Hi,

Just a call for testers really. I've just incorporated N.A.D.S. (Normalized Attack Detection System) into firestorm. The code is available in the HTTP snapshot at:

http://www.scaramanga.co.uk/firestorm/firestorm-snapshot.tar.gz

What the code does is to normalize HTTP requests so that signatures can be more accurately matched. It can also detect certain anomalies or suspicious behaviour in the URL (such as attempting to traverse outside the webroot). The system can also emulate different webservers when performing the normalization, as different webservers handle things in different ways. Currently the emulation setting is configured globally but this will change.

To get the code running just add ONE of the following lines to your firestorm.conf:

  preprocessor http_normalize emulate='IIS'
  preprocessor http_normalize emulate='Apache'

In future, emulation will be configured on a per host basis, and even automatically detected via 'Server' headers (which is quite a simple change, but will mean that the first request might be normalized incorrectly). Also planning on adding an 'http_server_type', 'http_host', 'uriquerycontent' and other such criteria for snort rules.

It currently normalizes the following IDS evasion techniques:

 o HTTP decoder now strips out query string and host header
 o Hex encoding (including double hex encoding)
 o MS UTF-16 (%uNNNN)
 o Overlong UTF-8 encodings
 o Double slashes
 o Backslashes
 o Case normalization
 o . and .. normalized out (eg /./foo/../bar/ becomes /bar/)

Here is an example. The URL starts like this (unicode exploit caught in the wild):

  /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe

Then it gets hex decoded:

  /msadc/..%5c../..%5c../..%5c/..Á^\../..Á^\../..Á^\../winnt/system32/cmd.exe

Then it gets hex decoded again (the emulation type is set to IIS):

  /msadc/..\../..\../..\/..Á^\../..Á^\../..Á^\../winnt/system32/cmd.exe

Then overlong UTF-8 encodings are normalized:

  /msadc/..\../..\../..\/..\../..\../..\../winnt/system32/cmd.exe

Then the path components are normalized:

  /msadc/../../../../../../../../../../../winnt/system32/cmd.exe

Then firestorm alerts due to traversing outside the webroot.

Have fun! :)

-- 
// Gianni Tedesco (gianni at scaramanga dot co dot uk)
lynx --source www.scaramanga.co.uk/scaramanga.asc | gpg --import
8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D
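The normalization pipeline the post walks through, as an added Python example that is not firestorm's code. It assumes the IIS-emulated decoder collapses a 2-byte UTF-8 lead plus the following byte without checking the continuation pattern (which is why %c1%1c turns into a backslash), handles only 2-byte overlong forms, and treats only %uNNNN values below 0x100 as a single byte; the sample URL is the one quoted in the post.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample: the IIS unicode/double-decode request path quoted in the post.
SAMPLE = "/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe"

def decode_utf16(data: bytes) -> bytes:
    # MS %uNNNN form (assumption: only code points below 0x100 collapse to one byte)
    return re.sub(rb"%[uU]([0-9a-fA-F]{4})",
                  lambda m: bytes([int(m.group(1), 16)]) if int(m.group(1), 16) < 0x100 else m.group(0),
                  data)

def decode_lenient_utf8(data: bytes) -> bytes:
    # Collapse a 2-byte UTF-8 lead plus the next byte the way the emulated IIS decoder
    # did: the trailer is not checked for 10xxxxxx, so 0xC1 0x1C becomes 0x5C ('\').
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if cp < 0x80:                 # overlong encoding of an ASCII byte
                out.append(cp); i += 2; continue
        out.append(b); i += 1
    return bytes(out)

def normalize(uri: str, emulate: str = "IIS") -> tuple[str, int]:
    """Return (normalized path, number of '..' steps that left the webroot)."""
    raw = uri.split("?", 1)[0].encode("latin-1")  # query string is stripped
    raw = unquote_to_bytes(decode_utf16(raw))      # first hex pass
    if emulate == "IIS":
        raw = unquote_to_bytes(raw)                # IIS decodes a second time
        raw = decode_lenient_utf8(raw)             # overlong UTF-8 forms collapse
    text = raw.decode("latin-1").replace("\\", "/").lower()
    parts, escapes = [], 0
    for comp in text.split("/"):
        if comp in ("", "."):             # double slashes and '.' vanish
            continue
        if comp == "..":
            if parts:
                parts.pop()
            else:
                escapes += 1              # traversal outside the webroot: alert
            continue
        parts.append(comp)
    norm = "/" + "/".join(parts)
    if parts and text.endswith("/"):
        norm += "/"
    return norm, escapes
```

Running normalize(SAMPLE, "IIS") resolves to /winnt/system32/cmd.exe with ten steps above the webroot, while the Apache emulation leaves the %5c and C1 1C sequences as literal path characters and reports no traversal, which is the point of choosing the right emulation.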