Suspicious Traffic; Server Messages; Indirect Signatures - Enterasys Intrusion Prevention System Manual

Network sensor policies and signatures guide
Signature Overview
A good example of this is the PHF attack. Normally, an attack against older web servers could be
accomplished by sending specially formatted argument strings to the /cgi-bin/phf program which,
at one point, shipped with many common web servers. There are hundreds of permutations
which may all be based on the /cgi-bin/phf program, and each of these attacks or probes references
that URL. Programming the Network Sensor to look for /cgi-bin/phf in all port 80 server traffic
therefore detects a wide variety of web probes and attacks.

Suspicious Traffic

Unlike the usage signatures, the suspicious signatures focus on data that should not be present in
various network sessions. This data is much more generic and there is no direct correlation to a
specific attack. Several very good examples of these signatures exist.
First, consider almost any CGI-BIN attack program. They inevitably run commands on target
machines. Often they make use of programs such as /bin/cat, /bin/id, and /bin/mail. As these
programs do not occur in normal web traffic, merely searching for these occurrences may indicate
a web attack of some kind.
Second, consider protocols such as FTP and SMTP. Typically, these protocols are entirely ASCII
based. All file transfer is with the 7-bit printable character set. Almost all buffer overflows to these
services can be detected by looking for long strings of binary data.
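The two suspicious-traffic checks described above, written out as an added example (this is not code from the Enterasys manual or the Network Sensor itself). The function names, the printable-byte definition and the run-length threshold are assumptions; the sample payloads are constructed here.

```python
# Added example: two "suspicious traffic" checks in the spirit of the section
# above. Not from the Enterasys manual; names and thresholds are assumptions.

# Command paths that have no business appearing in a normal HTTP request line.
SUSPICIOUS_WEB_COMMANDS = ("/bin/cat", "/bin/id", "/bin/mail")


def suspicious_web_commands(request_line: str) -> list[str]:
    """Return the suspicious command paths found in an HTTP request line."""
    return [cmd for cmd in SUSPICIOUS_WEB_COMMANDS if cmd in request_line]


# 7-bit printable ASCII plus the control characters that ASCII-based protocols
# legitimately use (tab, LF, CR). Everything else counts as "binary".
_ALLOWED = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def longest_binary_run(payload: bytes) -> int:
    """Length of the longest consecutive run of bytes outside the printable set."""
    longest = run = 0
    for b in payload:
        if b in _ALLOWED:
            run = 0
        else:
            run += 1
            longest = max(longest, run)
    return longest


def looks_like_overflow(payload: bytes, min_run: int = 64) -> bool:
    """True when a command-channel payload carries a long run of binary data.

    min_run is an assumed threshold: short runs (an accented UTF-8 character
    in an SMTP header, say) are normal, hundreds of non-printable bytes in a
    row on an FTP or SMTP command channel are not.
    """
    return longest_binary_run(payload) >= min_run


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "ftp-retr": b"RETR file.txt\r\n",                 # ordinary FTP command
    "smtp-utf8": b"Subject: caf\xc3\xa9\r\n",           # two non-ASCII bytes, benign
    "ftp-user-padded": b"USER " + b"\x90" * 200 + b"\r\n",  # long binary argument
}


def scan_samples(samples: dict = SAMPLES, min_run: int = 64) -> dict:
    """Map each sample name to (longest binary run, flagged?)."""
    return {name: (longest_binary_run(p), looks_like_overflow(p, min_run))
            for name, p in samples.items()}


if __name__ == "__main__":
    print(suspicious_web_commands("GET /cgi-bin/test?x=/bin/id HTTP/1.0"))
    for name, result in scan_samples().items():
        print(name, result)
```

The binary-run check is meant for the command channel (FTP control connection, SMTP), where the manual's observation that traffic is 7-bit printable holds; a raw FTP data connection carrying a binary file would trip it, so the sensor policy should bind this signature to the command port rather than to data connections.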

Server Messages

Many times an attack is known, but it is easier to look for it in the return traffic from the server.
Consider some unknown protocol that, after 10 failed login attempts, issues the message "Login
Unsuccessful - Account Closed". Instead of searching for all 10 failed login attempts and correlating
them within a window of time, this single message can be searched for. The responses to
network attacks can also be analyzed in real time: if a buffer overflow drops a network session to a
BASH shell prompt, a signature can be written to look for that prompt in the server's output.

Indirect Signatures

The last type of signature discussed here is the indirect signature. These signatures search for
network patterns that may indirectly indicate some form of network misuse or system
compromise.
An example of this was the Attrition mirror of defaced web sites. (They no longer mirror defaced
web sites.) They maintained a custom web crawler that attempted to retain the original copy of a
hacked web site. While downloading the web site, the web crawler passed several web client
parameters to the web server. Many of these parameters included messages such as "If you see
this, your site may have been compromised". From this statement you could conclude indirectly
that the only reason the Attrition web crawler had visited your site was that at least one site
had been defaced.
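To show how the four signature classes in this chapter (usage, suspicious, server message and indirect) differ in practice, here is an added example of a small direction-aware matcher that is not part of the Enterasys manual or the Network Sensor. It encodes the chapter's own example strings as signatures and runs them over constructed session records; the record layout, the port used for the hypothetical account-lockout protocol, the assumed shell-prompt text and the header carrying the crawler message are all assumptions made for the example.

```python
# Added example, not from the Enterasys manual: the chapter's signature classes
# modelled as direction-aware content matches over constructed sessions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    kind: str        # "usage", "suspicious", "server_message" or "indirect"
    port: int        # server port the session is on
    direction: str   # "to_server" = client payload, "from_server" = server payload
    pattern: bytes


@dataclass(frozen=True)
class Session:
    server_port: int
    client_payload: bytes   # bytes sent client -> server
    server_payload: bytes   # bytes sent server -> client


SIGNATURES = [
    # Usage signature: a URL that hundreds of probes share.
    Signature("phf-probe", "usage", 80, "to_server", b"/cgi-bin/phf"),
    # Suspicious signatures: commands that never appear in normal web traffic.
    Signature("web-cmd-cat", "suspicious", 80, "to_server", b"/bin/cat"),
    Signature("web-cmd-id", "suspicious", 80, "to_server", b"/bin/id"),
    Signature("web-cmd-mail", "suspicious", 80, "to_server", b"/bin/mail"),
    # Server-message signatures: watch the server's reply instead of the attack.
    # Port 2323 is an assumed port for the chapter's unnamed login protocol.
    Signature("account-closed", "server_message", 2323, "from_server",
              b"Login Unsuccessful - Account Closed"),
    # "bash-" is an assumed fragment of a default bash prompt; tune per environment.
    Signature("bash-prompt", "server_message", 80, "from_server", b"bash-"),
    # Indirect signature: the crawler's message says nothing about the attack itself.
    Signature("attrition-crawler", "indirect", 80, "to_server",
              b"your site may have been compromised"),
]


def match(session: Session, signatures=SIGNATURES) -> list[str]:
    """Return the names of signatures that fire on one session, in policy order."""
    hits = []
    for sig in signatures:
        if sig.port != session.server_port:
            continue
        payload = (session.client_payload if sig.direction == "to_server"
                   else session.server_payload)
        if sig.pattern in payload:
            hits.append(sig.name)
    return hits


# Constructed sessions (not captured traffic; the request strings are not exploits).
SAMPLE_SESSIONS = {
    "normal": Session(80, b"GET /index.html HTTP/1.0\r\n", b"HTTP/1.0 200 OK\r\n"),
    "phf": Session(80, b"GET /cgi-bin/phf?x=/bin/cat HTTP/1.0\r\n",
                   b"HTTP/1.0 404 Not Found\r\n"),
    "lockout": Session(2323, b"user\nbadpass\n", b"Login Unsuccessful - Account Closed\n"),
    # Same text, wrong direction: a client typing the message must not fire.
    "lockout-client-side": Session(2323, b"Login Unsuccessful - Account Closed\n", b"Welcome\n"),
    # X-Note is an assumed header name for the crawler's client parameter.
    "crawler": Session(80, b"GET / HTTP/1.0\r\nX-Note: If you see this, your site may "
                           b"have been compromised\r\n", b"HTTP/1.0 200 OK\r\n"),
    "shell-reply": Session(80, b"GET /cgi-bin/phf HTTP/1.0\r\n", b"bash-2.05$ "),
}


def scan(sessions: dict = SAMPLE_SESSIONS) -> dict:
    """Map each session name to the list of signatures that fired."""
    return {name: match(s) for name, s in sessions.items()}


if __name__ == "__main__":
    for name, hits in scan().items():
        print(f"{name:20} {hits}")
```

Two design points carry over from the text: the server-message signatures only inspect the server-to-client payload, so the same string typed by a client is ignored, and every signature is bound to a port, so an ASCII string that is normal on one service is not flagged on another.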
3-2 Creating Network Sensor Signatures
