Techniques of Network Attacks and Defenses
Categories of Network Security Devices
▶ Firewall
▶ Virtual Private Network (VPN)
▶ Intrusion Detection System (IDS)
▶ Anti-virus Gateway
▶ Anti-spam/phishing System
▶ Web Application Firewall (WAF)
▶ Application Control System
▶ Content Filtering System
▶ Data Leak Prevention
▶ Unified Threat Management (UTM)
▶ Security Information and Event Management (SIEM)
Firewall
▶ Sit between internal and external networks to decide what kinds of traffic should be allowed and denied
▶ Network-based or host-based
[Figure: a firewall sits between the external network (where the bad guy is) and the internal network (where the good guy is); a DMZ behind the firewall hosts the public server, and the internal server sits in the internal network]
Packet-filtering firewall
Act as a packet filter
▶ Set up an access control list (ACL)
▶ Filter packets according to the rules with multiple fields
Example of ACL
Action | Src addr. | Dest addr. | Protocol | Src port | Dest port | Control bit
allow  | internal  | external   | TCP      | any      | 80        | any
allow  | external  | internal   | TCP      | 80       | >1023     | ACK
deny   | all       | all        | all      | all      | all       | all
▶ The filtering is based on the fields of individual packets only. No flow state is kept.
▶ Any packet from the external network with src port == 80, dest port > 1023 and the ACK bit set is permitted into the internal network, even when it is not part of an established connection.
Stateful firewall
Features
▶ Remember what has happened in previous packets, e.g., flow tracking, so that reply traffic can be allowed automatically.
▶ Make the decision also based on memory of flow tracking.
Example of flow-tracking table
Src addr.  | Dst addr.   | Src port | Dst port | timeout (s)
10.1.1.20  | 10.34.12.11 | 45678    | 80       | 60
10.1.1.34  | 10.22.11.45 | 53222    | 80       | 40
▶ State table updated dynamically in real time
▶ Only packets in an established connection can enter.
▶ Extra memory needed, e.g., 1GB RAM for 100,000 entries in the pfSense firewall
Stateful firewall (cont.)
What flows can be memorized besides TCP flows?
▶ UDP/ICMP flow: allow incoming UDP/ICMP packets only if there was a matching outgoing packet.
▶ FTP flow: allow the FTP data connection only if a matching FTP command connection has been established.
Stateless vs. Stateful
▶ Stateless: less complex, easier to implement, but may be insecure
▶ Stateful: more complex, harder to implement, but more secure
Efficiency in rule matching
▶ Basically need a fast packet classification algorithm
▶ With ASIC implementation for high-speed firewall
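The stateless-versus-stateful distinction on the two firewall slides above, as an added example (not code from the slides): the packet-filtering ACL of the earlier slide and a flow table with a timeout, both applied to the same constructed packets. The internal network is assumed to be 10.1.1.0/24 for this example; the packet dicts, the `StatefulFilter` class and the sample traffic are this example's own.

```python
# Added example (not from the slides): a stateless filter driven by the
# slide's ACL next to a stateful filter with the slide's flow table, applied
# to the same constructed packets. 10.1.1.0/24 is assumed to be the internal
# network; everything else counts as external.
import ipaddress
from dataclasses import dataclass, field

INTERNAL_NET = ipaddress.ip_network("10.1.1.0/24")  # assumption for this example

def zone(addr):
    return "internal" if ipaddress.ip_address(addr) in INTERNAL_NET else "external"

# The ACL from the slide: action, src zone, dst zone, protocol, src port, dst port, control bit.
ACL = [
    ("allow", "internal", "external", "TCP", "any", 80, "any"),
    ("allow", "external", "internal", "TCP", 80, ">1023", "ACK"),
    ("deny", "all", "all", "all", "all", "all", "all"),
]

def port_matches(rule_port, port):
    if rule_port in ("any", "all"):
        return True
    if isinstance(rule_port, str) and rule_port.startswith(">"):
        return port > int(rule_port[1:])
    return port == rule_port

def stateless_decide(pkt):
    """First matching ACL rule wins; only the packet's own fields are consulted."""
    for action, src, dst, proto, sport, dport, bit in ACL:
        if src not in ("all", zone(pkt["src"])) or dst not in ("all", zone(pkt["dst"])):
            continue
        if proto not in ("all", pkt["proto"]):
            continue
        if not (port_matches(sport, pkt["sport"]) and port_matches(dport, pkt["dport"])):
            continue
        if bit not in ("any", "all") and bit not in pkt["flags"]:
            continue
        return action
    return "deny"

@dataclass
class StatefulFilter:
    """Flow table as on the slide: (src, dst, sport, dport) -> expiry time."""
    timeout: int = 60
    table: dict = field(default_factory=dict)

    def decide(self, pkt, now):
        self.table = {k: t for k, t in self.table.items() if t > now}  # expire old entries
        key = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"])
        if zone(pkt["src"]) == "internal":
            self.table[key] = now + self.timeout   # remember the outgoing flow
            return "allow"
        reverse = (pkt["dst"], pkt["src"], pkt["dport"], pkt["sport"])
        if reverse in self.table:
            self.table[reverse] = now + self.timeout  # reply to a known flow: refresh it
            return "allow"
        return "deny"  # inbound packet that belongs to no established connection

def compare(pkts):
    """(stateless verdict, stateful verdict) per packet; packets arrive one second apart."""
    sf = StatefulFilter()
    return [(stateless_decide(p), sf.decide(p, now)) for now, p in enumerate(pkts)]

def tcp(src, dst, sport, dport, *flags):
    return {"src": src, "dst": dst, "proto": "TCP", "sport": sport, "dport": dport, "flags": set(flags)}

# Constructed traffic: a web request and its reply, then an unsolicited packet
# shaped like a reply (src port 80, dst port > 1023, ACK set) and a UDP packet.
SAMPLE = [
    tcp("10.1.1.20", "10.34.12.11", 45678, 80, "SYN"),
    tcp("10.34.12.11", "10.1.1.20", 80, 45678, "SYN", "ACK"),
    tcp("10.34.12.11", "10.1.1.99", 80, 40000, "ACK"),
    {"src": "10.34.12.11", "dst": "10.1.1.99", "proto": "UDP", "sport": 53, "dport": 40000, "flags": set()},
]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, compare(SAMPLE)):
        print(p["src"], "->", p["dst"], p["proto"], p["sport"], p["dport"], verdict)
```

The third packet is the case the ACL slide warns about: the stateless filter accepts it because its fields satisfy the second rule, while the stateful filter rejects it because no outgoing flow to 10.1.1.99:40000 was ever recorded. Once an entry times out, the reply is rejected as well, which is why the timeout column exists.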
Proxy-based firewall
Differences from other types of firewall
▶ Act as a proxy between client and server
▶ Two connections established: one from client to firewall and the other from firewall to server
Features
▶ Easier to inspect and filter traffic in the application layer, e.g., for web applications or even TLS traffic
▶ Limited protocol support (good for security, but bad for diverse applications)
▶ A potential performance bottleneck (will maintain many connections in a large environment)
Example: Netfilter in Linux
[Figure: Netfilter components (Jan Engelhardt, last updated 2014-02-28, initial 2008-06-17). Userspace tools: arptables, ebtables, ip6tables, iptables, nft and iptables-nftables, ulogd2, custom nf_queue consumers. Netfilter kernel components: Xtables (arptables filter; ebtables nat/filter/broute; ip6tables and iptables raw/mangle/filter and nat) and nf_tables on top of the Netfilter hook API; the NAT engine; connection tracking (conntrack with L3/4 trackers and L7 helpers); logging via nf_log; queueing via nf_queue; all attached between the network stack/hardware and other networking components such as bridging.]
source: By Jan Engelhardt - Own work, Origin SVG PNG, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=7294051
Netfilter hooks
▶ Refers to a specific stage of the packet while it's being processed through the kernel.
▶ Can register a callback function for additional processing at that stage
▶ Six hooks in the Linux kernel:
  ingress -> prerouting -> (routing decision) -> input -> local process -> output -> (routing decision) -> postrouting
  ingress -> prerouting -> (routing decision) -> forward -> postrouting
*The ingress hook was added for nftables in Linux kernel v4.2 for filtering L2 packets.
nftables
nftables: the new packet classification framework that replaces the existing {ip,ip6,arp,eb}tables infrastructure.
nft command: the command line tool to interact with nftables from userspace.
tables: family refers to one of the following table types: ip, arp, ip6, bridge, inet, netdev.
chains: type refers to the kind of chain to be created. hook refers to a specific stage of the packet while it's being processed through the kernel. A chain also has a priority and a policy.
rules: handle is an internal number that identifies a certain rule. position is an internal number that is used to insert a rule before a certain handle.
nftables (cont.)
Type of chain
▶ filter: Supported by arp, bridge, ip, ip6 and inet table families
▶ route: Mark packets (like mangle for the output hook; for other hooks use the type filter instead), supported by ip and ip6
▶ nat: In order to perform Network Address Translation, supported by ip and ip6.
Hook
▶ The hooks for ip, ip6 and inet families are: prerouting, input, forward, output, postrouting.
▶ The hooks for arp family are: input, output.
▶ The bridge family handles ethernet packets traversing bridge devices.
▶ The hook for netdev is: ingress.
nft command: example
# nft list ruleset
# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=115 time=9.59 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=115 time=11.3 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 9.593/10.423/11.253/0.830 ms
# nft add table inet my_table
# nft add chain inet my_table my_filter_chain { type filter hook
input priority 0 \; }
# nft list ruleset
table inet my_table {
chain my_filter_chain {
type filter hook input priority filter; policy accept;
}
}
nft command: example (cont.)
# nft add rule inet my_table my_filter_chain ip saddr 8.8.8.8 counter drop
# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1003ms
# nft list ruleset
table inet my_table {
chain my_filter_chain {
type filter hook input priority filter; policy accept;
ip saddr 8.8.8.8 counter packets 2 bytes 168 drop
}
}
# nft flush table inet my_table
# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=115 time=9.38 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=115 time=11.8 ms
^C
More examples of nft commands
▶ reject traffic coming to the local machine which was not originated from us
  nft add rule filter input ct state new reject
▶ log and accept incoming ssh traffic
  nft add rule filter input tcp dport 22 ct state new log prefix \"New SSH connection: \" accept
▶ accept a maximum of 10 ICMP echo-request packets per second
  nft add rule filter input icmp type echo-request limit rate 10/second accept
▶ match all traffic from the 192.168.1.0/24 network to the interface eth0; the IPv4 address 1.2.3.4 is used as source for the packets that match this rule
  nft add rule nat postrouting ip saddr 192.168.1.0/24 oif eth0 snat 1.2.3.4
See more examples on wiki.nftables.org and the syntax of nft in nft(8).
Virtual private network
What is VPN?
Building private point-to-point communication across a public network, so that users can communicate over the public network as if the communication were over the private network.
▶ Allow remote users to access internal resources (in private networks) securely.
▶ For site-to-site communication between intranets.
▶ Bypass geo-blocking or censorship, or stay anonymous on the Internet.
Common VPN protocols
▶ L2TP, IPSec
▶ TLS/SSL
▶ WireGuard
IPSec: Authentication Header (AH)
Provide data integrity with a hash function and a shared secret key (also guarantee the data origin).
source: kkc.github.io/2018/03/21/IPSEC-note
IPSec: Authentication Header Format
 0               8               16                             31
+---------------+---------------+-------------------------------+
|  Next Header  | Payload Length|           Reserved            |
+---------------+---------------+-------------------------------+
|                Security Parameters Index (SPI)                |
+---------------------------------------------------------------+
|                        Sequence Number                        |
+---------------------------------------------------------------+
|                  Integrity Check Value (ICV)                  |
|                             · · ·                             |
+---------------------------------------------------------------+
▶ Next Header: the upper-layer protocol
▶ Payload Length: length of this header in 4-byte units, minus 2
▶ SPI: to identify the security association of the receiving party
▶ Sequence Number: a monotonic strictly increasing sequence number to prevent replay attacks
▶ ICV: integrity check of this packet (by secure hash function)
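The AH layout above, as an added example (not code from the slides): a parser for the fixed 12-byte part of the header that applies the "Payload Length is in 4-byte units, minus 2" rule to find the ICV, paired with the sliding anti-replay check that the Sequence Number field exists to support. The packets are constructed by hand, the ICV is treated as opaque (no key or HMAC is computed), and the window size and class names are this example's own; the window logic is a simplified form of the RFC 4302 receiver check.

```python
# Added example (not from the slides): parse the fixed part of an IPsec AH
# header with the layout shown above, and apply the anti-replay check that the
# Sequence Number field exists for. Header bytes are constructed by hand; the
# ICV is treated as opaque (no key is involved here).
import struct

AH_FIXED = struct.Struct("!BBHII")  # Next Header, Payload Length, Reserved, SPI, Sequence Number

def parse_ah(data):
    """Return the AH fields as a dict; the ICV length follows from Payload Length."""
    if len(data) < AH_FIXED.size:
        raise ValueError("truncated AH header")
    next_hdr, payload_len, _reserved, spi, seq = AH_FIXED.unpack_from(data)
    # Payload Length counts 4-byte units minus 2, so the whole header is
    # (payload_len + 2) * 4 bytes and the ICV fills everything after the 12 fixed bytes.
    total_len = (payload_len + 2) * 4
    if len(data) < total_len:
        raise ValueError("AH header shorter than Payload Length claims")
    return {"next_header": next_hdr, "payload_length": payload_len,
            "header_bytes": total_len, "spi": spi, "seq": seq,
            "icv": data[AH_FIXED.size:total_len], "payload": data[total_len:]}

def build_ah(next_hdr, spi, seq, icv, payload=b""):
    """Inverse of parse_ah; AH pads the ICV to a multiple of 4 bytes, so require that here."""
    if len(icv) % 4:
        raise ValueError("ICV must be 32-bit aligned")
    payload_len = (AH_FIXED.size + len(icv)) // 4 - 2
    return AH_FIXED.pack(next_hdr, payload_len, 0, spi, seq) + icv + payload

class ReplayWindow:
    """Sliding anti-replay window (simplified from RFC 4302): accept a sequence
    number only if it is new and not older than the window below the highest seen."""
    def __init__(self, size=64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.seen = set()   # accepted numbers still inside the window

    def check(self, seq):
        if seq == 0:
            return False                      # 0 is never valid on a fresh SA
        if seq > self.top:
            self.top = seq                    # window slides forward
        elif seq <= self.top - self.size:
            return False                      # too old: fell out of the window
        if seq in self.seen:
            return False                      # duplicate: a replay
        self.seen.add(seq)
        self.seen = {s for s in self.seen if s > self.top - self.size}
        return True

def receive(packets, window=None):
    """Parse each AH packet and return the sequence numbers that pass the replay check."""
    window = window or ReplayWindow()
    accepted = []
    for raw in packets:
        hdr = parse_ah(raw)
        if window.check(hdr["seq"]):
            accepted.append(hdr["seq"])
    return accepted

# Constructed stream: a 12-byte ICV (the size HMAC-SHA1-96 produces), with
# sequence number 2 delivered twice and one number far behind the window.
ICV = bytes(range(12))
STREAM = [build_ah(6, 0x1001, s, ICV, b"tcp") for s in (1, 2, 3, 2, 100, 30)]

if __name__ == "__main__":
    print(parse_ah(STREAM[0]))
    print("accepted:", receive(STREAM))
```

With a 12-byte ICV the Payload Length field is 4: (12 + 12) / 4 - 2. Of the six constructed packets only 1, 2, 3 and 100 are accepted; the second copy of 2 is a replay, and 30 is rejected because it lies more than 64 below the highest number already seen.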
IPSec: Encapsulation Security Payload (ESP)
Provide confidentiality, authentication, and integrity.
source: kkc.github.io/2018/03/21/IPSEC-note
IPSec: ESP Packet Format
 0               8               16              24             31
+---------------------------------------------------------------+
|                Security Parameters Index (SPI)                |
+---------------------------------------------------------------+
|                        Sequence Number                        |
+---------------------------------------------------------------+
|                         Payload data*                         |
+---------------------------------------------------------------+
|                     Padding (0-255 octets)                    |
+-------------------------------+---------------+---------------+
|                               |  Pad Length   |  Next Header  |
+-------------------------------+---------------+---------------+
|                  Integrity Check Value (ICV)                  |
|                             · · ·                             |
+---------------------------------------------------------------+
*from the original IP packet
Internet Security Association and Key Management Protocol (ISAKMP)
Purpose
▶ For establishing security associations (SA) and cryptographic keys
▶ Can work with a key exchange protocol like Internet Key Exchange (IKE)
Security association (SA)
Establishment of shared security attributes between two network entities, such as cryptographic algorithm and mode, and encryption parameters and keys. An SA is one-way (i.e., one SA for each direction).
Diffie-Hellman Key Exchange Protocol
Alice
1. Randomly selects a positive number X_A < p (private)
2. Sends Y_A = a^X_A mod p to Bob (public; a is also public)
3. Computes K_A = Y_B^X_A mod p as Alice's secret key, where Y_B is the string sent from Bob
Bob
1. Randomly selects a positive number X_B < p (private)
2. Sends Y_B = a^X_B mod p to Alice (public; a is also public)
3. Computes K_B = Y_A^X_B mod p as Bob's secret key, where Y_A is the string sent from Alice
Alice and Bob share the same secret key K = K_A = K_B.
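The exchange above carried out end to end, as an added example (not code from the slides): both parties pick a private exponent, publish a^X mod p, and arrive at the same K. The group parameters are generated at run time rather than taken from a standard, so the prime size is a toy 128 bits chosen to keep the search fast; the generator is 4, a square, so that it generates the prime-order subgroup of the safe prime. The Miller-Rabin test, the safe-prime search and the `Party` class are this example's own.

```python
# Added example (not from the slides): Diffie-Hellman as described on the
# slide, with the steps numbered as there. The safe prime p = 2q + 1 is
# searched for at run time at a toy size (128 bits) so the example runs in
# well under a second; a real deployment uses a standard 2048-bit-or-larger group.
import secrets

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]

def is_probable_prime(n, rounds=32):
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    for sp in [2] + SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_safe_prime(bits):
    """Find p = 2q + 1 with both p and q prime; squares mod p then have prime order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1   # odd, exactly bits-1 long
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1

class Party:
    """One side of the exchange; holds the private X and publishes Y = a^X mod p."""
    def __init__(self, name, p, a):
        self.name, self.p, self.a = name, p, a
        self.x = secrets.randbelow(p - 2) + 1   # step 1: random positive X < p (private)
        self.y = pow(a, self.x, p)              # step 2: Y = a^X mod p (public)

    def shared_key(self, peer_y):
        return pow(peer_y, self.x, self.p)      # step 3: K = Y_peer^X mod p

def dh_exchange(p, a):
    """Run the exchange; returns (Y_A, Y_B, K_A, K_B). Only p, a, Y_A and Y_B cross the wire."""
    alice, bob = Party("Alice", p, a), Party("Bob", p, a)
    return alice.y, bob.y, alice.shared_key(bob.y), bob.shared_key(alice.y)

if __name__ == "__main__":
    p = gen_safe_prime(128)
    y_a, y_b, k_a, k_b = dh_exchange(p, 4)
    print("p =", p)
    print("Y_A =", y_a)
    print("Y_B =", y_b)
    print("keys agree:", k_a == k_b)
```

Everything an observer on the path sees is p, a, Y_A and Y_B; recovering K from those is the discrete logarithm problem, which is why the private exponents never leave their owners. The same code works unchanged with a standard group such as the RFC 3526 primes, which is what IKE actually uses.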
TLS ≤ 1.2 handshake protocol: full handshake
Client -> Server: ClientHello
Server -> Client: ServerHello, Certificate*, ServerKeyExchange*, CertificateRequest*, ServerHelloDone
    (DH: server generates an ephemeral key)
Client -> Server: Certificate*, ClientKeyExchange, CertificateVerify*, [ChangeCipherSpec], Finished
    (DH: client generates an ephemeral key; RSA: client picks a random premaster secret)
    (DH: both sides generate the shared secret; RSA: server decrypts the premaster secret)
Server -> Client: [ChangeCipherSpec], Finished
Client <-> Server: Application data (secure session)
*: may not be present in all ciphersuites. [. . .]: sent over the TLS alert protocol. single arrow: plaintext flows, double arrow: encrypted flows
TLS 1.3 handshake protocol: full handshake
Client -> Server: ClientHello (key share, pre shared key, . . .)
Server -> Client: ServerHello (key share, pre shared key, . . .)
    (both sides generate the handshake traffic key)
Server -> Client: Encrypted extensions, CertificateRequest*, Certificate*, CertificateVerify*, Finished, Application data*
    (both sides generate the application traffic key)
Client -> Server: Certificate*, CertificateVerify*, Finished
Client <-> Server: Application data
*: may not be present in all ciphersuites. single line: plaintext flows, double line: encrypted flows (HS key), triple line: encrypted flows (AP key)
WireGuard VPN application/protocol
▶ A new open-source VPN application/protocol
▶ Just around 4000 lines of kernel code as a module on Linux/FreeBSD, much smaller than OpenVPN
▶ High performance and power saving
Key features of the protocol
▶ Connectionless (UDP only)
▶ Curve25519 (an ECC curve) for key exchange (by ECDH)
▶ ChaCha20 for encryption
▶ Poly1305 for data authentication (by message authentication code)
▶ SipHash for hashtable keys
▶ BLAKE2s for hashing
Intrusion Detection System (IDS)
Firewall rules are basically policy-based
▶ What IP addresses/ports are allowed?
▶ What application content is allowed?
Requirements of IDS
▶ Do incoming/outgoing packets carry an intrusion?
▶ Are there suspicious activities on a system?
Types of IDS
▶ Network IDS (NIDS): deployed on the border of networks
▶ Host IDS (HIDS): deployed on a host
Detection and reaction in IDS
Table: Detection method
          | Misuse                                                  | Anomaly
Idea      | See whether the traffic/log has known signs of misbehavior | See whether an anomaly occurs in traffic/log (What is normal?)
Method by | Manually crafted rules                                  | Statistical approach or machine learning
Pros      | Can find known misbehavior efficiently                  | Can detect unknown or complicated misbehavior
Cons      | Ineffective for new misbehavior (false negative)        | Probably many false positives
Reaction to misbehavior
▶ Log alerts or packets
▶ Block packets, processes or activities (known as Intrusion Prevention System, IPS)
▶ Detection or prevention?
General flow of NIDS
Packet capture from the network
  -> Packet decoding / Preprocessing* / Protocol parsing
  -> Detection engine
  -> Detection output
*preprocessing: packet reassembly, connection state tracking, etc.
Suricata NIDS
Features
▶ Open-source network intrusion detection/prevention system
▶ Network security monitoring
▶ Offline PCAP file analysis
▶ Support TCP session tracking and target-based packet reassembly
▶ A lot of protocol parsers
▶ Rule-based detection, but also support Lua scripting and IP reputation
▶ Support many logging formats
▶ Support multi-threading
Suricata rules
Example
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Clydesdale Bank Phish 2020-12-30"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"uzername="; depth:9; nocase; fast_pattern; content:"&ip="; nocase; distance:0; content:"&ua="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2031468; rev:2; metadata:created_at 2020_12_30, former_category PHISHING, updated_at 2020_12_30;)
source: rules.emergingthreats.net/open/suricata-5.0/emerging-all.rules
Principle of rule design
▶ Should be generalized enough to describe as many exploits for a vulnerability as possible, rather than a specific exploit (i.e., hard to evade).
Zeek NIDS
Features
▶ Fully passive traffic analysis off a network tap or monitoring port (good for network security monitoring)
▶ Cluster support for large-scale deployments
▶ Unified management framework for operating both standalone and cluster setups
▶ A lot of protocol parsers
▶ Scripting language with an event-based programming model
▶ Powerful tracking and managing of network state over time
▶ Comprehensive logging of activity for offline analysis and forensics
Zeek scripts
Example
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string) &priority=5
    {
    if ( ! c?$http_state )
        {
        local s: State;
        c$http_state = s;
        Conn::register_removal_hook(c, finalize_http);
        }
    ++c$http_state$current_request;
    set_state(c, T);
    c$http$method = method;
    c$http$uri = unescaped_URI;
    if ( method !in http_methods )
        Reporter::conn_weird("unknown_HTTP_method", c, method);
    }
OSSEC HIDS
Features
▶ Scalable, multi-platform, open source HIDS
▶ Actively monitor and analyze data from multiple log sources in real time
▶ Process and file level analysis to detect malicious applications and rootkits
▶ Respond to attacks and changes on the system in real time
▶ Application and system level auditing for compliance with common standards such as PCI-DSS
▶ Detect changes of files and registry settings on the system. Also maintain a forensic copy of the data as it changes over time.
▶ Collect system information, such as installed software, hardware, utilization, network services and listeners
Detection by signatures
▶ Generally implemented by deep packet inspection (DPI)
▶ Involves protocol parsing and multiple string matching, compared with longest prefix matching on routers and multi-field classification on firewalls
▶ Representation of signatures: fixed string vs. regular expression, usually along with contextual info such as "within certain protocol fields"
▶ Types of regular expression
  • Basic regular expression: .at matches any three-character string ending with "at".
  • Extended regular expression: [hc]?at matches "at", "hat", and "cat".
  • Perl compatible regular expression: \d+.\d+.\d+.\d+ matches one or more digits divided by three separate dots.
▶ Common signature-matching algorithm: Aho-Corasick algorithm (based on finite automaton)
Aho-Corasick algorithm
To match {hers, his, she}, set up a deterministic finite automaton (DFA).
▶ Implement a transition table and a failure function
▶ Given the current state and one input character, get the next state
▶ failure function: next state to go to if the input is not in the transition table
[Figure: DFA with states 0-9. From state 0: h -> 1, e -> 2, r -> 8, s -> 9 (hers); from state 1: i -> 6, s -> 7 (his); from state 0: s -> 3, h -> 4, e -> 5 (she); state 0 loops on ¬{h, s}]
During match: state transition in the DFA.
Aho-Corasick algorithm (cont.)
Advantages
▶ Deterministic linear execution time (no matter how many strings are to be matched simultaneously)
▶ Support of regular expressions (a mapping between regular expression and DFA exists)
Disadvantages
▶ Consumes a lot of memory space if the data structure of the transition table is not compressed. (how to compress? Non-deterministic FA (NFA)?)
▶ A large transition table cannot fit into the CPU cache (slower execution).
▶ Looks up only one character at a time (what if looking up multiple characters at a time?)
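The automaton of the two Aho-Corasick slides above, as an added example (not code from the slides): the goto (transition) table, the failure function and the output sets are built for the slide's pattern set {hers, his, she}, and `search` then reads each input character exactly once, which is where the deterministic linear running time comes from. `to_dfa` materialises the full table the slide draws, one entry per (state, character), which also makes visible the memory cost the disadvantages slide describes. Class and method names are this example's own.

```python
# Added example (not from the slides): an Aho-Corasick matcher for the slide's
# pattern set {hers, his, she}, with the goto table, failure function and
# output sets built explicitly and a search that reads each character once.
from collections import deque

class AhoCorasick:
    def __init__(self, patterns):
        self.goto = [{}]       # state -> {character: next state}
        self.fail = [0]        # failure function: state -> fallback state
        self.out = [set()]     # patterns that end in each state
        for pat in patterns:
            self._add(pat)
        self._build_failure()

    def _add(self, pat):
        """Insert one pattern as a path from the root (trie construction)."""
        state = 0
        for ch in pat:
            if ch not in self.goto[state]:
                self.goto.append({})
                self.fail.append(0)
                self.out.append(set())
                self.goto[state][ch] = len(self.goto) - 1
            state = self.goto[state][ch]
        self.out[state].add(pat)

    def _build_failure(self):
        """Breadth-first pass: each state falls back to the longest proper suffix
        of its path that is also a prefix of some pattern; outputs are inherited."""
        queue = deque(self.goto[0].values())   # depth-1 states fail to the root
        while queue:
            r = queue.popleft()
            for ch, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(ch, 0)
                self.out[s] |= self.out[self.fail[s]]

    def next_state(self, state, ch):
        """One DFA step: follow goto, falling back through the failure function."""
        while state and ch not in self.goto[state]:
            state = self.fail[state]
        return self.goto[state].get(ch, 0)

    def search(self, text):
        """Return (end index, pattern) for every occurrence, scanning the text once."""
        state, hits = 0, []
        for i, ch in enumerate(text):
            state = self.next_state(state, ch)
            for pat in sorted(self.out[state]):
                hits.append((i, pat))
        return hits

    def to_dfa(self, alphabet):
        """The fully resolved transition table the slide draws: one row per state,
        one column per character (this is the structure that eats memory)."""
        return [{ch: self.next_state(s, ch) for ch in alphabet} for s in range(len(self.goto))]

PATTERNS = ["hers", "his", "she"]   # the slide's pattern set

if __name__ == "__main__":
    ac = AhoCorasick(PATTERNS)
    print("states:", len(ac.goto))
    print(ac.search("ushers"))
    print(ac.search("shis"))
```

Scanning "ushers" reports "she" ending at index 3 and "hers" ending at index 5 without ever rescanning a character: after "she" the failure link carries the automaton to the state for "he", so the following "rs" completes "hers". The automaton has ten states, matching the 0-9 in the figure.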
Detection by machine learning
Advantage: good for detecting attacks that cannot be easily or precisely described by signatures.
Types of machine learning
supervised learning: learn from a set of data that contains both the samples and their labels
unsupervised learning: identify commonalities in unlabeled samples and group them into clusters.
reinforcement learning: take actions in an environment to maximize the cumulative reward
Machine learning models
artificial neural network, decision tree, support vector machine (SVM), Bayesian networks, random forest, etc.
Concept of neural network
[Figure: feed-forward neural network with an input layer x_0, x_1, ..., x_D, hidden layers 1 to L (the l-th hidden layer has units y^(l)_0, y^(l)_1, ..., y^(l)_m(l)), and an output layer y^(L+1)_1, y^(L+1)_2, ..., y^(L+1)_C]
Accuracy in the detection
Class in the detection
▶ Positive: the target to be detected is claimed or existent
▶ Negative: the target to be detected is not claimed or existent
▶ Target: intrusion, malware, spam, phishing mail, etc.
Total population                Actual class
                                Positive              Negative
Predicted class   Positive      True positive (TP)    False positive (FP)
                  Negative      False negative (FN)   True negative (TN)
Errors in the detection: FP and FN
Performance measurement
▶ Precision=TP/(TP+FP)
▶ Recall=TP/(TP+FN), also called sensitivity
▶ Specificity=TN/(FP+TN)
▶ False-positive rate= FP/(FP+TN)
▶ False-negative rate= FN/(TP+FN)
▶ F-measure = 2*precision*recall/(precision + recall), i.e., the harmonic mean of precision and recall
Watch out for the balance of positive and negative samples.
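The measures above computed from labelled detector verdicts, as an added example (not code from the slides). The confusion matrix is built from two constructed sample sets: a small balanced one, and a 99:1 imbalanced one that shows the warning in the last line, where a detector that never alerts still scores 99% accuracy with zero recall. Function names are this example's own.

```python
# Added example (not from the slides): confusion matrix and the slide's
# measures from parallel lists of truth labels (1 = positive) and verdicts.

def confusion(labels, preds):
    """Count TP/FP/FN/TN from truth labels and detector verdicts."""
    cm = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for actual, predicted in zip(labels, preds):
        if actual and predicted:
            cm["TP"] += 1
        elif actual:
            cm["FN"] += 1      # a real intrusion the detector missed
        elif predicted:
            cm["FP"] += 1      # an alert on benign activity
        else:
            cm["TN"] += 1
    return cm

def measures(cm):
    """The slide's measures, plus accuracy to show why it misleads on imbalanced data."""
    tp, fp, fn, tn = cm["TP"], cm["FP"], cm["FN"], cm["TN"]

    def ratio(num, den):
        return num / den if den else 0.0   # undefined ratios (0/0) reported as 0

    precision = ratio(tp, tp + fp)
    recall = ratio(tp, tp + fn)            # also called sensitivity
    return {
        "precision": precision,
        "recall": recall,
        "specificity": ratio(tn, fp + tn),
        "fpr": ratio(fp, fp + tn),
        "fnr": ratio(fn, tp + fn),
        "f_measure": ratio(2 * precision * recall, precision + recall),
        "accuracy": ratio(tp + tn, tp + fp + fn + tn),
    }

def silent_detector(labels):
    """Measures for a detector that never raises an alert on the given labels."""
    return measures(confusion(labels, [0] * len(labels)))

# Constructed samples: 10 connections, 4 of them real intrusions.
LABELS = [1, 1, 1, 1, 0, 0, 0, 0, 0, 0]
PREDS  = [1, 1, 0, 0, 1, 0, 0, 0, 0, 0]     # 2 caught, 2 missed, 1 false alarm
# Constructed imbalanced set: 1 intrusion among 100 connections.
IMBALANCED = [1] + [0] * 99

if __name__ == "__main__":
    print(confusion(LABELS, PREDS))
    for k, v in measures(confusion(LABELS, PREDS)).items():
        print(f"{k:12s} {v:.3f}")
    print("silent detector on 99:1 data:", silent_detector(IMBALANCED))
```

On the balanced set precision is 2/3 and recall 1/2, giving an F-measure of 4/7. On the imbalanced set the silent detector reaches 0.99 accuracy while precision, recall and F-measure are all 0, which is why the slide says to watch the class balance and to report precision/recall rather than accuracy.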
Receiver operating characteristic (ROC) curve
source: Indon, derivative work: Kai walz (talk) - ROC space.png, CC BY-SA 3.0, commons.wikimedia.org/w/index.php?curid=8326140
Multi-threading in Suricata
Suricata supports four thread modules and three runmodes.
Thread Module
(1) Packet acquisition (PAQ), (2) Decode and Stream Application layer, (3) Detection, (4) Output
Runmodes
Single: Single-threaded mode
AutoFP: The task of processing a packet is pipelined to multiple stages. Each thread handles one stage, and there is at least one thread in a stage.
Workers: Multiple workers, each of which single-handedly processes the packets it acquires (i.e., each thread runs all thread modules).
AutoFP mode vs. Workers mode
AutoFP mode
Core 0: PAQ, STREAM, DETECT, OUTPUT
Core 1: DECODE, DETECT, OUTPUT
Core 2: DETECT, OUTPUT
Core 3: PAQ, STREAM, DETECT
Worker mode
Core 0: PAQ, DECODE, STREAM, DETECT, OUTPUT
Core 1: PAQ, DECODE, STREAM, DETECT, OUTPUT
Core 2: (empty in the figure)
Core 3: (empty in the figure)
source: Performance Characterization of Suricata's Thread Models, xbu.me/article/performance-characterization-of-suricata-thread-models
100Gb/s monitoring solution
Functions of Arista 7504: (1) aggregate the inputs of the optical taps from the Internet connections (2) create a 10G Link Aggregation Group (LAG) of that aggregated traffic to pass to the 7150 device.
source: 100G Intrusion Detection, commons.lbl.gov/display/cpp/100G+Intrusion+Detection
NIDS evasion
Definition
An attacker modifies the attacks to evade NIDS detection, while keeping the effectiveness of the attacks.
Methods of evasion
▶ Making the attacks low-profile
▶ Denial-of-service (DoS) attack on the NIDS
▶ Splitting packets into smaller ones
▶ Overlapped fragments or TCP segments
▶ Time-to-live (TTL) manipulation
▶ Content mutation with equivalent semantics
▶ Input or poison attacks for adversarial learning
Evasion by denial-of-service (DoS) attacks
DoS attacks
▶ Leverage a bug of the IDS to make the NIDS crash (Note that the inspected packets are inputs to the NIDS)
▶ Algorithmic complexity attacks
Example of algorithmic complexity attacks
Consider the following rule and algorithm:
alert tcp $EXT_NET any -> $HOME_NET 99 (msg:"AudioPlayer Jukebox exploit";
    content:"fmt=";                    // P1
    pcre:"/^(mp3|ogg)/", relative;     // P2
    content:"player=";                 // P3
    pcre:"/^(.exe|.com)/", relative;   // P4
    content:"overflow";                // P5
    sid:5678)
Evasion by algorithmic complexity attack
algorithmic complexity: O(n^k), where n is the payload length and k is the number of predicates.
Evasion by packet splitting
Remember IP fragmentation and TCP segmentation?
[Figure: the bad guy sends fragment 1 "cat /etc" and fragment 2 "/shadow" through the NIDS to the protected server; each fragment on its own looks normal...]
Complexity of reassembly
▶ Buffer IP fragments/TCP segments in memory and track the offsets.
▶ Track a number of TCP connection states.
▶ Overlapped IP fragments/TCP segments (interpreted differently on different systems).
Tools for packet splitting
Tool: fragroute
Synopsis: fragroute [-f file] host
Description: fragroute intercepts, modifies, and rewrites egress traffic destined for the specified host
Usage
▶ Configure ip_frag size or tcp_seg size in the rule set (in file) to fragment or segment packets to size.
▶ Configure ip_ttl ttl to set the IP time-to-live value of every packet to ttl.
▶ Configure order random|reverse to re-order the packets in the queue randomly, or in reverse.
Tools for packet splitting (cont.)
Tool: fragrouter
Synopsis: fragrouter [ -i interface ] [ -p ] [ -g hop ] [ -G hopcount ] ATTACK
Description: Fragrouter is a program for routing network traffic in such a way as to elude most network intrusion detection systems.
Usage
▶ -F1 (in ATTACK): Send data in ordered 8-byte IP fragments.
▶ -F3: Send data in ordered 8-byte IP fragments, with one fragment sent out of order.
▶ -T1: Complete TCP handshake, send fake FIN and RST (with bad checksums) before sending data in ordered 1-byte segments.
Overlapped fragments or TCP segments
Fragment layout (byte offsets 0-11; fragments numbered in arrival order):
offset:   0  1  2  3  4  5  6  7  8  9 10 11
frag 1:   1  1  1
frag 2:               2  2
frag 3:                     3  3  3
frag 4:      4  4  4  4
frag 5:                     5  5  5
frag 6:                              6  6  6
Reassembled using policy: First (Windows, SUN, MacOS, HPUX)    1 1 1 4 2 2 3 3 3 6 6 6
Reassembled using policy: Last/RFC791 (Cisco)                  1 4 4 4 4 2 5 5 5 6 6 6
Reassembled using policy: Linux (Linux)                        1 1 1 4 4 2 5 5 5 6 6 6
Reassembled using policy: BSD (AIX, FreeBSD, HPUX, VMS)        1 1 1 4 4 2 3 3 3 6 6 6
Reassembled using policy: BSD-Right (HP Jet Direct)            1 4 4 4 2 2 5 5 5 6 6 6
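The overlap table above reproduced in code, as an added example (not code from the slides): the six fragments of the figure are reassembled under each of the five policies, and `ambiguous_positions` lists the bytes whose content depends on the policy, which is exactly the set a sensor gets wrong unless it reassembles the way the protected host does (the target-based reassembly Suricata advertises). The fragment offsets are read off the figure, and the per-byte precedence rule for each policy is this example's inference from the figure's five results, which it reproduces; it is not taken from any OS source.

```python
# Added example (not from the slides): target-based reassembly of the six
# overlapping fragments in the figure under the five listed policies. The
# per-byte precedence rules are inferred from the figure's results.

FRAGMENTS = [  # (fragment id, byte offset, payload) in arrival order, constructed from the figure
    (1, 0, "111"), (2, 4, "22"), (3, 6, "333"),
    (4, 1, "4444"), (5, 6, "555"), (6, 9, "666"),
]
POLICIES = ["First", "Last", "Linux", "BSD", "BSD-Right"]

def later_wins(policy, old, new):
    """Does the later-arriving fragment `new` replace a byte already held by `old`?"""
    old_off, old_end = old[1], old[1] + len(old[2]) - 1
    new_off, new_end = new[1], new[1] + len(new[2]) - 1
    if policy == "First":       # Windows, SUN, MacOS, HPUX: keep what arrived first
        return False
    if policy == "Last":        # RFC 791 / Cisco: the newest data always wins
        return True
    if policy == "Linux":       # newer wins if it starts at or before the old fragment
        return new_off <= old_off
    if policy == "BSD":         # newer wins only if it starts strictly before
        return new_off < old_off
    if policy == "BSD-Right":   # newer wins unless the old fragment ends after it
        return new_end >= old_end
    raise ValueError(f"unknown policy {policy}")

def reassemble(fragments, policy):
    """Return the reassembled stream as space-separated fragment ids; '?' marks a hole."""
    owner = {}   # byte position -> fragment that currently supplies it
    for frag in fragments:
        for i in range(len(frag[2])):
            pos = frag[1] + i
            if pos not in owner or later_wins(policy, owner[pos], frag):
                owner[pos] = frag
    out = []
    for pos in range(max(owner) + 1):
        frag = owner.get(pos)
        out.append(frag[2][pos - frag[1]] if frag else "?")
    return " ".join(out)

def all_policies(fragments):
    return {p: reassemble(fragments, p) for p in POLICIES}

def ambiguous_positions(fragments):
    """Byte positions whose content differs between policies: the bytes a sensor
    can only interpret correctly if it knows the protected host's policy."""
    views = [reassemble(fragments, p).split() for p in POLICIES]
    return [i for i in range(len(views[0])) if len({v[i] for v in views}) > 1]

if __name__ == "__main__":
    for policy, stream in all_policies(FRAGMENTS).items():
        print(f"{policy:10s} {stream}")
    print("policy-dependent positions:", ambiguous_positions(FRAGMENTS))
```

Six of the twelve byte positions come out differently depending on the policy. A NIDS configured with the wrong policy for a host therefore inspects a byte stream the host never sees, which is the gap the overlapped-fragment evasion relies on, and the reason Suricata's stream engine takes a per-host OS policy setting.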
Evasion by content mutation
Content mutation for Web attacks
Possible mutations of GET /cgi-bin/broken.cgi
▶ GET /%63%67%69%2d%62%69%6e/broken.cgi
▶ GET /xyz/../cgi-bin/./broken.cgi
▶ GET /CGI-BIN/broken.cgi
▶ GET /cgi-bin\broken.cgi
▶ GET%<tab>/cgi-bin/broken.cgi<tab>HTTP/1.0
Many more encoding methods, e.g., double encoding, which further encodes % as %25.
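The defender's answer to the mutations above, as an added example (not code from the slides): the canonicalisation a NIDS or WAF performs before signature matching, so that every variant listed on the slide compares equal to /cgi-bin/broken.cgi. Percent-decoding is repeated to undo double encoding and bounded so that nested encodings cannot make the normaliser loop forever; the request line is split on spaces and tabs. The function names and the constructed double-encoded variant are this example's own.

```python
# Added example (not from the slides): canonicalise a request path before
# signature matching so the slide's mutations all compare equal. Decoding is
# repeated (double encoding: %25 -> %) but bounded.
import posixpath
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3   # enough for double/triple encoding, finite by construction

def normalize_path(raw, rounds=MAX_DECODE_ROUNDS):
    """Canonical form of a request path: decoded, forward slashes, ./.. resolved, lower case."""
    path = raw
    for _ in range(rounds):
        decoded = unquote(path)       # %63%67%69 -> cgi; %25 -> % (next round decodes again)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")     # backslash used as a directory separator
    path = path.split("?", 1)[0]       # the query string is matched separately
    path = posixpath.normpath(path)    # collapse /./ and resolve /xyz/../
    if not path.startswith("/"):
        path = "/" + path
    return path.lower()                # case-insensitive targets

def parse_request_line(line):
    """Split a request line on any run of spaces or tabs: (method, path, version)."""
    parts = re.split(r"[ \t]+", line.strip())
    if len(parts) < 2:
        raise ValueError(f"not a request line: {line!r}")
    version = parts[2] if len(parts) > 2 else "HTTP/0.9"
    return parts[0], parts[1], version

def canonical_targets(lines):
    """Set of normalised paths for a list of request lines."""
    return {normalize_path(parse_request_line(l)[1]) for l in lines}

def matches_signature(line, signature="/cgi-bin/broken.cgi"):
    """Signature comparison on the canonical path, not on the raw bytes."""
    return normalize_path(parse_request_line(line)[1]) == signature

# The slide's mutations, plus one constructed double-encoded form (%2563 -> %63 -> c).
MUTATIONS = [
    "GET /cgi-bin/broken.cgi HTTP/1.0",
    "GET /%63%67%69%2d%62%69%6e/broken.cgi HTTP/1.0",
    "GET /xyz/../cgi-bin/./broken.cgi HTTP/1.0",
    "GET /CGI-BIN/broken.cgi HTTP/1.0",
    "GET /cgi-bin\\broken.cgi HTTP/1.0",
    "GET%\t/cgi-bin/broken.cgi\tHTTP/1.0",
    "GET /%2563gi-bin/broken.cgi HTTP/1.0",
]

if __name__ == "__main__":
    for line in MUTATIONS:
        print(f"{matches_signature(line)!s:5}  {line!r}")
```

A raw-bytes signature for "/cgi-bin/broken.cgi" would hit only the first line; after normalisation all seven collapse to the same string. The normaliser has to mirror what the protected server does (Windows hosts fold case and accept backslashes, most Unix hosts do not), which is the same target-dependence that reassembly policies have.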
Evasion by content mutation (cont.)
Content mutation for exploit code
▶ XOR encoding
▶ BASE64 encoding
▶ Packing (compression, encryption, etc.)
▶ Polymorphism (relying on a mutation engine to change the encoded content in each exploit)
▶ Metamorphism (modifying binary code to a logically equivalent version)
Mutation for evading an IDS classifier
In the high-dimensional feature space,
▶ small solid circles: benign features
▶ crosses: malicious features
▶ triangles: adversarial features
source: Han et al.,“Evaluating and Improving Adversarial Robustness of
Machine Learning-Based Network Intrusion Detectors,”
https://arxiv.org/abs/2005.07519, 2020.
YARA: pattern matching tool for virus scanning
YARA
▶ A tool to create descriptions of malware families based on textual or binary patterns
▶ Each description, a.k.a. rule, consists of a set of strings and a boolean expression which determines its logic.
Example of descriptions
rule silent_banker : banker
{
meta:
description = "This is just an example"
threat_level = 3
in_the_wild = true
strings:
$a = {6A 40 68 00 30 00 00 6A 14 8D 91}
$b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
$c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
condition:
$a or $b or $c
}
YARA modules
▶ PE/ELF: to create more fine-grained rules for PE/ELF files by using attributes and features of the PE file format
▶ Cuckoo: to create YARA rules based on behavioral information generated by Cuckoo sandbox
▶ Magic: to identify the type of the file based on the output of the file command
▶ Hash: to calculate hashes (MD5, SHA1, SHA256) from portions of your file and create signatures based on those hashes
▶ Math: to calculate certain values from portions of your file and create signatures based on those results
▶ Dotnet: to create more fine-grained rules for .NET files by using attributes and features of the .NET file format
▶ Time: to use temporal conditions in your YARA rules
SpamAssassin
An anti-spam platform giving system administrators a filter to classify email and block spam (unsolicited bulk email). Mostly rule-based, but also supports Bayesian learning.
An example of detection rule
sub check_for_forged_gmail_received_headers {
  my ($self, $pms) = @_;
  use constant GOOGLE_MESSAGE_STATE_LENGTH_MIN => 60;
  use constant GOOGLE_SMTP_SOURCE_LENGTH_MIN => 60;
  my $from = $pms->get('From:addr');
  if ($from !~ /\bgmail\.com$/i) { return 0; }
  my $xgms = $pms->get('X-Gm-Message-State');
  my $xss = $pms->get('X-Google-Smtp-Source');
  my $xreceived = $pms->get('X-Received');
  my $received = $pms->get('Received');
  if ($xreceived =~ /by 10\.\S+ with SMTP id \S+/) { return 0; }
  if ($xreceived =~ /by 2002\:a\d\d\:\w+\:\S+ with SMTP id \S+/) { return 0; }
  if ($received =~ /by smtp\.googlemail\.com with ESMTPSA id \S+/) {
    return 0;
  }
  if ( (length($xgms) >= GOOGLE_MESSAGE_STATE_LENGTH_MIN) &&
       (length($xss) >= GOOGLE_SMTP_SOURCE_LENGTH_MIN)) {
    return 0;
  }
  return 1;
}
Web Application Firewall (WAF)
Purpose: to protect web servers/applications from external attacks
▶ OWASP top-10 list, e.g., SQL injection
▶ User authentication and access control
▶ Denial-of-service (DoS) attacks
▶ Hide details of web servers
▶ Stop web scraping
▶ Data leak prevention
▶ Vulnerability assessment
▶ Auditing and logs
Exercises
1. Follow the instructions to download and install the Zeek package: Zeek installation
2. Run Zeek to analyze the pcap file 2009-M57-day11-18.pcap.
3. According to the output logs, write scripts to tell
  • What are the top 10 most active originator hosts?
  • What are the top 10 most visited hosts in HTTP?
  • What are the top 10 most queried names in DNS?
  • What are the top 10 most frequent pairs of hosts in conn.log?
  • What are the top 10 most popular user agents in HTTP?
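A starting point for exercise 3, as an added example (not code from the slides or from the Zeek project): a reader for Zeek's tab-separated log format that takes its column names from the `#fields` header line and honours the `#unset_field` and `#empty_field` directives, plus the top-N counters the questions ask for. It is run here over a constructed conn.log excerpt whose addresses and uids are made up and whose columns are a subset of the real conn.log fields; the same functions apply unchanged to the http.log (`host`, `user_agent`) and dns.log (`query`) files Zeek writes for the pcap.

```python
# Added example (not from the slides): parse Zeek TSV logs by their #fields
# header and compute the top-N counts the exercise asks for. The conn.log
# excerpt below is constructed (made-up hosts and uids, subset of columns).
from collections import Counter

def parse_zeek_log(text):
    """One dict per record; keys come from #fields, unset/empty markers are mapped."""
    sep, unset, empty, fields = "\t", "-", "(empty)", None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # the header spells the separator as an escape, e.g. \x09
                sep = line[len("#separator "):].encode().decode("unicode_escape")
            else:
                name, _, value = line[1:].partition(sep)
                if name == "fields":
                    fields = value.split(sep)
                elif name == "unset_field":
                    unset = value
                elif name == "empty_field":
                    empty = value
            continue                      # #types, #open, #close and friends are skipped
        if fields is None:
            raise ValueError("data line before the #fields header")
        record = {}
        for key, value in zip(fields, line.split(sep)):
            record[key] = None if value == unset else "" if value == empty else value
        records.append(record)
    return records

def top_n(records, field, n=10):
    """Most common values of one column, ignoring records where it is unset."""
    return Counter(r[field] for r in records if r.get(field) is not None).most_common(n)

def top_pairs(records, n=10):
    """Most common (originator, responder) host pairs in conn.log."""
    return Counter((r["id.orig_h"], r["id.resp_h"]) for r in records).most_common(n)

def tsv(*cols):
    return "\t".join(cols)

# Constructed conn.log excerpt in Zeek's format (subset of the real columns).
SAMPLE_CONN = "\n".join([
    "#separator \\x09",
    tsv("#set_separator", ","),
    tsv("#empty_field", "(empty)"),
    tsv("#unset_field", "-"),
    tsv("#path", "conn"),
    tsv("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service"),
    tsv("#types", "time", "string", "addr", "port", "addr", "port", "enum", "string"),
    tsv("1258531221.486539", "CAAAAA1", "192.168.1.102", "49153", "10.0.0.5", "80", "tcp", "http"),
    tsv("1258531222.101200", "CAAAAA2", "192.168.1.102", "49154", "10.0.0.5", "80", "tcp", "http"),
    tsv("1258531223.330011", "CAAAAA3", "192.168.1.102", "53211", "10.0.0.9", "53", "udp", "dns"),
    tsv("1258531224.004400", "CAAAAA4", "192.168.1.104", "50100", "10.0.0.5", "80", "tcp", "http"),
    tsv("1258531225.770000", "CAAAAA5", "192.168.1.104", "53300", "10.0.0.9", "53", "udp", "dns"),
    tsv("1258531226.120000", "CAAAAA6", "192.168.1.105", "40001", "10.0.0.7", "443", "tcp", "-"),
    tsv("#close", "2009-11-18-00-00-00"),
])

if __name__ == "__main__":
    recs = parse_zeek_log(SAMPLE_CONN)
    print("most active originators:", top_n(recs, "id.orig_h"))
    print("most frequent host pairs:", top_pairs(recs))
    print("services:", top_n(recs, "service"))
```

For the real exercise, read each log with `open("conn.log").read()` in place of `SAMPLE_CONN`, then call `top_n` with `"host"` and `"user_agent"` on http.log and `"query"` on dns.log; `top_pairs` answers the conn.log question. Reading the column names from `#fields` rather than hard-coding positions is what keeps the script working when a Zeek version or a local script adds columns.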