Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

FAQ
It is currently Wed Jun 28, 2017 2:24 pm


Author Message
debuser
Post  Post subject: Juniper SRX/IDP custom attack signature to block .EXE file download  |  Posted: Mon Jun 11, 2012 6:11 pm

Joined: Thu Aug 06, 2009 2:48 am
Posts: 105

Offline
 

Juniper SRX/IDP custom attack signature to block .EXE file download

HTTP transfer can take place either by requesting the direct file (example: http://somedomain.com/virus.exe), which is very easy for IDS systems or by serving the file from a dynamic server script (php) using the "attachment" content disposition mime type.

Example of http request of url direct file request using tcpdump:
Code:
.UL.....GET /nginx/download.exe HTTP/1.1
Host: 82.78.227.176
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Connection: keep-alive

...a.UL.HTTP/1.1 404 Not Found
Server: nginx/1.2.0
Date: Mon, 11 Jun 2012 21:16:12 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive


Example of http request via server script using tcpdump:
Code:
.U.T.a.kGET /nginx/download.php HTTP/1.1
Host: 82.78.227.176
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Connection: keep-alive

.a...U.THTTP/1.1 200 OK
Server: nginx/1.2.0
Date: Mon, 11 Jun 2012 21:18:58 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.11
Content-Disposition: attachment; filename=filenamehere.eXe

0


Why first example is easier to match for Deep Packet Inspection systems is that the matching occurs in a very specific protocol context and it's direction is client to server (usually smaller quantity of traffic than the other direction).

A custom IDP signature can match both .exe file download cases, using a "chained" attack-type:
Code:
[edit security idp custom-attack CUSTOM:HTTP:URL:Exe]
# show
recommended-action close-client;
severity minor;
attack-type {
    chain {
        scope transaction;
        expression "m01 or m02";
        member m01 {
            attack-type {
                signature {
                    context http-header;
                    pattern "\[Content-Disposition\]: \[attachment\]; \[filename\]=.*\.\[exe\]";
                    direction server-to-client;
                }
            }
        }
        member m02 {
            attack-type {
                signature {
                    context http-get-url-parsed;
                    pattern ".*\.\[exe\]";
                    direction client-to-server;
                }
            }
        }
    }
}


Since first member implies that server-to-client traffic is inspected, make sure this feature is not disabled in the sensor config.
Adding the signature in a test policy:
Code:
# top show security idp active-policy | display set
set security idp active-policy test-download-exe
# top show security idp idp-policy test-download-exe
rulebase-ips {
    rule 0 {
        match {
            source-address any;
            destination-address any;
            attacks {
                custom-attacks CUSTOM:HTTP:URL:Exe;
            }
        }
        then {
            action {
                close-client-and-server;
            }
        }
    }
}


Checking if this signature matches the two exe file download methods:
Code:
# run show security idp attack table
IDP attack statistics:

  Attack name                                  #Hits
  CUSTOM:HTTP:URL:Exe                          2         


In both cases, my browser receives an RST packet and displays "The connection to the server was reset while the page was loading."

Exe file download request variations:
Signature will catch most, if not all, of the variations and shouldn't produce false positives, matching all fields case-insensitive.
Code:
.UL.....GET /nginx/download.exe HTTP/1.1

Code:
.UL.....GET /nginx/download.eXe HTTP/1.1

Code:
Content-Disposition: attachment; filename=filenamehere.exe

Code:
Content-Disposition: attachment; filename=filenamehere.EXe

Code:
Content-Disposition: attachment; filename="filenamehere.EXe"


Some servers can enclose the exe filename in single/double quotes that the signature covers.





Top
debuser
Post  Post subject: Re: Juniper SRX/IDP custom signature to block .EXE file download  |  Posted: Mon Jun 11, 2012 6:14 pm

Joined: Thu Aug 06, 2009 2:48 am
Posts: 105

Offline
Server side tcpdump packet trace showing the Juniper SRX/IDP attack matching in action for 2nd method (m01 server-to-client)

Code:
.a......GET /nginx/download.php HTTP/1.1
Host: 82.78.227.176
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Connection: keep-alive


22:10:34.669484 IP 10.1.22.3.80 > 87.210.210.206.31417: Flags [P.], ack 276, win 15840, options [nop,nop,TS val 2443626061 ecr 56737245], length 245
E..)e.@...I{
...W....Pz....R..

..=.K......
...M.a..HTTP/1.1 200 OK
Server: nginx/1.2.0
Date: Mon, 11 Jun 2012 22:10:34 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.11
Content-Disposition: attachment; filename=filenamehere.eXe

0


22:10:34.672166 IP client.31417 > server.80: Flags [R], seq 4241951242, win 8192, length 0


The Juniper IPS appliance detects the exe file download (attack) and closes the connection, sending a RESET tcp packet to both server and client.


Top
debuser
Post  Post subject: Re: Juniper SRX/IDP custom signature to block .EXE file download  |  Posted: Mon Jun 11, 2012 6:29 pm

Joined: Thu Aug 06, 2009 2:48 am
Posts: 105

Offline
This signature is only for inspirational purpose only. It will impact the throughput performance of SRX ips appliance / HTTP protocol.


Top
Mitchel880
Post  Post subject: Re: Juniper SRX/IDP custom attack signature to block .EXE file download  |  Posted: Fri Jan 23, 2015 5:28 am

Joined: Fri Jan 23, 2015 5:26 am
Posts: 1

Offline
if you have many files you can also use this command to automate the operation:
Code:
cat test | awk '{print "copy " $9 " ftp:\nip_of_ftp_server\n\n";}'

where test is a filename containing the output of "DIR" command from the CISCO device.

After that you can just copy&paste the output to the CISCO device and all files will be transfered.

!!!! by admin !!!! relevant or just copy pasted from http://forum.ivorde.com/cisco-copy-files-from-cisco-device-to-ftp-server-t93.html ?


Top
Display posts from previous:  Sort by  
Print view
Who is online
Users browsing this forum: No registered users and 0 guests
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum
Jump to:  
News News Site map Site map SitemapIndex SitemapIndex RSS Feed RSS Feed Channel list Channel list


Delete all board cookies | The team | All times are UTC - 5 hours [ DST ]



phpBB SEO