Automated Translation Automated Translation Between Attack - - PowerPoint PPT Presentation
Automated Translation Automated Translation Between Attack Languages Between Attack Languages (Translating Snort rules to STATL scenarios) (Translating Snort rules to STATL scenarios) Steven T. Eckmann Eckmann Steven T. Reliable Software
(Translating Snort rules to STATL scenarios) (Translating Snort rules to STATL scenarios) Steven T. Steven T. Eckmann Eckmann Reliable Software Group Reliable Software Group University of California University of California Santa Barbara, CA 93106 Santa Barbara, CA 93106
http://www.cs.ucsb.edu/~ http://www.cs.ucsb.edu/~rsg rsg/STAT/ /STAT/ 10 October 2001 10 October 2001
2
3
4
– – Simplifies signature sharing Simplifies signature sharing – – Supports easier comparison of different signatures for similar attacks Supports easier comparison of different signatures for similar attacks
express signatures in (or translate to) a common language
– – Leads to greater insight into attack language requirements Leads to greater insight into attack language requirements
what can language A do that B cannot, and vice versa?
– – Has not been done before Has not been done before
ArachNIDS database supports generation of signatures for several database supports generation of signatures for several IDSs IDSs with similar rule languages with similar rule languages
– Snort, Dragon, Snort, Dragon, Pakemon Pakemon, DefenseWorx DefenseWorx, Shoki Shoki
5
– – Cannot translate features that don’t exist in target language Cannot translate features that don’t exist in target language – – Domain-dependent factors Domain-dependent factors
protocols (ethernet ethernet, IP, TCP, UDP, ICMP, DNS, ...) , IP, TCP, UDP, ICMP, DNS, ...)
protocol fields
user-defined functions
– – Domain-independent factors Domain-independent factors
multi-event patterns
– sequence, or, and, loop, time, ... sequence, or, and, loop, time, ...
– – Are generated signatures “as good as” hand-crafted signatures? Are generated signatures “as good as” hand-crafted signatures? – – Is automated translation cost-effective? Is automated translation cost-effective?
6
7
– – Snort uses Snort uses preprocessors preprocessors to match signatures too complex for rule to match signatures too complex for rule language language
– – Rule header matches “action”, IP addresses, and ports Rule header matches “action”, IP addresses, and ports – – Rule options match protocol fields and payload content Rule options match protocol fields and payload content
alert
alert tcp tcp $EXTERNAL_NET any $EXTERNAL_NET any -> $HOME_NET 21 > $HOME_NET 21 ( (msg msg:"FTP :"FTP passwd passwd attempt";flags: A+; content:" attempt";flags: A+; content:"passwd passwd";) ";)
8
– – Extensions for Extensions for
IP networks (NetSTAT NetSTAT) )
Solaris BSM
WinNT event logging facility
Apache event logs
Syslog facility facility
IDMEF alerts
9
– – States States – – Transitions (consuming, Transitions (consuming, nonconsuming nonconsuming, unwinding) , unwinding) – – Signature actions Signature actions – – Assertions Assertions – – Global environment Global environment – – Local environment Local environment – – Code blocks Code blocks
10
use use tcpip tcpip; scenario scenario streambin streambin { { string CLASSIFICATION_NAME = " string CLASSIFICATION_NAME = "Streambin Streambin"; "; string CLASSIFICATION_URL = "http://www. string CLASSIFICATION_URL = "http://www.cs cs.ucsb ucsb.edu edu/~ /~rsg rsg"; "; string SOURCE_NODEADDRESS = "unknown"; string SOURCE_NODEADDRESS = "unknown"; string SOURCE_PORT = "unknown"; string SOURCE_PORT = "unknown"; string TARGET_NODEADDRESS = "unknown"; string TARGET_NODEADDRESS = "unknown"; string TARGET_PORT = "unknown"; string TARGET_PORT = "unknown"; string ADDITIONAL_DATA = "Binary packet: "; string ADDITIONAL_DATA = "Binary packet: "; int sid int sid; transition transition open (s0->data)
