Tips for Creating Signatures
The most useful advice for writing signatures is to keep the number of signatures needed to accomplish your goals as small as possible. Start by considering the platform being protected. On a UNIX web server, for example, there is no need for signatures that look for IIS attacks. Write generic signatures that look for references to /cgi-bin/ combined with keywords such as /etc/passwd, /etc/group, /bin/mail and xterm -display. Other configurations could search for combinations of /cgi-bin/ and hex-escaped characters such as %20 (space) and %0a (newline). A few generic signatures cost less to match against every packet the sensor inspects than many narrow ones, so keeping this frame of mind when developing signatures helps optimize performance. Additional signature suggestions are described below.
Look for CGI Probes
Look for Smart CGI Probes
Many web-based attacks target UNIX servers through CGI-BIN programs. Almost all of these attacks cause a script to execute commands of the attacker's choosing. This is usually accomplished by passing unanticipated arguments and parameters containing shell escape characters, target programs and target files to a CGI-BIN script. In short, write generic signatures that look for references to /cgi-bin/ and keywords such as /etc/passwd, /etc/group, /bin/mail and xterm -display. Other configurations could search for combinations of /cgi-bin/ and hex-escaped characters such as %20 and %0a. Keep in mind that an attacker can hex-encode the keywords themselves (for example %2Fetc%2Fpasswd), so a literal keyword match is most reliable when it is applied to the URL-decoded request where the sensor supports that, and that %20 on its own also appears in legitimate form submissions and will need tuning.
Look for Failed CGI Probes
Watching for 404 (Not Found) responses to web requests that also reference /cgi-bin/ can reveal either a broken CGI-BIN program or a probe for a CGI script that does not exist on this server. Scanners typically request dozens of well-known script names in sequence, so a burst of such 404s from one source is a strong indicator of a probe rather than a broken link.
Honey-pot CGI and SCRIPTS Directories
For UNIX and IIS web servers, it may be useful to rename the CGI-BIN or SCRIPTS directory to something else. A savvy attacker will quickly determine the new name by analyzing the live web server, but automated tools will fail. Once legitimate links no longer point at the original directory, any request to either original name can be flagged with confidence, because a normal client has no reason to use it.
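The three CGI checks above (keyword and hex-escape probes, failed probes, and hits on a renamed decoy directory) expressed as detection logic run over web server access-log lines. This is an added example written for this page, not an Enterasys IPS signature or code from the manual; the signature names, the decoy directory name and the sample log lines are constructed for illustration, and the Common Log Format layout of those lines is assumed.

```python
import re
from typing import List, Optional, Sequence, Tuple
from urllib.parse import unquote

# Keywords from the page's generic CGI-probe signature. "xterm" covers the
# manual's "xterm -display": the classic probe launches xterm with -display.
CGI_KEYWORDS = ("/etc/passwd", "/etc/group", "/bin/mail", "xterm")
# Hex escapes the page pairs with /cgi-bin/: %20 (space) and %0a (newline).
HEX_ESCAPES = ("%20", "%0a")
CGI_DIRS = ("/cgi-bin/", "/scripts/")   # UNIX and IIS script directories

# Apache/IIS Common Log Format; assumed layout of the constructed sample lines.
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})\b')


def decode_fully(s: str, rounds: int = 3) -> str:
    """URL-decode until stable (bounded) so %252Fetc%252Fpasswd is caught too."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def classify(line: str, decoy_dirs: Sequence[str] = ()) -> Optional[str]:
    """Return a signature name for one access-log line, or None if it is benign.

    decoy_dirs: script directories that have been renamed away (the page's
    honey-pot idea); any hit on them is reported even if nothing else matches.
    """
    m = CLF.match(line)
    if not m:
        return None
    _src, _method, raw_path, status = m.groups()
    raw = raw_path.lower()
    path = decode_fully(raw)              # keyword checks run on the decoded text
    if not any(d in path for d in CGI_DIRS + tuple(decoy_dirs)):
        return None
    if any(k in path for k in CGI_KEYWORDS):
        return "WEB:CGI-PROBE-KEYWORD"
    if any(h in raw for h in HEX_ESCAPES):  # escapes exist only in the raw form
        return "WEB:CGI-PROBE-HEX-ESCAPE"
    if any(d in path for d in decoy_dirs):
        return "WEB:CGI-HONEYPOT-HIT"
    if status == "404":
        return "WEB:CGI-PROBE-FAILED"
    return None


SAMPLE_LOG = [  # constructed for this example, not real traffic
    '10.0.0.5 - - [12/Mar/2004:09:01:11 -0500] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 812',
    '10.0.0.6 - - [12/Mar/2004:09:01:12 -0500] "GET /cgi-bin/test-cgi?%252Fetc%252Fgroup HTTP/1.0" 200 310',
    '10.0.0.7 - - [12/Mar/2004:09:01:13 -0500] "GET /cgi-bin/formmail.pl?recipient=a%20b HTTP/1.0" 200 120',
    '10.0.0.8 - - [12/Mar/2004:09:01:14 -0500] "GET /cgi-bin/nph-test-cgi HTTP/1.0" 404 210',
    '10.0.0.9 - - [12/Mar/2004:09:01:15 -0500] "GET /cgi-bin/search.cgi?q=firewall HTTP/1.0" 200 2048',
    '10.0.0.9 - - [12/Mar/2004:09:01:16 -0500] "GET /index.html HTTP/1.0" 200 5120',
]


def scan(lines: Sequence[str], decoy_dirs: Sequence[str] = ()) -> List[Tuple[str, str]]:
    """Run classify() over a log and return (source address, signature) pairs."""
    hits = []
    for line in lines:
        label = classify(line, decoy_dirs)
        if label:
            hits.append((CLF.match(line).group(1), label))
    return hits


if __name__ == "__main__":
    for src, label in scan(SAMPLE_LOG):
        print(src, label)
    # With /cgi-bin/ renamed to something else, every remaining hit on it is a decoy hit:
    for src, label in scan(SAMPLE_LOG, decoy_dirs=("/cgi-bin/",)):
        print("decoy:", src, label)
```

The second sample line shows why the decoding step matters: the double-encoded %252Fetc%252Fgroup never contains the literal string /etc/group, and a signature matched against the raw request would miss it. The third line shows the other side of the %20 rule, a harmless space in a form field that this generic check will still flag.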
Look for Administrator Access
Every network has some administrator access that is performed from authorized locations. Monitoring for deviations from this "normal" activity, or from security policy, can be very revealing. Here are some examples.
Consider SNMP. SNMP runs over UDP (port 161, with traps on port 162) and is used to monitor large numbers of network devices. Typically, SNMP packets stay within a protected network. For Network Sensors on the perimeter of such a network, it may be worthwhile to ignore SNMP traffic from valid SNMP servers and log only what is left. If a Network Sensor is placed on the inside of a network, modifying the Enterasys IPS signatures to look only for inbound packets may also be worthwhile.
TFTP (UDP port 69) is another protocol used in the management of routers and phone switches, typically to load configurations and firmware. TFTP has no authentication of its own, so the source address is the only control available. Using Enterasys IPS to watch for any TFTP traffic to these devices that is not from a known or trusted source may turn up a variety of interesting traffic.
Many network servers have become web enabled and have corresponding "administrator" pages.
Detecting these features on your network is a matter of inventory, but once they are identified,
signatures can be constructed to help detect remote and possibly unauthorized access.
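The SNMP, TFTP and web administrator-page ideas above, as detection logic run over packet summaries. This is an added example for this page, not Enterasys IPS signature syntax or code from the manual. The trusted management range, the protected network, the inventory of web-enabled devices, the signature names and the tcpdump-style sample lines are all constructed assumptions; the inbound_only flag models the manual's advice for a sensor placed inside the network.

```python
import ipaddress
import re
from typing import List, Optional, Sequence, Tuple

# Assumed network layout for this example (not taken from the manual).
TRUSTED_MGMT = [ipaddress.ip_network("10.1.1.0/24")]   # authorized NMS and TFTP servers
PROTECTED = [ipaddress.ip_network("10.0.0.0/8")]       # the protected network
ADMIN_HOSTS = {ipaddress.ip_address("10.2.0.50")}      # web-enabled devices found by inventory

UDP_MGMT = {161: "SNMP", 162: "SNMP-TRAP", 69: "TFTP"}  # management protocols and their UDP ports
WEB_PORTS = {80, 443}

# Assumed input: tcpdump-style summary lines, "IP src.sport > dst.dport: PROTO ...".
FLOW = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (\w+)")


def in_any(ip: ipaddress.IPv4Address, nets: Sequence[ipaddress.IPv4Network]) -> bool:
    return any(ip in net for net in nets)


def classify_flow(line: str, inbound_only: bool = False) -> Optional[str]:
    """Name the management protocol if this packet comes from an untrusted source.

    inbound_only models a sensor inside the network that should report only
    packets entering from outside the protected address space.
    """
    m = FLOW.search(line)
    if not m:
        return None
    src, _sport, dst, dport, proto = m.groups()
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    dport, proto = int(dport), proto.upper()
    if proto == "UDP" and dport in UDP_MGMT:
        label = UDP_MGMT[dport]
    elif proto == "TCP" and dport in WEB_PORTS and dst_ip in ADMIN_HOSTS:
        label = "WEB-ADMIN"
    else:
        return None                      # not a management protocol of interest
    if in_any(src_ip, TRUSTED_MGMT):
        return None                      # valid management server: ignore, log the rest
    if inbound_only and in_any(src_ip, PROTECTED):
        return None                      # internal source, so not inbound
    return f"MGMT:{label}-UNTRUSTED-SRC"


SAMPLE_FLOWS = [  # constructed for this example, not real traffic
    "09:00:01.000 IP 10.1.1.10.50000 > 10.2.0.1.161: UDP, length 60",    # trusted NMS polling a switch
    "09:00:02.000 IP 10.5.5.5.50001 > 10.2.0.1.161: UDP, length 60",     # internal host that is not an NMS
    "09:00:03.000 IP 203.0.113.9.50002 > 10.2.0.2.69: UDP, length 40",   # external TFTP to a router
    "09:00:04.000 IP 198.51.100.7.50003 > 10.2.0.50.443: TCP, length 0", # external hit on an admin page
    "09:00:05.000 IP 10.5.5.5.50004 > 10.2.0.1.53: UDP, length 50",      # DNS: not a management protocol
    "09:00:06.000 IP 10.5.5.5.50005 > 10.2.0.51.80: TCP, length 0",      # web host not in the inventory
]


def scan(lines: Sequence[str], inbound_only: bool = False) -> List[Tuple[str, str]]:
    """Run classify_flow() over a capture and return (source address, signature) pairs."""
    hits = []
    for line in lines:
        label = classify_flow(line, inbound_only)
        if label:
            hits.append((FLOW.search(line).group(1), label))
    return hits


if __name__ == "__main__":
    print("perimeter sensor:", scan(SAMPLE_FLOWS))
    print("inside sensor, inbound only:", scan(SAMPLE_FLOWS, inbound_only=True))
```

On the perimeter view the untrusted internal host polling a switch over SNMP is reported; on the inside view with inbound_only set it drops out, while the external TFTP and admin-page connections are reported in both cases. The allow-list is deliberately the only exemption, because TFTP and SNMPv1/v2c carry no authentication the sensor could check instead.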
Creating Network Sensor Policies and Signatures 3-3
Signature Overview