Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides
https://forum.ivorde.com/

Juniper SRX/IDP custom attack signature to block .EXE file download
https://forum.ivorde.com/juniper-srx-idp-custom-attack-signature-to-block-exe-file-download-t3771.html
Page 1 of 1

Author:  debuser [ Mon Jun 11, 2012 6:11 pm ]
Post subject:  Juniper SRX/IDP custom attack signature to block .EXE file download

HTTP transfer can take place either by requesting the direct file (example: http://somedomain.com/virus.exe), which is very easy for IDS systems or by serving the file from a dynamic server script (php) using the "attachment" content disposition mime type.

Example of http request of url direct file request using tcpdump:
Code:
.UL.....GET /nginx/download.exe HTTP/1.1
Host: 82.78.227.176
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Connection: keep-alive

...a.UL.HTTP/1.1 404 Not Found
Server: nginx/1.2.0
Date: Mon, 11 Jun 2012 21:16:12 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive


Example of http request via server script using tcpdump:
Code:
.U.T.a.kGET /nginx/download.php HTTP/1.1
Host: 82.78.227.176
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Connection: keep-alive

.a...U.THTTP/1.1 200 OK
Server: nginx/1.2.0
Date: Mon, 11 Jun 2012 21:18:58 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.11
Content-Disposition: attachment; filename=filenamehere.eXe

0


Why first example is easier to match for Deep Packet Inspection systems is that the matching occurs in a very specific protocol context and it's direction is client to server (usually smaller quantity of traffic than the other direction).

A custom IDP signature can match both .exe file download cases, using a "chained" attack-type:
Code:
[edit security idp custom-attack CUSTOM:HTTP:URL:Exe]
# show
recommended-action close-client;
severity minor;
attack-type {
    chain {
        scope transaction;
        expression "m01 or m02";
        member m01 {
            attack-type {
                signature {
                    context http-header;
                    pattern "\[Content-Disposition\]: \[attachment\]; \[filename\]=.*\.\[exe\]";
                    direction server-to-client;
                }
            }
        }
        member m02 {
            attack-type {
                signature {
                    context http-get-url-parsed;
                    pattern ".*\.\[exe\]";
                    direction client-to-server;
                }
            }
        }
    }
}


Since first member implies that server-to-client traffic is inspected, make sure this feature is not disabled in the sensor config.
Adding the signature in a test policy:
Code:
# top show security idp active-policy | display set
set security idp active-policy test-download-exe
# top show security idp idp-policy test-download-exe
rulebase-ips {
    rule 0 {
        match {
            source-address any;
            destination-address any;
            attacks {
                custom-attacks CUSTOM:HTTP:URL:Exe;
            }
        }
        then {
            action {
                close-client-and-server;
            }
        }
    }
}


Checking if this signature matches the two exe file download methods:
Code:
# run show security idp attack table
IDP attack statistics:

  Attack name                                  #Hits
  CUSTOM:HTTP:URL:Exe                          2         


In both cases, my browser receives an RST packet and displays "The connection to the server was reset while the page was loading."

Exe file download request variations:
Signature will catch most, if not all, of the variations and shouldn't produce false positives, matching all fields case-insensitive.
Code:
.UL.....GET /nginx/download.exe HTTP/1.1

Code:
.UL.....GET /nginx/download.eXe HTTP/1.1

Code:
Content-Disposition: attachment; filename=filenamehere.exe

Code:
Content-Disposition: attachment; filename=filenamehere.EXe

Code:
Content-Disposition: attachment; filename="filenamehere.EXe"


Some servers can enclose the exe filename in single/double quotes that the signature covers.

Author:  debuser [ Mon Jun 11, 2012 6:14 pm ]
Post subject:  Re: Juniper SRX/IDP custom signature to block .EXE file download

Server side tcpdump packet trace showing the Juniper SRX/IDP attack matching in action for 2nd method (m01 server-to-client)

Code:
.a......GET /nginx/download.php HTTP/1.1
Host: 82.78.227.176
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Connection: keep-alive


22:10:34.669484 IP 10.1.22.3.80 > 87.210.210.206.31417: Flags [P.], ack 276, win 15840, options [nop,nop,TS val 2443626061 ecr 56737245], length 245
E..)e.@...I{
...W....Pz....R..

..=.K......
...M.a..HTTP/1.1 200 OK
Server: nginx/1.2.0
Date: Mon, 11 Jun 2012 22:10:34 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.11
Content-Disposition: attachment; filename=filenamehere.eXe

0


22:10:34.672166 IP client.31417 > server.80: Flags [R], seq 4241951242, win 8192, length 0


The Juniper IPS appliance detects the exe file download (attack) and closes the connection, sending a RESET tcp packet to both server and client.

Author:  debuser [ Mon Jun 11, 2012 6:29 pm ]
Post subject:  Re: Juniper SRX/IDP custom signature to block .EXE file download

This signature is only for inspirational purpose only. It will impact the throughput performance of SRX ips appliance / HTTP protocol.

Author:  Mitchel880 [ Fri Jan 23, 2015 5:28 am ]
Post subject:  Re: Juniper SRX/IDP custom attack signature to block .EXE file download

if you have many files you can also use this command to automate the operation:
Code:
cat test | awk '{print "copy " $9 " ftp:\nip_of_ftp_server\n\n";}'

where test is a filename containing the output of "DIR" command from the CISCO device.

After that you can just copy&paste the output to the CISCO device and all files will be transfered.

!!!! by admin !!!! relevant or just copy pasted from http://forum.ivorde.com/cisco-copy-files-from-cisco-device-to-ftp-server-t93.html ?

Page 1 of 1 All times are UTC - 5 hours [ DST ]
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group
http://www.phpbb.com/