An intrusion signature library for IDS: an analysis of how signatures are created, with examples

Source: Internet
Author: User
Tags: rfc
To capture intrusions effectively, an IDS must have a strong database of intrusion signatures, just as a public security department must have a sound criminal records database. However, the signature databases that ship with an IDS are generally rigid, and when they meet intrusions that have "changed their face" they often fail to recognise them. The administrator therefore needs to learn how to create signature templates that fit actual needs, so that the IDS changes as the attacks change. This article introduces the concept and categories of intrusion signatures and how to create them, in the hope of helping readers master this method of "changing face" as soon as possible.

Basic concepts of signatures

An IDS signature is the sample data used to classify traffic. Signatures typically fall into several representative cases, each with its own recognition method:

Connection attempts from reserved IP addresses: easily identified by checking the source address field of the IP header.

Packets with illegal TCP flag combinations: identified by comparing the set of flags in the TCP header against the known valid and invalid flag combinations.

E-mail carrying a known virus: identified by comparing the subject line of each message with the subject lines of known malicious messages, or by searching for a specific name.

DNS buffer overflow attempts in the query payload: identified by parsing the DNS name fields and checking the length of each label, since overflow attempts abuse oversized names. Another way is to search the payload for the byte sequence of known exploit shellcode.

A DoS attack caused by thousands of identical commands sent to a POP3 server: detected by tracking the number of consecutive occurrences of a command and raising an alarm when it exceeds a preset limit.

File access attacks on FTP servers, using file and directory commands without logging on: detected by a signature template with state tracking that records which FTP sessions have logged on successfully and flags such commands when they are issued on a session that has not authenticated.
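The last three cases above are payload and state-tracking signatures rather than simple header matches. The following is an added example, not code from the original article, showing how each of them can be implemented: a DNS label-length check, a consecutive-command counter for the POP3 flood, and an FTP login-state tracker. All inputs are constructed samples, and the function and class names are my own.

```python
# Added example (not from the original article): three of the payload and
# state-tracking signatures described above, run on constructed input.
import struct

MAX_LABEL = 63   # RFC 1035: a DNS label is at most 63 bytes


def build_dns_query(labels):
    """Constructed sample: a minimal DNS query for the given name labels."""
    header = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)   # QTYPE A, QCLASS IN


def dns_query_label_lengths(payload):
    """Walk the QNAME of the first question and return its label lengths.
    Stops at the first invalid length (> 63) so the caller can flag it."""
    pos, lengths = 12, []          # skip the 12-byte DNS header
    while True:
        if pos >= len(payload):
            raise ValueError("name runs past the end of the packet")
        n = payload[pos]
        if n == 0:
            return lengths
        lengths.append(n)
        if n > MAX_LABEL:          # oversized label or pointer/reserved bits
            return lengths
        pos += 1 + n


def dns_overflow_attempt(payload):
    """Signature: any label longer than 63 bytes, or a truncated name."""
    try:
        return any(n > MAX_LABEL for n in dns_query_label_lengths(payload))
    except ValueError:
        return True                # malformed name: treat as suspicious


class RepeatedCommandSignature:
    """Counts consecutive identical commands per client stream and fires once
    the run exceeds `limit` (the POP3 flood case)."""

    def __init__(self, limit):
        self.limit = limit
        self.runs = {}             # stream id -> (last command, run length)

    def observe(self, stream, line):
        cmd = line.strip().split(b" ", 1)[0].upper()
        last, run = self.runs.get(stream, (None, 0))
        run = run + 1 if cmd == last else 1
        self.runs[stream] = (cmd, run)
        return run > self.limit


class FtpAuthStateSignature:
    """Tracks which FTP sessions have logged in (server reply 230) and flags
    file or directory commands sent on a session that has not."""

    FILE_CMDS = {b"RETR", b"STOR", b"LIST", b"NLST", b"DELE", b"CWD", b"MKD", b"RMD"}

    def __init__(self):
        self.logged_in = set()

    def server_line(self, stream, line):
        if line.startswith(b"230"):   # "230 User logged in"
            self.logged_in.add(stream)

    def client_line(self, stream, line):
        cmd = line.strip().split(b" ", 1)[0].upper()
        return cmd in self.FILE_CMDS and stream not in self.logged_in


def run_samples():
    """Exercise the three signatures on constructed traffic; returns the verdicts."""
    results = {
        "dns_normal": dns_overflow_attempt(build_dns_query([b"www", b"example", b"com"])),
        "dns_overflow": dns_overflow_attempt(build_dns_query([b"A" * 100, b"com"])),
    }
    pop3 = RepeatedCommandSignature(limit=3)
    results["pop3_hits"] = [pop3.observe("c1", b"NOOP\r\n") for _ in range(5)]
    ftp = FtpAuthStateSignature()
    results["ftp_before_login"] = ftp.client_line("c2", b"RETR secret.txt\r\n")
    ftp.server_line("c2", b"230 Login successful.\r\n")
    results["ftp_after_login"] = ftp.client_line("c2", b"RETR secret.txt\r\n")
    return results


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {verdict}")
```

Note that the DNS check fires on the length byte itself rather than on the name's content, so a packet whose name runs past the end of the payload is flagged as well; the POP3 and FTP signatures keep per-stream state, which is what separates a state-tracking signature from a simple pattern match.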

From the above classification we can see that signatures cover a wide range: from a simple header field value, through highly complex connection state tracking, to extended protocol analysis. As one leaf tells of autumn, this article starts from the simplest signatures and discusses their function, development and customisation in detail.

Note also that IDS products differ in what their signatures can do. For example, some network IDS allow very little customisation of existing signatures or writing of new ones, while others allow customisation and writing over a wide range, or even arbitrary signatures; some IDS can only check specific header fields or payload values, while others can obtain data from any location in any packet.

What is the role of a signature?

The answer to this question seems clear: a signature is used to detect whether suspicious content in a packet really matches a "bad" pattern, that is, a "clone" of known malicious traffic. Since the IDS already carries this important component, why would you need to customise or write signatures? The reason is this: you may often see some familiar traffic roaming the network that the IDS pays no attention to, either because its signature database is outdated or because the traffic itself is not attack or probe data. Your curiosity is aroused and you want an alarm raised when that suspicious data passes again, so that you can capture it and take a closer look at where it comes from. The only way to do this is to customise the existing signature database or write new signatures for it.

Customising or writing signatures can be done coarsely or finely, depending entirely on actual needs. One can either just determine whether an anomaly has occurred, without identifying the specific attack by name, thereby saving resources and time; or identify the specific attack method or exploit, so as to obtain more information. I feel the former suits the leadership's view and the latter the specific operator's: combine the macro with the micro, and the enemy will not walk in unnoticed!

The prime signature candidate: header values

Header values have a relatively simple structure, and anomalous header information is clearly identifiable, so header values are the prime candidate for signature data. A classic example is a TCP packet with both the SYN and FIN flags set, which clearly violates the TCP standard specified in RFC 793. Such packets are used by many intrusion tools to launch attacks against firewalls, routers and IDS. Anomalous header values have several sources:

Since most operating systems and applications are written on the assumption that the RFCs are strictly followed, with no error handling added for anomalous data, many exploits deliberately use header values that violate the RFC definitions and blatantly expose the shoddy handling of the attacked target.

Much imperfect software containing bugs also produces header values that violate the RFC definitions.

Not all operating systems and applications fully comply with the RFC definitions; at least one aspect usually diverges from the RFC.

Over time, protocols that perform new functions may appear that are not covered by existing RFCs.

Because of the above conditions, signature data based strictly on the RFCs may produce false positives or false negatives. In this respect the RFCs are continually updated and new violations keep appearing, so it is necessary to periodically review or update existing signature definitions.

Illegal header values are a very basic part of signature data, but legitimate yet questionable header values are equally important. For example, if a suspicious connection to port 31337 or 27374 is observed, it can be reported that a Trojan horse may be active, and other more detailed probing information can then be used to determine whether it is a real Trojan or a false alarm.
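As an added example (not code from the original article), the block below implements the header-value signatures this section and the first two cases of the opening list describe: a reserved source address, an illegal TCP flag combination such as SYN together with FIN, and the legitimate-but-questionable ports 31337 and 27374. It goes slightly beyond the article's single SYN+FIN case by also treating SYN+RST and a segment with no flags as illegal combinations. The packets are constructed samples with zero checksums, the reserved-network list is my own choice, and the function names are hypothetical.

```python
# Added example (not from the original article): header-value signatures for
# raw IPv4/TCP packets, run on constructed samples (checksums left as zero).
import ipaddress
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Address ranges that should never be the source of traffic arriving from outside
# (assumed list for this example; adjust to the network being protected).
RESERVED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# The two ports the article cites as legitimate-but-questionable header values.
SUSPICIOUS_PORTS = {31337, 27374}

# Flag combinations that no well-formed TCP segment carries.
ILLEGAL_FLAG_COMBOS = {
    "syn-fin": lambda f: (f & (SYN | FIN)) == (SYN | FIN),
    "syn-rst": lambda f: (f & (SYN | RST)) == (SYN | RST),
    "no-flags": lambda f: f == 0,
}


def build_packet(src, dst, sport, dport, flags):
    """Constructed sample: a 20-byte IPv4 header plus a 20-byte TCP header."""
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp


def parse_ipv4_tcp(packet):
    """Return (src, dst, sport, dport, flags) from a raw IPv4+TCP packet."""
    if packet[0] >> 4 != 4 or packet[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (packet[0] & 0x0F) * 4                # IP header length in bytes
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    sport, dport = struct.unpack(">HH", packet[ihl:ihl + 4])
    flags = packet[ihl + 13] & 0x3F             # low six bits: URG..FIN
    return src, dst, sport, dport, flags


def match_header_signatures(packet):
    """Return the names of the header-value signatures this packet matches."""
    src, dst, sport, dport, flags = parse_ipv4_tcp(packet)
    hits = []
    if any(src in net for net in RESERVED_NETS):
        hits.append("reserved-source-ip")
    for name, test in ILLEGAL_FLAG_COMBOS.items():
        if test(flags):
            hits.append("illegal-flags:" + name)
    if dport in SUSPICIOUS_PORTS or sport in SUSPICIOUS_PORTS:
        hits.append("suspicious-port")
    return hits


def run_samples():
    """Four constructed packets: one clean, three that each trip one signature."""
    return {
        "clean": match_header_signatures(
            build_packet("203.0.113.5", "198.51.100.7", 40000, 80, SYN)),
        "reserved_src": match_header_signatures(
            build_packet("10.0.0.9", "198.51.100.7", 40000, 80, SYN)),
        "syn_fin": match_header_signatures(
            build_packet("203.0.113.5", "198.51.100.7", 40000, 80, SYN | FIN)),
        "trojan_port": match_header_signatures(
            build_packet("203.0.113.5", "198.51.100.7", 40000, 31337, SYN)),
    }


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name}: {hits or 'no match'}")
```

The port check illustrates the point made above: a hit on 31337 or 27374 is a report that something may be active, not proof, and it should be followed up with more detailed inspection before it is treated as a confirmed Trojan.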
