![]() |
|
L0pht / NFR IDS Modules sili@L0pht.com mudge@L0pht.comThe Preface :Not to long ago, a company called NFR released a package entitled Network Flight Recorder. The tool promiscuously monitors your network and provides a framework for analyzing, reporting, and modeling the traffic that it sees. While not initially designed as an Intrusion Detection System, the functionality is there to at least the same degree as products on the market explicitly designed as such. In many cases NFR is much more reliable in the IDS realm than the other commercial IDS’ out there. This coupled with the fact that source code for NFR was made publicly available piqued our curiosity. The problem :Sitting on the nfr-users mailing list it became readily apparent that there was a lack of sample code available to the public that demonstrated IDS style functionality for NFR. The solution :So in playing around with NFR and N-Code (the scripting language for the filters) language we threw together a few quick samples which we are happy to offer back to the community. The Disclaimer :This is just educational material. You are free to use these samples in any fashion you deem fit as long as proper credit/attribution is maintained. We, the L0pht, take no responsibility or liability for said samples. The Warez :Back Orifice Detector This module detects patterns that happen within Back Orifice client/server communications. This module does not rely on the poor encryption technique used in BO. We believe this is the best Back Orifice detection tool out there - plus it is free and you get the source code. What more could one want?bo.nfr - the actual Back Orifice module N-Code bo.cfg - the NFR config file for the BO module bo.desc - the NFR description file for the BO module Big Packet Detector Huge packets on your network? Potential denial of service attack underway. Use this module to spot them.bigpacket.nfr - the actual Big Packet module N-Code bigpacket.cfg - the NFR config file for the Big Packet module bigpacket.desc - the NFR description file for the Big Packet module DNS Iquery Exploit logger The net as a whole has been getting knocked over left and right due to the buffer overflow in bind versions. This module watches for Iquery requests going to TCP port 53. The RoTSB exploit always uses a query ID of 31337 so this is parsed for as well.iquery.nfr - the actual iquery module N-Code iquery.cfg - the NFR config file for the iquery module iquery.desc - the NFR description file for the iquery module Lockd and NFS This module looks for NFS service requests (service 100003) going to port 4045 (lockd). Silicosis must have been playing with the customized nfs-shell that mudge did. hrmmmmm...lockd.nfr - the actual lockd module N-Code lockd.cfg - the NFR config file for the lockd module lockd.desc - the NFR description file for the lockd module OOB (WinNuke) Module This module looks for the Urgent Pointer == 3, which causes Windows NT and 95 boxes of various patch levels to crash. Commonly referred to as winnuke.oob.nfr - the actual OOB module N-Code oob.cfg - the NFR config file for the OOB module oob.desc - the NFR description file for the OOB module Statd Exploit Watcher Two very common and widely used exploits are watched for here. The remote shell exploit (tcp)and the link and unlink of files (udp).statd.nfr - the actual statd module N-Code statd.cfg - the NFR config file for the statd module statd.desc - the NFR description file for the statd module rpc.ttdbserverd Exploit Detector This module looks for a buffer overflow being exploited in Solaris. A widely publicized exploit is available so maybe it is not such a bad idea to start looking for it.ttdb.nfr - the actual ttdbserverd module N-Code ttdb.cfg - the NFR config file for the ttdbserverd module ttdb.desc - the NFR description file for the ttdbserverd module Malicious web queries the badweb modules look for requests that indicate malicious activity or attempts to exploit known cgi/http vulnerabilities. Current maliciousness watched for includes:badweb.nfr - the actual badweb module N-Code badweb.cfg - the NFR config file for the badweb module badweb.desc - the NFR description file for the badweb module
finger watcher - the finger module simply watches and logs finger requests. It becomes interesting to see who is looking at the users on your machines or if people are doing finger bounces / old finger style attacks.finger.nfr - the actual finger module N-Code finger.cfg - the NFR config file for the finger module finger.desc - the NFR description file for the finger module
external arp requests - the ext_arp_inside module looks for arp requests asking the response to be sent to an IP address not on the "internal" network(s). This backend accomplishes this by watching for machines being brought up on the wrong networks or potential strange homings of nets/hosts. One of the theories is that when the system first comes live it will gratuitously arp for itself (although Solaris is one of the few systems that does not do this). Another theory is that if another network stub is mis-attached, potentially between network legs that are treated at disparate security levels, you might see arps for a different net’s router with an external network IP in the arp packet.ext_arp_inside.nfr - the actual ext_arp module N-Code ext_arp_inside.cfg - the NFR config file for the ext_arp module ext_arp_inside.desc - the NFR description file for the ext_arp module
external networks watcher - This backend watches for external IP addresses initiating connections across your local wire. Suppose you have an internal network setup where you allow people to initiate connections to the outside world but do not allow externally initiated connections to terminate on internal machines (ESTABLISHED in cisco lingo, or maybe some statefull filter like FW1, or ip-fil). Seeing TCP connections from external networks destined to internal machines with the SYN flag set in these situations would indicate a break in perimiter security. In addition, packets with SYN and any other tcp flags set except for RST are flagged as well. This is due to end systems handling them in different ways - to wit: Microsoft NT treats a SYN|FIN as a raw SYN and happily returns a SYN|ACK. This should alert you of more sophisticated attempts to circumvent filters.ext_net_inside.nfr - the actual ext-net watcher module N-code ext_net_inside.cfg - the NFR config file for the ext-net watcher module ext_net_inside.desc - the NFR description file for the ext-net watcher module
land - This backend watches for land packets. These are packets with the same source and dest IP addresses. This should never be seen in the wild. Upon logging it records the ether address so you can hunt down the offender (that is if you are not passing it through your router… tsk tsk tsk!)land.nfr - the acutal land module N-code land.cfg - the NFR config file for the land module land.desc - the NFR description file for the land module
rip1 - This backend watches what is being advertised via RIP Version 1. This is advantageous when users "accidentally" dual home internal and external networks and bring their machines live running routed.rip1.nfr - the actual rip1 module N-Code rip1.cfg - the NFR config file for the rip1 module rip1.desc - the NFR description file for the rip1 module
rip2 - This backend watches what is being advertised via RIP Version 2. Again, the belief being people should watch for routes being advertised into or out of their network that they are unaware of.rip2.nfr - the actual rip2 module N-Code rip2.cfg - the NFR config file for the rip2 module rip2.desc - the NFR description file for the rip2 module
X-Mas Tree Packet Watcher - This backend looks for packets with ALL tcp flags set (ie SYN|FIN|URG|ACK|RST|PSH). These packets should not exist in normal traffic and are almost always endemic of Denial of Service attacks.xmastree.nfr - the actual xmastree module N-Code xmastree.cfg - the NFR config file for the xmastree module xmastree.desc - the NFR description file for the xmastree module xoutside - This backend watches for what appear to be X connections initiated from internal networks directed to external networks. This could be a potential security concern in attempts to bypass statefull packet filters or if only encrypted and authenticated connections are allowed to internal networks and people are pointing unencrypted X sessions outside.xoutside.nfr - the actual xoutside module N-Code xoutside.cfg - the NFR config file for the xoutside module xoutside.desc - the NFR description file for the xoutside module Conclusion :Welp – hope people find some of this useful. Enjoy! mudge@l0pht.com |