Signature Overview
Default Installs
It can be very useful to look for default installations of a variety of network services such as web
servers. Any default "It worked" web pages originating from your network may be worth
investigating. The Enterasys IPS signature library should include some examples of these
signatures, but various commercial web servers may not have been incorporated.
Look for Backdoors
Everyone wants to find backdoors. They indicate that a break-in has occurred and is in use. Here
are some suggestions that can be used to discover backdoor activity in addition to the backdoor
signatures.
High-Port Detection
Watching for suspicious TCP sessions on high ports can identify compromised servers. It is very
common for hackers to install network software that allows them to connect to the compromised
box at a later time. Detection is accomplished by watching TCP traffic for SYN-ACK packets,
which are only sent when a server responds to a client's connection request. Noticing these "new"
services on your network can indicate a possible break-in. Additionally, logging SYN-ACKs that
arrive into your network can identify someone inside your network connecting to a high port
someplace else.
Long SSH Sessions
SSH can be used as a temporary VPN. Looking for START and STOP messages on port 22 reveals
the length of an SSH session. If the session lasted a long time, or transferred a lot of data, this can
indicate a hacker who is using SSH to maintain remote access to a network. It can also indicate an
administrator violating a security policy. The amount of data transferred in a TCP session can be
determined by analyzing the initial and final sequence numbers.
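The following is an added example, not code from the Enterasys manual, showing how a defender could score reconstructed port-22 sessions on the two criteria above. It assumes the sensor's START/STOP records supply timestamps plus the initial sequence number and the FIN sequence number for each direction (the record layout and the thresholds are assumptions), and it handles the 32-bit sequence-number wraparound that a naive subtraction gets wrong.

```python
from dataclasses import dataclass

SEQ_MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

@dataclass
class SshSession:
    """One port-22 session rebuilt from START/STOP records (constructed sample data)."""
    client: str
    server: str
    start: int        # START timestamp, epoch seconds
    stop: int         # STOP timestamp, epoch seconds
    c_isn: int        # client initial sequence number (from the SYN)
    c_fin: int        # sequence number of the client's FIN segment
    s_isn: int        # server initial sequence number (from the SYN-ACK)
    s_fin: int        # sequence number of the server's FIN segment
    c_wraps: int = 0  # full 2^32 wraps of the client sequence space seen by the sensor
    s_wraps: int = 0  # same for the server direction

def seq_bytes(isn, fin_seq, wraps=0):
    """Payload bytes sent in one direction. The SYN consumes sequence number isn, so data
    starts at isn+1 and the FIN is sent at isn+1+data; hence data = fin-isn-1, computed
    modulo 2^32 to survive wraparound, plus any full wraps the sensor counted."""
    delta = (fin_seq - isn) % SEQ_MOD + wraps * SEQ_MOD
    return max(delta - 1, 0)

def session_bytes(s):
    return seq_bytes(s.c_isn, s.c_fin, s.c_wraps) + seq_bytes(s.s_isn, s.s_fin, s.s_wraps)

def flag_session(s, max_seconds=4 * 3600, max_bytes=50 * 2 ** 20):
    """Return the reasons (possibly none) this session deserves a look: duration or volume."""
    reasons = []
    duration = s.stop - s.start
    if duration > max_seconds:
        reasons.append(f"long session: {duration} s")
    total = session_bytes(s)
    if total > max_bytes:
        reasons.append(f"high volume: {total} bytes")
    return reasons

# Constructed samples: a 90-second admin login, and a 10-hour tunnel whose client
# sequence space wrapped and whose server side pushed about 200 MB.
SAMPLE = [
    SshSession("10.0.0.5", "192.0.2.10", 1_700_000_000, 1_700_000_090, 1000, 1501, 5000, 205001),
    SshSession("10.0.0.7", "198.51.100.4", 1_700_000_000, 1_700_036_000,
               SEQ_MOD - 100, (SEQ_MOD - 100 + 1 + 300) % SEQ_MOD, 9000, 9000 + 1 + 200 * 2 ** 20),
]

def review(sessions):
    """Map 'client->server' to its flag reasons; sessions with no reasons are omitted."""
    return {f"{s.client}->{s.server}": r for s in sessions if (r := flag_session(s))}

if __name__ == "__main__":
    for key, reasons in review(SAMPLE).items():
        print(key, "; ".join(reasons))
```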
Off-Port Servers
Enterasys IPS signatures can be written to look for almost any service on the wrong port. A
common hacker (or malicious administrator) technique is to run services such as HTTP, FTP, and
SSH on ports other than their standard port number. For example, many WAREZ FTP servers run
on TCP port 69. Simple signatures can be deployed to discover these off-port services, which
should be considered backdoors.
Suspicious Command Execution
When an attacker has successfully exploited a software vulnerability and achieved elevated
privilege, it is common for the attacker to use various system tools to verify that the desired level
of access has actually been achieved or can be used. Good examples of Enterasys IPS signatures
designed to detect such activity include the COMP:WIN-2K3 signature, which detects command
shell execution on a Windows 2003 server, and the COMP:ROOT-TCP signature, which detects the
output of the UNIX "id" command indicating that the current user ID is root. Additional steps an
attacker may take are to compile new binaries and/or change permissions on certain system files
to make re-entry easier.
Examples of signatures designed to detect such activity include the GENERIC:SHELL-SETUID-UDP,
GENERIC:SHELL-SETUID-TCP, and GCC:COMPILE-WARNING signatures. The Enterasys IPS
signature set has many signatures that are designed not only to detect specific attacks, but also
the likely follow-on effects of such attacks.
3-4 Creating Network Sensor Signatures