Introduction to techniques and countermeasures for evading intrusion detection systems

Source: Internet
Author: User
Tags crc32

 

In the days when the network is booming, network security issues have become increasingly prominent. Black and white channels on the network are fiercely competitive in various fields of network security. The Black Hat community is constantly introducing new technologies to avoid or bypass Network Intrusion Detection Systems (NIDS). NIDS developers are constantly adding Detection techniques to their own products. However, due to the limitations of NIDS, the day of victory is leaning towards the black hat. This article will discuss some basic IDS evasion technologies and how to identify these technologies.

1. Weakness of String Matching

The IDS evasion technique for basic string matching vulnerabilities was first proposed and implemented. Some pattern-based intrusion detection devices rely almost entirely on string matching algorithms. For a poorly written pattern, attackers can easily destroy string matching. Although not all intrusion detection systems are purely based on signatures, most of them depend heavily on string matching algorithms. Here, we will use the open source code tool snort for discussion.

In UNIX systems,/etc/passwd is an important file that contains information such as the user name, group member relationship, and shell allocated to the user. We will start from monitoring access to the/etc/passwd file. The following is the snort detection rule for detection:

Alert tcp$EXTERNAL_NET any->$HTTP_SERVERS 80 (msg: "WEB-MISC/etc/passwd ";

Flags: A +; content: "/etc/passwd"; nocase; classtype: attempted-recon; sid: 1122; rev: 1)

Snort uses string matching algorithms to detect HTTP requests that contain signatures (/etc/passwd. However, the signature of this rule is too simple. Attackers can easily bypass detection by modifying attack strings (we do not consider that attack requests are sent over HTTP ). For example, change the attack request from GET/etc/passwd to GET/etc/// passwd or GET/etc/rc. d /.. /. /passwd, the modification method is countless. This is the most basic anti-virus technology, and it is relatively easy to detect this technology. You only need to carefully consider the possible variants of attacks when writing signatures. Currently, most popular intrusion detection systems have powerful string matching capabilities, which is sufficient to detect most variants of such attacks. However, some poorly-written signatures can give attackers a chance.

Attackers can also make changes on this basis, which increases the defense difficulty of the intrusion detection system with little effort. For example, in an interactive session such as telnet, attackers attempt to read the/etc/passwd file. Generally, intrusion detection systems have many signatures, such as misuse operations and backdoors. However, these signatures generally only contain the hacker tool name, file name, and program name. When obtaining the content of the/etc/passwd file, we do not directly input command lines such as cat/etc/passwd, but use a command interpreter (for example: perl) to achieve our goal:

Badguy @ hosthtml # "target = _ blank>$Content$Nbsp; perl-e

'$Foo = pack ("C11", 47,101,116, 115,115,119,100 );

@ Bam = '/bin/cat/$Foo '; print "@ bam ";'

From this command, the intrusion detection system will not reorganize the/etc/passwd characters. Obviously, it is very difficult to defend against such attacks, because it requires the intrusion detection system to be able to understand how such interpreters receive commands, which is not realistic. Of course, the intrusion detection system can also trigger alarms for suspicious behaviors using the interpreter, but it is difficult to precisely monitor attack behaviors.

By combining string processing technology and character replacement technology, we can implement more complicated string camouflage. For WEB requests, we do not need to use the command interpreter. In our requests, we can use a hexadecimal URL. The following requests can be interpreted as/etc/passwd by the target WEB server:

GET % 65% 74% 63/% 70% 61% 73% 73% 64 or

GET % 65% 74% 63/% 70a % 73% 73% 77d

To capture all variations of this string, you may need more than 1000 signatures for string matching, which is not considered UNICODE. UNICODE provides another character expression. This article will not discuss more about the unicode ids spoofing technology. For more details, see IDS Evasion with Unicode of SecurityFocus. In addition, RainForestPuppy uses another IDS spoofing technology in its HTTP scanning tool Whisker:

-I 1 IDS-evasive mode 1 (URL encoding)

-I 2 IDS-evasive mode 2 (// directory insertion)

-I 3 IDS-evasive mode 3 (prematurely ending the URL)

-I 4 IDS-evasive mode 4 (Long URL)

-I 5 IDS-evasive mode 5 (counterfeit parameter)

-I 6 IDS-evasive mode 6 (TAB Division) (not NT/IIS)

-I 7 IDS-evasive mode 7 (case sensitive)

-I 8 IDS-evasive mode 8 (Windows delimiter)

-I 9 IDS-evasive mode 9 (Session stitching) (slow)

-I 0 IDS-evasive mode 0 (NULL method)

If you want to know the technical details of these methods, refer to A Look At Whisker's Anti-IDS Tactics. Rfp separately places the anti-ids technology used by whisker into the libwhisker Library (written in perl, it provides great convenience for other programs to adopt these technologies. In addition, scanning tools such as nessus and babelweb have their own application-layer intrusion detection and avoidance technologies.

At present, IDS developers have a better understanding of various network protocols, and intrusion detection devices perform necessary protocol analysis before matching the data packet load, therefore, the current IDS can well handle the above spoofing technology. However, redundant character conversion increases the load of the intrusion detection system, sometimes outweighs the loss. To reduce the impact of this interface, developers can enable the intrusion detection system to convert characters only on specific ports.

2. Variable shell code (polymorphic shell code)

Polymorphic shell code is developed by K2. The design idea comes from virus evasion technology. Using this technology to reconstruct shell code is more dangerous, and it is very difficult for intrusion detection devices to detect. This technology is only used for buffer overflow attacks. It is very effective to deal with pattern-based detection systems. However, it is much less effective for intelligent or protocol-based detection systems. For ease of discussion, we use the SSH CRC32 buffer as an example. Let's first look at the following snort detection rules:

Alert tcp$EXTERNAL_NET any->$HOME_NET 22 (msg: "EXPLOIT ssh CRC32

Overflow/bin/sh "; flags: A +; content:"/bin/sh "; reference: bugtraq, 2347;

Reference: cve, CVE-2001-0144; classtype: shellcode-detect; sid: 1324; rev: 1 ;)

Alert tcp$EXTERNAL_NET any->$HOME_NET 22 (msg: "EXPLOIT ssh CRC32

Overflow NOOP "; flags: A +; content:" 90 90 90 9

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.