
N.A.D.S. Technology Incorporated into Firestorm.



Hi,

Just a call for testers really. I've just incorporated N.A.D.S.
(Normalized Attack Detection System) into firestorm. The code is
available in the HTTP snapshot at:

	http://www.scaramanga.co.uk/firestorm/firestorm-snapshot.tar.gz

What the code does is to normalize HTTP requests so that signatures can
be more accurately matched. It can also detect certain anomalies or
suspicious behaviour in the URL (such as attempting to traverse outside
the webroot).

The system can also emulate different webservers when performing the
normalization, as different webservers handle things in different ways.
Currently the emulation setting is configured globally but this will
change.

To get the code running just add ONE of the following lines to your
firestorm.conf:

preprocessor http_normalize emulate='IIS'
preprocessor http_normalize emulate='Apache'

In future, emulation will be configured on a per host basis, and even
automatically detected via 'Server' headers (which is quite a simple
change, but will mean that the first request might be normalized
incorrectly). I'm also planning to add 'http_server_type',
'http_host', 'uriquerycontent' and other such criteria for snort rules.

It currently normalizes the following IDS evasion techniques:
 o HTTP decoder now strips out query string and host header
 o Hex encoding (including double hex encoding)
 o MS UTF-16 (%uNNNN)
 o Overlong UTF-8 encodings
 o Double slashes
 o Backslashes
 o Case normalization
 o . and .. normalized out (e.g. /./foo/../bar/ becomes /bar/)

Here is an example. The URL starts like this (unicode exploit caught in
the wild):

/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe

Then it gets hex decoded:

/msadc/..%5c../..%5c../..%5c/..Á^\../..Á^\../..Á^\../winnt/system32/cmd.exe

Then it gets hex decoded again (the emulation type is set to IIS).

/msadc/..\../..\../..\/..Á^\../..Á^\../..Á^\../winnt/system32/cmd.exe

Then overlong UTF-8 encodings are normalized:

/msadc/..\../..\../..\/..\../..\../..\../winnt/system32/cmd.exe

Then the path components are normalized:

/msadc/../../../../../../../../../../../winnt/system32/cmd.exe

Then firestorm alerts due to traversing outside the webroot.
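The same pipeline, written out as a small Python normalizer so the stages can be run against the request above. This is an added example, not Firestorm's code: which stages the 'IIS' and 'Apache' emulation settings get (a second hex pass, lenient overlong UTF-8 folding, backslash and case folding for IIS only) is an assumption made for illustration, as is the %uNNNN handling. The sample request is the one quoted in the post.

```python
# Added example: a URL normalizer modelled on the stages described in the
# post. Constructed for illustration; not Firestorm code. The per-emulation
# rules below (IIS vs Apache) are assumptions, not Firestorm's settings.
import re
from typing import List, NamedTuple, Tuple

_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")
_UNI = re.compile(rb"%u([0-9A-Fa-f]{4})")   # MS-style %uNNNN (UTF-16 code unit)


def hex_decode(path: bytes) -> bytes:
    """One pass of percent-decoding. %uNNNN is folded to a single byte when the
    code unit fits in one, otherwise to its UTF-8 bytes for the next stage."""
    def uni(m) -> bytes:
        cp = int(m.group(1), 16)
        return bytes([cp]) if cp < 0x100 else chr(cp).encode("utf-8", "replace")
    path = _UNI.sub(uni, path)
    return _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), path)


def fold_overlong_utf8(path: bytes) -> bytes:
    """Collapse a two-byte UTF-8 lead (0xC0-0xDF) plus the following byte into
    the code point a lenient decoder computes, ((lead & 0x1F) << 6) | (next & 0x3F),
    but only when the result is ASCII. Well-formed two-byte sequences encode
    U+0080 and above, so only overlong forms such as %c0%af ('/') and %c1%1c
    ('\\') are touched; everything else passes through untouched."""
    out = bytearray()
    i = 0
    while i < len(path):
        lead = path[i]
        if 0xC0 <= lead <= 0xDF and i + 1 < len(path):
            cp = ((lead & 0x1F) << 6) | (path[i + 1] & 0x3F)
            if cp < 0x80:
                out.append(cp)
                i += 2
                continue
        out.append(lead)
        i += 1
    return bytes(out)


def collapse_path(path: bytes, fold_backslash: bool, fold_case: bool) -> Tuple[bytes, bool]:
    """Resolve '.', '..' and repeated slashes. Returns the clean path and a flag
    that is set when '..' climbs above the root, i.e. the request left the webroot."""
    if fold_backslash:
        path = path.replace(b"\\", b"/")
    if fold_case:
        path = path.lower()
    trailing = path.endswith(b"/")
    stack: List[bytes] = []
    escaped = False
    for seg in path.split(b"/"):
        if seg in (b"", b"."):
            continue                     # '//' and '/./' carry no meaning
        if seg == b"..":
            if stack:
                stack.pop()
            else:
                escaped = True           # nothing left to climb out of: outside webroot
            continue
        stack.append(seg)
    clean = b"/" + b"/".join(stack)
    if trailing and stack:
        clean += b"/"
    return clean, escaped


class Normalized(NamedTuple):
    path: bytes
    query: bytes
    traversal: bool
    steps: List[Tuple[str, bytes]]       # (stage name, intermediate form)


def normalize(url: bytes, emulate: str = "IIS") -> Normalized:
    """Run the stages in the order the post describes: strip the query string,
    hex decode, (IIS only) decode again and fold overlong UTF-8, then collapse
    the path. Which stages each emulation gets is an assumption of this example."""
    path, _, query = url.partition(b"?")
    steps: List[Tuple[str, bytes]] = []
    path = hex_decode(path)
    steps.append(("hex", path))
    iis = emulate.upper() == "IIS"
    if iis:
        path = hex_decode(path)          # second pass catches double hex encoding
        steps.append(("hex2", path))
        path = fold_overlong_utf8(path)
        steps.append(("utf8", path))
    path, escaped = collapse_path(path, fold_backslash=iis, fold_case=iis)
    steps.append(("path", path))
    return Normalized(path, query, escaped, steps)


if __name__ == "__main__":
    # The request quoted in the post, used here as test input.
    sample = (b"/msadc/..%255c../..%255c../..%255c/..%c1%1c../"
              b"..%c1%1c../..%c1%1c../winnt/system32/cmd.exe")
    result = normalize(sample, emulate="IIS")
    for name, form in result.steps:
        print(f"{name:5s} {form!r}")
    print("traversal outside webroot:", result.traversal)
```

Running it under IIS emulation reproduces the intermediate forms shown above and ends with the traversal flag set; under Apache emulation the single decode pass leaves `%5c` and the stray bytes in place, no `..` segment ever appears, and nothing is flagged, which is exactly why the emulation setting matters for signature matching.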

Have fun! :)

-- 
// Gianni Tedesco (gianni at scaramanga dot co dot uk)
lynx --source www.scaramanga.co.uk/scaramanga.asc | gpg --import
8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D
