Rule2Alert Update

There has been an update to the Rule2Alert SVN. The main changes are listed below, along with a few minor ones:

Updates
===========

*Improved Detection Rate

*Testing new RevRegex library

*Evasion technique 1 added

*HTTP Cookie Support

*ACK packet added to acknowledge payload packet

*Both TCP MSS and Window Size set to length of payload

Future Work
===========

*Support for byte_test, byte_jump, isdataat

*DCE/RPC protocol support

With these new updates, Rule2Alert has an 88.5% alert rate on the rules that load successfully from emerging-all.rules, as seen in the image below:

This improved detection rate comes from the updates recently pushed to Rule2Alert. The added evasion technique is the altered ACK packet within the TCP 3-way handshake that was discussed here and originally here. The technique is shown below using Rule2Alert:

test.rule
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT ACTIVEX iDefense COMRaider ActiveX Control Arbitrary File Deletion"; flow:to_client,established; content:"clsid"; nocase; content:"9A077D0D-B4A6-4EC0-B6CF-98526DF589E4"; nocase; distance:0; pcre:"/(DeleteFile|write)/i"; classtype:web-application-attack; reference:bugtraq,33867; reference:bugtraq,33942; reference:url,doc.emergingthreats.net/2009187; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_iDefense_COMRaider; sid:2009187; rev:4;)

This image does not use the evasion technique

The following image uses the first evasion technique

As seen in the images above, Snort still fires the alert even when the evasion technique is applied. The stream5 policy in effect prevents the evasion from taking hold, so with my current Snort setup Snort still detects the traffic despite the altered handshake.

Rule2Alert, using the newly adopted RevRegex library linked above, still cannot handle very complicated pcres. The example below is one where Rule2Alert handles the pcre and also uses the HTTP template.

test.rule
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN XPantivirus2008 Download"; flow:to_server,established; content:"GET "; depth:4; uricontent:"XPantivirus20"; nocase; pcre:"/XPantivirus20\d{2}_v\d{6}\.exe/Ui"; classtype:trojan-activity; reference:url,www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/page4.html; reference:url,seo.mhvt.net/blog/?p=390; reference:url,virscan.org/report/a61cd44fc387188da2ee3fbdeda10782.html; reference:url,doc.emergingthreats.net/2008516; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_XPAntivirus; sid:2008516; rev:3;)

As seen in the image above, Rule2Alert changes the statement:

pcre:"/XPantivirus20\d{2}_v\d{6}\.exe/Ui";

into...

uricontent:"XPantivirus2000_v000000.exe";

Rule2Alert creates a default HTTP template for the packet and fills in the blanks: the uricontent value (here the string generated from the pcre, with each \d rendered as the digit 0 and \. as a literal dot) becomes the request URI, and the content:"GET "; supplies the HTTP method.
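The following is an added example, written for this post and not code from Rule2Alert or from the RevRegex library, of the two steps just described: turning a pcre into one concrete string, and filling a default HTTP request template from the rule's content/uricontent/pcre options. It goes a little beyond the single rule shown above (groups with alternation, character classes, the ? * + {n} {n,m} quantifiers) so it also covers the (DeleteFile|write) pcre from the first rule. Assumptions, labelled in the code: \d is rendered as 0 (which reproduces the XPantivirus2000_v000000.exe shown above), overlapping URI fragments are merged so the shorter uricontent is absorbed by the longer pcre string, and the Host and User-Agent header values are constructed filler. The sample rule is the sid 2008516 rule quoted above with its reference: options dropped.

```python
import re

# Constructed sample: the Emerging Threats rule quoted in the post (sid 2008516), minus reference: options.
SAMPLE_RULE = (
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN XPantivirus2008 Download"; '
    r'flow:to_server,established; content:"GET "; depth:4; uricontent:"XPantivirus20"; nocase; '
    r'pcre:"/XPantivirus20\d{2}_v\d{6}\.exe/Ui"; classtype:trojan-activity; sid:2008516; rev:3;)'
)
_CLASS_CHAR = {"d": "0", "w": "a", "s": " "}   # assumption: \d -> "0" reproduces the post's output
_OPTION = re.compile(r'\s*(\w+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;')   # name[:value]; with quoted values


class _RevRegex:
    """One short string matching a PCRE subset: literals, escaped metacharacters, \\d \\w \\s,
    [..] classes (not negated), (a|b) groups and ? * + {n} {n,m}. Minimum repetitions are
    used and the first alternative of a group wins. This is not the RevRegex library."""

    def __init__(self, pattern):
        self.p, self.i = pattern, 0

    def peek(self):
        return self.p[self.i] if self.i < len(self.p) else None

    def alternation(self):
        first = self.sequence()
        while self.peek() == "|":                    # parse and discard the other branches
            self.i += 1
            self.sequence()
        return first

    def sequence(self):
        out = []
        while self.peek() not in (None, "|", ")"):
            out.append(self.atom() * self.quantifier())
        return "".join(out)

    def atom(self):
        c, self.i = self.p[self.i], self.i + 1
        if c == "(":
            self.i += 2 if self.p.startswith("?:", self.i) else 0   # (?: is a non-capturing group
            s = self.alternation()
            if self.peek() != ")":
                raise ValueError("unbalanced group")
            self.i += 1
            return s
        if c == "[":
            return self.char_class()
        if c == "\\":
            e, self.i = self.p[self.i], self.i + 1
            return _CLASS_CHAR.get(e, e)             # \d -> "0", \. -> "."
        return {".": "a", "^": "", "$": ""}.get(c, c)   # "." -> any char; anchors add nothing

    def char_class(self):
        if self.peek() == "^":
            raise ValueError("negated classes are not supported")
        members = set()
        while self.peek() not in (None, "]"):
            lo, self.i = self.p[self.i], self.i + 1
            if lo == "\\":                           # escaped member such as [\d.]
                lo, self.i = _CLASS_CHAR.get(self.p[self.i], self.p[self.i]), self.i + 1
            hi = lo
            if self.peek() == "-" and self.p[self.i + 1:self.i + 2] not in ("", "]"):
                hi, self.i = self.p[self.i + 1], self.i + 2   # range such as a-z
            members.update(map(chr, range(ord(lo), ord(hi) + 1)))
        if self.peek() != "]" or not members:
            raise ValueError("bad character class")
        self.i += 1
        return min(members)

    def quantifier(self):
        c = self.peek()
        m = re.match(r"\{(\d+)(?:,\d*)?\}", self.p[self.i:]) if c == "{" else None
        if c in ("?", "*", "+"):
            self.i, n = self.i + 1, (1 if c == "+" else 0)
        elif m:
            self.i, n = self.i + m.end(), int(m.group(1))   # lower bound is enough to match
        else:
            return 1
        if self.peek() == "?":                       # lazy marker: same minimal string
            self.i += 1
        return n


def reverse_regex(pattern):
    """Return one string the pattern matches; ValueError on unsupported syntax."""
    gen = _RevRegex(pattern)
    s = gen.alternation()
    if gen.i != len(pattern):
        raise ValueError("unexpected %r at offset %d" % (pattern[gen.i], gen.i))
    return s


def split_pcre(value):
    """Split a pcre option value such as "/regex/Ui" into ("regex", "Ui")."""
    body = value.strip().strip('"')
    end = body.rindex(body[0])
    return body[1:end], body[end + 1:]


def parse_options(rule):
    """(name, value) pairs from the (...) body of a Snort rule; quoted values keep their quotes."""
    return _OPTION.findall(rule[rule.index("(") + 1:rule.rindex(")")])


def rule_to_http_request(rule, host="www.example.com"):
    """Fill a default HTTP request template from content, uricontent and /U pcre options
    (my reconstruction of the step the post describes; /U means match on the normalized URI).
    Overlapping URI fragments are merged, so uricontent:"XPantivirus20" is absorbed by the pcre string."""
    method, uri, checks = "GET", "", []
    for name, val in parse_options(rule):
        v = val.strip('"')
        if name == "content" and v.strip() in ("GET", "POST", "HEAD"):
            method = v.strip()
            continue
        if name == "pcre":
            regex, flags = split_pcre(val)
            if "U" not in flags:                     # only /U pcres constrain the URI
                continue
            checks.append((regex, re.I if "i" in flags else 0))
            v = reverse_regex(regex)
        elif name != "uricontent":
            continue
        if v not in uri:
            uri = v if uri in v else uri + v
    for regex, flags in checks:                      # the URI we built must satisfy every /U pcre
        if not re.search(regex, uri, flags):
            raise ValueError("generated URI does not match %r" % regex)
    return (f"{method} /{uri} HTTP/1.1\r\nHost: {host}\r\n"            # constructed header filler
            f"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\nConnection: close\r\n\r\n")
```

Running rule_to_http_request(SAMPLE_RULE) yields a request whose first line is GET /XPantivirus2000_v000000.exe HTTP/1.1, and the final re.search check is the part worth keeping in any generator: it proves the payload you are about to send actually satisfies the rule's own pcre before you blame the sensor for a miss.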