjay Rawat wrote:


Hi Israel:
ok. it sounds well. but why do you want snort rules to be converted 
into corresponding network packets? i may be missing something here. 
it is also possible to take the tcpdump files corresponding to attacks



and use TcpReplay tool to inject those packets. then see which snort 
rules get triggered. in this way, you will come to know the traffic 
corresponding to (required) rules. Am I sounding some sense?

regards
Sanjay



At 07:43 PM 8/25/2005, Israel wrote:


Hi,

In the beginning, I will use some known attacks logs, generated by 
known scans, how nmap, fingerprint and analyzing the TCP packet 
content. The strings in content are good attack indication.
"wget%20" ,  "/bin/sh" are common strings used in server pages

attacks.

Common signatures can be found in snort rules. We can build malicious



network packets to use in repository.

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 
overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; 
reference:bugtraq,2347; reference:cve,2001-0144; 
reference:cve,2001-0572; classtype:shellcode-detect; sid:1324;

rev:6;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 
overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 
90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; 
reference:cve,2001-0144; reference:cve,2001-0572; 
classtype:shellcode-detect; sid:1326; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 
overflow"; flow:to_server,established; content:"|00 01|W|00 00 00 
18|"; depth:7; content:"|FF FF FF FF 00 00|"; depth:14; offset:8; 
reference:bugtraq,2347; reference:cve,2001-0144; 
reference:cve,2001-0572; classtype:shellcode-detect; sid:1327;

rev:7;)


It's some examples found in exploit.rules file.
Currently, I need somebody make a module that converts rules of snort



to real network packets.

=)

Icya


Sanjay Rawat wrote:


Hi Israel:
This is Sanjay. Its nice to hear about your project, based on CBR. i



will be happy to participate in discussion on points/problems, which



you may face during the project. to my understanding, the main issue



in CBR is to represent the known cases (in your case, attacks) in an



effective manner. I find good theoretical papers, but less real-life



implementations of CBR. Most of the applications are from medical 
side. There are couple of papers, suggesting the use of CBR in IDS 
(i dont remember the references at present, probably some googling 
will do that). which attack repository, are you going to use- DARPA?

best wishes and regards
Sanjay

At 08:13 PM 8/24/2005, Israel wrote:


Hello,

I'm developing a IDS project in my computer science graduation.
It will be use Case-Based Reasoning and handle a repository with 
the malicious network log to generate responses.
The libpcap is used to capture a network trafic.
Have you suggestions to implementation?
The software is under GPL license and I would like to invite 
interested peoples to program.

Thanx

Israel Rocha




------------------------------------------------------------------------



Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks 
from CORE IMPACT.
Go to 
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.


------------------------------------------------------------------------






Sanjay Rawat
Senior Software Engineer
INTOTO Software (India) Private Limited
Uma Plaza, Above HSBC Bank, Nagarjuna Hills
PunjaGutta,Hyderabad 500082 | India
Office: + 91 40 23358927/28 Extn 422
Website : www.intoto.com
  Homepage: http://sanjay-rawat.tripod.com









------------------------------------------------------------------------

Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks 
from CORE IMPACT.
Go to 
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to



learn more.


------------------------------------------------------------------------




Sanjay Rawat
Senior Software Engineer
INTOTO Software (India) Private Limited
Uma Plaza, Above HSBC Bank, Nagarjuna Hills
PunjaGutta,Hyderabad 500082 | India
Office: + 91 40 23358927/28 Extn 422
Website : www.intoto.com
  Homepage: http://sanjay-rawat.tripod.com









------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.
------------------------------------------------------------------------


-----------------------------------------
Disclaimer:
This electronic message, including any attachments, is confidential and
intended solely for use of the intended recipient(s). This message may
contain information that is privileged or otherwise protected from
disclosure by applicable law. Any unauthorized disclosure,
dissemination, use or reproduction is strictly prohibited. If you have
received this message in error, please delete it and notify the sender
immediately.


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Next by Date:  Useful NADS, Andrew Plato
Next by Thread:  Re: IDS with Case-Based Reasoning, john . a
Indexes:  [Date] [Thread] [Top] [All Lists]