nonconsuming { { [ [STREAMOpen STREAMOpen s] : s.header.type == STREAM_EVENT_OPEN_C2S && s] : s.header.type == STREAM_EVENT_OPEN_C2S && (s.header. (s.header.getDstPort getDstPort() == 25 || // () == 25 || //smtp smtp s.header. s.header.getDstPort getDstPort() == 21 || //ftp () == 21 || //ftp s.header. s.header.getDstPort getDstPort() == 110) //pop () == 110) //pop { { sid sid = s.header.id; = s.header.id; SOURCE_NODEADDRESS = s.header. SOURCE_NODEADDRESS = s.header.getSrcStr getSrcStr(); (); SOURCE_PORT = s.header. SOURCE_PORT = s.header.getSrcPortStr getSrcPortStr(); (); TARGET_NODEADDRESS = s.header. TARGET_NODEADDRESS = s.header.getDstStr getDstStr(); (); TARGET_PORT = s.header. TARGET_PORT = s.header.getDstPortStr getDstPortStr(); (); } } } } transition transition data (data->data) data (data->data) consuming consuming { { [STREAM s] : (s.header.type == STREAM_EVENT_DATA_C2S && [STREAM s] : (s.header.type == STREAM_EVENT_DATA_C2S && s.header.id == s.header.id == sid sid && !s. && !s.containsBinary containsBinary()) ()) } } transition transition binary (data->binary) binary (data->binary) consuming consuming { { [STREAM s] : (s.header.type == STREAM_EVENT_DATA_C2S && [STREAM s] : (s.header.type == STREAM_EVENT_DATA_C2S && s.header.id == s.header.id == sid sid && s. && s.containsBinary containsBinary()) ()) { ADDITIONAL_DATA += s. { ADDITIONAL_DATA += s.asString asString(); } (); } } } transition transition close (data->s0) close (data->s0) unwinding unwinding { { [ [STREAMClose STREAMClose s] : s.header.id == s] : s.header.id == sid sid } } initial initial state state s0 { } s0 { } state state data { } data { } state state binary { binary { { log(" { log("Streambin Streambin compromised"); } compromised"); } } } }
11
s0 data binary
binary data close
12
– – Responses are dynamically associated with signatures at runtime Responses are dynamically associated with signatures at runtime
– – Most snort action types (e.g., Most snort action types (e.g., alert alert) ) – – Output options Output options msg msg and and logto logto – – Response/reactions options Response/reactions options resp resp and and react react
– – e.g., e.g., portscan portscan
13
– – $NAME $NAME translates to scenario parameter translates to scenario parameter NAME NAME
– – Rule actions Rule actions alert alert and and log log translate to nothing - not part of translate to nothing - not part of signature signature – – Rule actions Rule actions activate activate and and dynamic dynamic translate to looping scenario translate to looping scenario – – Rule action Rule action pass pass not translatable not translatable
no such semantics in STATL
14
– – Protocol translates to event spec Protocol translates to event spec
tcp translates translates to to [IP [IP ip ip [TCP [TCP tcp tcp]] ]], etc. , etc.
– – Source and destination IP addresses Source and destination IP addresses
192.168.1.0/24 translates translates to to ip ip.header. .header.src srcMatch Match(“192.168.1.0/24”) (“192.168.1.0/24”)
any translates to nothing translates to nothing
– – Source and destination ports Source and destination ports
21 translates to
tcp
tcp.header. .header.get getDst DstPort Port() == 21 () == 21
– – Direction Direction
determines only which IP address and port specify source and which specify destination specify destination
15
– – Most snort options translate directly to a STATL condition Most snort options translate directly to a STATL condition
ttl: :n n translates to translates to ip ip.header. .header.ttl ttl == == n n – – String matching String matching
content: content:string string; offset: ; offset:n n; depth: ; depth:m m; ; translates to translates to tcp tcp. .payloadMatch payloadMatch( (string string, ,n n, ,m m, ,nocase nocase?) ?)
