famousjs's blog

Coming Soon - Honeynet Forensics Challenge

I'm currently working on developing the next Honeynet Forensics Challenge which hopefully will be released soon. Unlike the previous challenges this year, this one will have a focus on memory forensics. I look forward to some interesting and in depth solutions submitted. Once the challenge is finished, I will post it up on the Honeynet web site as well as here.

Rule2Alert Update

After some work, I have committed a patch to the Rule2Alert svn. When run without arguments, Rule2Alert displays the help menu seen below:

famousjs@youbantoo:~/rule2alert$ sudo python r2a.py
Usage: python r2a.py [-vt] -f rule_file -c snort_config -w pcap

Options:
-h, --help show this help message and exit
-f RULE_FILE Read in snort rule file
-c SNORT_CONF Read in snort configuration file
-w PCAP Name of pcap file
-v Verbose hex output of raw alert
-t Test rule against current snort configuration
-m HOMENET Set $HOME_NET IP Address
-e EXTNET Set $EXTERNAL_NET IP Address

Rule2Alert now allows setting the HOME_NET and EXTERNAL_NET variables via arguments. These variables are used when crafting the packets. If these options are used together with the "-t" switch, the variables have to conform to the networks set in the snort.conf file, since the generated pcap is tested against that configuration. If the "-m" or "-e" flags are not set, Rule2Alert fills these variables in based off snort.conf.

The results of loading in emerging-all.rules are seen below (Not all Output Shown):

famousjs@youbantoo:~/rule2alert$ sudo python r2a.py -c /etc/snort/snort.conf -f /etc/snort/rules/emerging-all.rules -w emerging-all.pcap -t
Building Rule: 2004206
Building Rule: 2009700
Building Rule: 2002170
...
...
Loaded 7802 rules successfully!
Writing packets to pcap...
Running snort test...
Alerted on 972 rules
Failed to alert on 6830 rules

--------

This output can be verified by running snort and reading in the created pcap:

famousjs@youbantoo:~/rule2alert$ snort -c /etc/snort/snort.conf -K none -q -A console -r emerging-all.pcap | wc -l
command line overrides rules file alert plugin!
command line overrides rules file logging plugin!
1080

There are actually 1080 alerts in the pcap; however, some of them are duplicates, which Rule2Alert does not report. Rule2Alert now also integrates a Reverse-Regex class written by Blake (JsUnpack) that attempts to generate content matches for pcre sections of a rule.

Honeynet Forensics Challenge

The Honeynet Project has released their new forensics challenge! This challenge, which was provided by Tillmann Werner from the Giraffe Chapter, involves a packet capture that was taken during a network attack. The task is to analyze the pcap and answer as many as possible of the questions posted under the challenge on the Honeynet website. The new challenge post can be found here:

https://www.honeynet.org/node/504

Suricata Release

The Open Information Security Foundation has released the beta version of their multi-threaded Intrusion Detection and Prevention engine known as Suricata. Along with the release of this new engine, they have released the HTP Library. This library is an HTTP normalizer and parser written by Ivan Ristic (mod_security). Thank you to all of the OISF members who worked night and day on this project!

Some new features of this engine include:
Multi-Threading
Automatic Protocol Detection (keywords like HTTP, TLS, FTP, and SMB)
Gzip Decompression (for HTTP compressed streams)
Standard Input Methods
Unified2 Compatibility
Flow Variables
HTTP Logging Module
Much much more!

I look forward to implementing this new engine in the RIT Honeynet project with our Snort box for comparisons. Again, anyone can download the new engine by visiting the OISF Website.

Rule2Alert

I have not made a post recently, mostly because I have been working on a new project as well as many other things, such as school. My new project, which is larger than my previous ones, is called Rule2Alert.

Rule2Alert's goal is to read in snort rules and generate packets that would make snort produce an alert. It is written entirely in python and uses Scapy to craft the packets. It is still under heavy development by myself, Pablo Rincon, and Will Metcalf.

Currently, it is able to generate pcaps based off simple content snort compatible rules. I loaded in the emerging-all.rules file and was able to create a pcap that alerted snort 514 times. The project is not ready to be released yet, but the results look promising so far. This project is currently under the Open Information Security Foundation, as all of the project members are currently working on the new IDS/IPS system Suricata.

The source code can be checked out from here:

http://code.google.com/p/rule2alert/

Example:

test.rule
----------
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Snort alert"; flow:to_server,established; content:"|56 24 5a 63|"; content:"hey"; distance:5; within:12; sid:2000000; rev:1;)
----------

famousjs@youbantoo:~/rule2alert$ sudo python r2a.py -vt -c /etc/snort/snort.conf -f rules/test.rule -w test.pcap
Ether / IP / TCP 192.168.0.1:9001 > 1.1.1.1:www S
Ether / IP / TCP 1.1.1.1:www > 192.168.0.1:9001 SA
Ether / IP / TCP 192.168.0.1:9001 > 1.1.1.1:www A
Ether / IP / TCP 192.168.0.1:9001 > 1.1.1.1:www PA / Raw

-------- Hex Payload Start ----------
56 24 5a 63 20 20 20 20
20 68 65 79
--------- Hex Payload End -----------

Loaded 1 rules successfully!
Writing packets to pcap...
Successfully alerted on all loaded rules
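As an added example (not Rule2Alert's own code), here is a small Python 3 model of the content/distance/within handling that the test.rule above exercises: it parses the content options out of the rule, lays a payload out the way the hex dump shows (the second content placed exactly distance bytes after the first match ends), and then replays snort's relative-match semantics to check that the payload would satisfy the rule. The parser, the 0x20 padding byte and the function names are my assumptions, and only content, distance and within are modelled (no offset/depth, nocase or pcre).

```python
import re

# Constructed input: the test.rule from the post above.
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Snort alert"; '
        'flow:to_server,established; content:"|56 24 5a 63|"; content:"hey"; '
        'distance:5; within:12; sid:2000000; rev:1;)')

# One rule option: keyword, optional value (quoted, or anything up to ';'), then ';'
OPTION_RE = re.compile(r'\s*(\w+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;')


def decode_content(text):
    """Decode a snort content string: |..| segments are hex bytes, the rest is literal text."""
    out = bytearray()
    for i, seg in enumerate(text.split('|')):
        if i % 2:                       # odd segments sit between the pipes -> hex
            out += bytes.fromhex(seg)
        else:
            out += seg.encode('latin-1')
    return bytes(out)


def parse_contents(rule):
    """Return the rule's content options in order, each with its distance/within modifiers.
    Assumption: only content, distance and within are modelled."""
    opts = rule[rule.index('(') + 1:rule.rindex(')')]
    contents = []
    for key, val in OPTION_RE.findall(opts):
        if key == 'content':
            contents.append({'bytes': decode_content(val.strip('"')),
                             'distance': None, 'within': None})
        elif key in ('distance', 'within') and contents:
            contents[-1][key] = int(val)
    return contents


def build_payload(contents, pad=b' '):
    """Lay the contents out back to back, each one exactly `distance` bytes after the
    previous match ends. Padding with 0x20 is a constructed choice."""
    payload = contents[0]['bytes']
    for c in contents[1:]:
        payload += pad * (c['distance'] or 0) + c['bytes']
    return payload


def payload_matches(payload, contents):
    """Replay snort's relative-match semantics on one payload: distance is the minimum
    gap after the previous match, within is the window (measured from the end of the
    previous match) that the next content must fit inside. First occurrence only."""
    prev_end = 0
    for i, c in enumerate(contents):
        start = 0 if i == 0 else prev_end + (c['distance'] or 0)
        pos = payload.find(c['bytes'], start)
        if pos < 0:
            return False
        end = pos + len(c['bytes'])
        if i and c['within'] is not None and end > prev_end + c['within']:
            return False
        prev_end = end
    return True


if __name__ == '__main__':
    contents = parse_contents(RULE)
    payload = build_payload(contents)
    print(' '.join('%02x' % b for b in payload))   # same bytes as the hex dump above
    print('matches:', payload_matches(payload, contents))
```

Shortening the gap below the distance, or tightening within below distance plus the content length, makes payload_matches return False, which is the quickest way to see why a rule that looks correct can still never fire.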

4-Way Handshake

This entry is based off the research from the following post:

http://www.breakingpointsystems.com/community/blog/tcp-portals-the-three...

I decided to use scapy and snort with my current work to test this theory against a very basic rule.

Here is the real handshake script and pcap:
Real.py
real.pcap

Here is the fake handshake script and pcap:
fake.py
fake.pcap

I used the following rule:

alert any any -> any any (msg:"GET Request"; content:"GET"; http_method; sid:2000000; rev:1;)

Here are my results:

famousjs@youbantoo:~/scapy$ sudo snort -c /etc/snort/snort.conf -A console -q -K none -r real.pcap
11/18-01:21:50.511504 [**] [1:40000008:1] GET Request [**] [Priority: 0] {TCP} 192.168.0.89:9012 -> 72.167.232.144:80
famousjs@youbantoo:~/scapy$

famousjs@youbantoo:~/scapy$ sudo snort -c /etc/snort/snort.conf -A console -q -K none -r fake.pcap
famousjs@youbantoo:~/scapy$

As you can see, only the "real" 3-way handshake alerted through snort.

Scapy, TCP Handshakes, and Snort

My previous post briefly went over how you might test snort rules with Scapy. This may be useful if there is an already existing rule, and you don't have any captured traffic to test it against. It may also be useful if you want to learn how snort is looking at each packet so that you might write better snort signatures.

Some of the Snort keywords that can be used for pattern matching require a full TCP handshake to take place before they can match the pattern. This is a perfect scenario for Scapy. Take the following python script for example:

--------

#!/usr/bin/python
from scapy.all import *

#Set the client and server IPs
client = "192.168.1.1"
server = "192.168.1.75"

#Set the client source port and the server destination port
client_port = 12346
server_port = 80

#Set random initial sequence numbers for the handshake
client_isn = 1954
server_isn = 5018

#Create the SYN Packet
syn_p = Ether()/IP(src=client, dst=server)/TCP(flags="S", sport=client_port, \
        dport=server_port, seq=client_isn)

#Create the servers syn-ack response packet
#The SYN-ACK has to acknowledge the client's ISN + 1 (the SYN consumes one
#sequence number), so it is built from syn_p.seq, not from syn_p.ack
synack_p = Ether()/IP(src=server, dst=client)/TCP(flags="SA", \
        sport=server_port, dport=client_port, seq=server_isn, ack=syn_p.seq+1)

#Create our ack for the servers syn-ack
ack_p = Ether()/IP(src=client, dst=server)/TCP(flags="A", sport=client_port, \
        dport=server_port, seq=syn_p.seq+1, ack=synack_p.seq+1)

#Now we should have completed the tcp handshake
#We can now craft a packet that would be sent
#From the client to the server as part of the stream

#Lets build our HTTP payload
data = "GET / HTTP/1.1\r\nHost: www.malforge.com\r\n\r\n"

#Build the packet, and throw the http payload right on the end
#No data has been sent yet, so the seq/ack numbers of the final ACK are reused
get_p = Ether()/IP(src=client, dst=server)/TCP(flags="PA", \
        sport=client_port, dport=server_port, seq=ack_p.seq, ack=ack_p.ack)/data

p_list = [syn_p, synack_p, ack_p, get_p]

wrpcap("handshake.pcap", p_list)

-------
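As an added example, not part of the original post and not Scapy, here is a pure-Python model of why those keywords need the handshake. handshake_segments builds the same four packets with the sequence/ack arithmetic a real TCP stack uses, and track_stream is a minimal stream tracker in the spirit of a stream-aware IDS: it only hands data to the content matcher once a correct three-way handshake has been seen, so a SYN-ACK that acknowledges the wrong number, or data sent with no handshake at all, never gets inspected. The Seg record, the addresses and the function names are constructed assumptions.

```python
from collections import namedtuple

# Constructed segment record: just the fields a stream tracker needs, so this runs
# without Scapy. Flags use Scapy's letters: S, SA, A, PA.
Seg = namedtuple('Seg', 'src dst flags seq ack payload')


def handshake_segments(client, server, client_isn, server_isn, data):
    """Build SYN / SYN-ACK / ACK / data with real sequence arithmetic: each SYN
    consumes one sequence number, data consumes len(data)."""
    syn = Seg(client, server, 'S', client_isn, 0, b'')
    synack = Seg(server, client, 'SA', server_isn, syn.seq + 1, b'')
    ack = Seg(client, server, 'A', syn.seq + 1, synack.seq + 1, b'')
    request = Seg(client, server, 'PA', ack.seq, ack.ack, data)
    return [syn, synack, ack, request]


def track_stream(segments):
    """Minimal stream tracker: returns the final state and the in-order payloads it
    would pass on to content matching. Data seen before a correct three-way
    handshake completes is dropped, which is why rules with flow:established or
    http_method stay silent on such traffic."""
    state = 'CLOSED'
    client = server = None
    expect = {}                     # next sequence number expected from each host
    delivered = []
    for s in segments:
        if state == 'CLOSED' and s.flags == 'S':
            client, server = s.src, s.dst
            expect[client] = s.seq + 1
            state = 'SYN_SENT'
        elif (state == 'SYN_SENT' and s.flags == 'SA' and s.src == server
              and s.ack == expect[client]):
            expect[server] = s.seq + 1
            state = 'SYN_RECV'
        elif (state == 'SYN_RECV' and s.flags == 'A' and s.src == client
              and s.seq == expect[client] and s.ack == expect[server]):
            state = 'ESTABLISHED'
        elif state == 'ESTABLISHED' and s.payload and s.seq == expect.get(s.src):
            delivered.append(s.payload)
            expect[s.src] += len(s.payload)
        # Anything else (wrong ack, out-of-order data, data before the handshake) is dropped.
    return state, delivered


if __name__ == '__main__':
    real = handshake_segments('192.168.1.1', '192.168.1.75', 1954, 5018,
                              b'GET / HTTP/1.1\r\nHost: example.test\r\n\r\n')
    print(track_stream(real))                       # ('ESTABLISHED', [b'GET ...'])
    broken = list(real)
    broken[1] = broken[1]._replace(ack=1)           # SYN-ACK acknowledges the wrong number
    print(track_stream(broken))                     # ('SYN_SENT', [])
    print(track_stream([real[3]]))                  # data with no handshake: ('CLOSED', [])
```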

Using Scapy to Test Snort Signatures

I recently have been playing around with Scapy as seen in my DNS Spoof script.

If you are learning how to write snort signatures, and have a brief understanding about the layers of a packet, then Scapy is great to start with. For a simple example, if you want to test a content rule with snort looking for the string "Hello", you can create the packet in a Scapy python script like so:

from scapy.all import *

payload = "Hello"
p = Ether()/IP(dst="127.0.0.1")/TCP(sport=581, dport=5959)/payload
wrpcap("mycapture.pcap", p)

The snort signature for that might look like:

alert tcp any any -> any any (msg:"Hello Traffic Detected"; content:"Hello"; nocase; sid:100000000; rev:1;)

You can then easily capture packets on the interface and run snort against the pcap.

snort -c myrules -q -A console -K none -r mycapture.pcap

OISF Engine and Working Groups

The Open Information Security Foundation Working Groups are available to join here for anyone who wishes to contribute. For those of you who have never heard of OISF, they are working on developing the next generation open source Intrusion Detection / Intrusion Prevention System. The foundation is headed up by Matt Jonkman, who runs and maintains Emerging Threats. The working groups are geared toward public input so anyone who has had experience working with any IDS/IPS system can contribute ideas that they would like to see built in to this new system. The following working groups have been created:

IP Reputation
Non-Standard Acceleration
Rules Language
DDoS/Portscan
Configuration Language

PEiD Snort Signature Update

Even though I have already created a better way for detecting binary packers on the network with npeid, and extracting them from pcaps, there are still many IDS rules that will look for popular binary packers. My previous script was flawed as were my rules. I have created a new python script called snortRand.py which generates the content for a signature and calculates the distance and within.

Example:

famousjs@youbantoo:~/peid2snort$ ./snortRand.py "60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB"

content: "|60BE|"; content: "|8DBE|"; distance: 4; within: 6; content: "|5783CDFFEB109090909090908A064688074701DB75078B1E83EEFC11DB72EDB80100000001DB75078B1E83EEFC11DB11C001DB|"; distance: 4; within: 55;
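As an added example, not the snortRand.py script itself, here is a Python function that performs the same conversion: it splits the PEiD signature on ?? wildcards, emits one content per run of fixed bytes, and derives distance (the number of wildcard bytes skipped) and within (that gap plus the byte length of the next content) exactly as the output above shows. Dropping leading and trailing wildcards and raising ValueError on malformed tokens are my assumptions.

```python
# Constructed input: the PEiD-style signature from the example above.
SIGNATURE_FROM_POST = ("60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 10 90 90 90 90 90 90 "
                       "8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 "
                       "01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB")


def peid_to_snort(signature):
    """Convert a PEiD-style hex signature into snort content/distance/within options.
    Each run of fixed bytes becomes one content:"|..|"; a wildcard run between two
    fixed runs becomes distance = number of ?? tokens and within = that gap + the byte
    length of the following content. Assumptions: leading/trailing wildcards are
    dropped (no offset is emitted) and any token other than ?? or two hex digits
    raises ValueError."""
    runs = []                    # (hex string, wildcard bytes before it)
    fixed, gap = [], 0
    for tok in signature.split():
        if tok == '??':
            if fixed:            # a wildcard closes the current run of fixed bytes
                runs.append((''.join(fixed), gap))
                fixed, gap = [], 0
            gap += 1
        elif len(tok) == 2 and all(ch in '0123456789abcdefABCDEF' for ch in tok):
            fixed.append(tok.upper())
        else:
            raise ValueError('unsupported token %r' % tok)
    if fixed:
        runs.append((''.join(fixed), gap))

    options = []
    for i, (hexstr, gap_before) in enumerate(runs):
        options.append('content: "|%s|"' % hexstr)
        if i > 0:                # the first content is absolute, the rest are relative
            options.append('distance: %d' % gap_before)
            options.append('within: %d' % (gap_before + len(hexstr) // 2))
    return ' '.join(opt + ';' for opt in options)


if __name__ == '__main__':
    print(peid_to_snort(SIGNATURE_FROM_POST))
```

The within value is the tightest window that still allows the match: any smaller value than gap plus content length can never be satisfied, which is the kind of off-by-one that made the earlier rules unreliable.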