16
alert alert tcp tcp $EXTERNAL_NET any $EXTERNAL_NET any -> $HOME_NET 21 > $HOME_NET 21 ( (msg msg:"FTP :"FTP passwd passwd attempt";flags: A+; content:" attempt";flags: A+; content:"passwd passwd";) ";) transition t26 (s0->s1) transition t26 (s0->s1) nonconsuming nonconsuming { { [IP [IP ip ip [TCP [TCP tcp tcp]] : ]] : ip ip.header. .header.srcMatch srcMatch(EXTERNAL_NET) && (EXTERNAL_NET) && ip ip.header. .header.dstMatch dstMatch(HOME_NET) (HOME_NET) && ( && (tcp tcp.header. .header.getDstPort getDstPort() == 21) () == 21) && ( && (tcp tcp.header.flags & (TH_ACK)) .header.flags & (TH_ACK)) && && tcp tcp.payloadMatch payloadMatch(" ("passwd passwd",0,0,false) ",0,0,false) { CLASSIFICATION_NAME = CLASSIFICATION_NAME = "FTP "FTP passwd passwd attempt" attempt"; SOURCE_NODEADDRESS = SOURCE_NODEADDRESS = ip ip.header. .header.getSrcStr getSrcStr(); (); TARGET_NODEADDRESS = TARGET_NODEADDRESS = ip ip.header. .header.getDstStr getDstStr(); (); SOURCE_PORT = SOURCE_PORT = tcp tcp.header. .header.getSrcPortStr getSrcPortStr(); (); TARGET_PORT = TARGET_PORT = tcp tcp.header. .header.getDstPortStr getDstPortStr(); (); } }
17
– – Snort preprocessors may be used to implement “complex” signatures Snort preprocessors may be used to implement “complex” signatures
preprocessors are essentially free-form
automated translation impractical
– – Sensor control issue, not a signature issue Sensor control issue, not a signature issue
– – Snort runtime issue, not a signature issue Snort runtime issue, not a signature issue
– – Abstract signature does not depend on protocol Abstract signature does not depend on protocol
18
19
– – Each snort rule applies to single packets Each snort rule applies to single packets – – A scenario may have multiple transitions, but all transitions must A scenario may have multiple transitions, but all transitions must share the initial state and the final state share the initial state and the final state – – No unwinding transitions No unwinding transitions
– – E.g., IP_ E.g., IP_datagram datagram is ok, IP_fragment is not is ok, IP_fragment is not – – No other protocols No other protocols
20
– – For that limited subset, translation is straightforward For that limited subset, translation is straightforward
– – Multiple transitions (events), unsupported protocols, or abstract Multiple transitions (events), unsupported protocols, or abstract events events – – STAT encourages a relatively small number of sophisticated STAT encourages a relatively small number of sophisticated signatures signatures – – Snort encourages a relatively large number of simple signatures Snort encourages a relatively large number of simple signatures
21
– – An NFR An NFR backend backend consists of configuration files, recorders, consists of configuration files, recorders, and N-code and N-code filters filters – – Configuration files and recorders specify what data is recorded and Configuration files and recorders specify what data is recorded and where where – – Filters specify which events match Filters specify which events match
each filter has a name, a trigger type (i.e., event), trigger modifiers (like snort protocol-specific rule options), and a “ snort protocol-specific rule options), and a “codeblock codeblock” ”
analogous to STATL transitions
– – Is it possible and practical to translate between NFR backends and Is it possible and practical to translate between NFR backends and STATL ( STATL (NetSTAT NetSTAT) scenarios? ) scenarios?
22
– – Functionally identical to the original, but structurally very different Functionally identical to the original, but structurally very different
23
– – Identify implicit states and transitions, if any Identify implicit states and transitions, if any – – Everything else is as easy as snort to STATL Everything else is as easy as snort to STATL
– – Represent STATL states with N-code global variables Represent STATL states with N-code global variables – – Use only event types that correspond to NFR triggers Use only event types that correspond to NFR triggers – – Use only event fields that correspond to NFR trigger modifiers Use only event fields that correspond to NFR trigger modifiers
24
– – STATL appears to be a superset of snort STATL appears to be a superset of snort – – STATL appears to be a superset of N-code (but the difference is less) STATL appears to be a superset of N-code (but the difference is less) – – Snort rules are very concise but not very expressive Snort rules are very concise but not very expressive – – STATL and N-code are very expressive but not nearly as concise as STATL and N-code are very expressive but not nearly as concise as snort snort
N-code is more concise than STATL for simple signatures
– – How groups of related rules/filters/transitions are translated may How groups of related rules/filters/transitions are translated may significantly affect performance significantly affect performance
25
– – Results so far are promising Results so far are promising
– – Yes, writing signatures is a human-intensive task Yes, writing signatures is a human-intensive task
– – Might allow a CVE-like (or Might allow a CVE-like (or ArachNIDS ArachNIDS-like?) database of signatures
– – Other interesting languages: Other interesting languages: bro bro, P-BEST , P-BEST – – More rigorous specifications of signature categories that can be More rigorous specifications of signature categories that can be represented in various signature languages represented in various signature languages – – Performance studies to identify whether translations are practical Performance studies to identify whether translations are practical
26
27