The STRING Micro-Engine
The STRING micro-engine provides pattern inspection and
alarm generation against regular expressions. It inspects TCP, UDP, and
ICMP payloads. There are currently four STRING micro-engines: STRING.HTTP,
STRING.ICMP, STRING.TCP, and STRING.UDP.
STRING.HTTP has eight signatures (shown in Figure 7.16). These are
specifically tailored to look for certain command strings in HTTP traffic.
Table 7.10 shows the configurable parameters for
STRING.HTTP signatures.
Table 7.10: STRING.HTTP Parameters

| Parameter | Data Type | Protected | Required | Description |
| Master parameters | | | | Refer to Table 7.1 for the master parameters. |
| Deobfuscate | Boolean (True/False) | No | No | Use anti-evasive deobfuscation prior to searching for the RegexString. |
| Direction | Boolean (FromService / ToService) | Yes | No | Indicates the direction in which the sensor is watching traffic at the service port. |
| MinMatchLength | Number | No | No | Minimum number of bytes the RegexString must match. |
| MultipleHits | Boolean (True/False) | No | No | Search for multiple RegexString matches in a single packet. |
| PreFilterDepth | Number | No | No | Number of bytes at the start of the stream within which one of the prefilter strings must be found before the regex search starts. If none of those strings appears in the first PreFilterDepth bytes, the stream is not considered a valid web stream and is not searched. |
| RegexString | String | Yes | Yes | Regular expression to search on. |
| ServicePorts | Set | No | No | Comma-separated list of ports or port ranges where the service resides. |
| StripTelnetOptions | Boolean (True/False) | No | No | Strips Telnet option characters from the data before searching. |
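The Deobfuscate and PreFilterDepth parameters are easiest to see in code. The following Python model is an added example, not the book's text or Cisco sensor code: it percent-decodes and normalises the request URI before the regex runs, and it only inspects a stream when one of a small set of prefilter strings appears within PreFilterDepth bytes of the start. The prefilter strings (HTTP methods), the 16-byte default depth, the phf RegexString and the request bytes are all assumptions constructed for the example, and Python re syntax stands in for the sensor's own regex dialect.

```python
import re

# Assumed prefilter strings: the page says one of a list of strings must appear in the
# first PreFilterDepth bytes for the stream to count as web traffic; HTTP methods are used here.
PREFILTER_STRINGS = (b"GET ", b"POST ", b"HEAD ")
_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")


def prefilter_ok(stream: bytes, prefilter_depth: int) -> bool:
    """PreFilterDepth check: look for a prefilter string in the first prefilter_depth bytes only."""
    head = stream[:prefilter_depth]
    return any(s in head for s in PREFILTER_STRINGS)


def percent_decode(data: bytes) -> bytes:
    return _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def deobfuscate(uri: bytes, decode_rounds: int = 2) -> bytes:
    """Anti-evasive deobfuscation of a request URI: bounded repeated percent-decoding
    (catches %25xx double encoding), then normalisation of '//', '/./' and '/x/../'."""
    for _ in range(decode_rounds):
        decoded = percent_decode(uri)
        if decoded == uri:
            break
        uri = decoded
    prev = None
    while prev != uri:                      # iterate until the path is stable
        prev = uri
        uri = re.sub(rb"/+", b"/", uri)
        uri = re.sub(rb"/\./", b"/", uri)
        uri = re.sub(rb"/(?!\.\./)[^/]+/\.\./", b"/", uri)
    return uri


def inspect_http(stream: bytes, regex: bytes, deobfuscate_first: bool = True,
                 prefilter_depth: int = 16, min_match_length: int = 0):
    """Apply one STRING.HTTP-style RegexString to the request URI of a TCP stream.
    Returns the matched bytes, or None when the prefilter, the regex or MinMatchLength rejects it."""
    if not prefilter_ok(stream, prefilter_depth):
        return None
    request_line = stream.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return None
    uri = deobfuscate(parts[1]) if deobfuscate_first else parts[1]
    m = re.search(regex, uri)
    if m and len(m.group(0)) >= min_match_length:
        return m.group(0)
    return None


# Constructed requests (not captures) carrying the same target under different encodings.
PHF = rb"(?i)/cgi-bin/phf"                   # hypothetical RegexString for this example
REQUESTS = {
    "plain":      b"GET /cgi-bin/phf HTTP/1.0\r\nHost: h\r\n\r\n",
    "pct":        b"GET /cgi-bin/ph%66 HTTP/1.0\r\nHost: h\r\n\r\n",
    "double_pct": b"GET /cgi-bin/./ph%2566 HTTP/1.0\r\nHost: h\r\n\r\n",
    "slashes":    b"GET /images/..//cgi-bin/phf HTTP/1.0\r\nHost: h\r\n\r\n",
    # 32 bytes of junk before the method: no prefilter string in the first 16 bytes
    "late_start": b"\x00" * 32 + b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n",
}
```

Call inspect_http with deobfuscate_first=False to watch the percent-encoded and double-encoded requests slip past the pattern; the PreFilterDepth check is what keeps the engine from spending regex time on streams that never present an HTTP method near the start, and raising the depth for the late_start sample shows the trade-off between evasion resistance and inspection cost.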
STRING.ICMP signatures fire upon detecting a series of three plus
signs (+++) in an ICMP packet, as shown here:
Selection> 16
2155 (SubSig 0) Modem DoS : +++ (ICMP)
(Sig Number to EDIT) or (ENTER to CONTINUE) >
Table 7.11 shows the configurable parameters for
STRING.ICMP signatures.
Table 7.11: STRING.ICMP Parameters

| Parameter | Data Type | Protected | Required | Description |
| Master parameters | | | | Refer to Table 7.1 for the master parameters. |
| Direction | Boolean (FromService / ToService) | No | No | Indicates the direction in which the sensor is watching traffic at the service port. |
| MinMatchLength | Number | No | No | Minimum number of bytes the RegexString must match. |
| MultipleHits | Boolean (True/False) | No | No | Search for multiple RegexString matches in a single packet. |
| RegexString | String | Yes | Yes | Regular expression to search on. |
| ServicePorts | Set | No | No | Comma-separated list of ports or port ranges where the service resides. |
| StripTelnetOptions | Boolean (True/False) | No | No | Strips Telnet option characters from the data before searching. |
STRING.TCP looks for strings in commands or text in TCP sessions.
There are approximately 165 different signatures in this micro-engine. Refer to
Appendix A for a complete list.
Examples of some of the signatures are:
- 3117 KLEZ worm: The alarm triggers when a filename Gn.Exe is found as an audio/x-wav attachment to an e-mail.
- 3118 rwhoisd format string: This signature fires upon detecting a soa command sent to an rwhois server with a large argument.
- 3119 WS_FTP STAT overflow: Fires upon detecting a stat command with an argument that is greater than 450 characters.
- 3120 ANTS virus: The alarm triggers when an e-mail is found with the attachment ANTS3SET.EXE.
- 3121 Vintra MailServer EXPN DoS: Fires when *@ is detected as the argument to the SMTP command EXPN.
- 3122 SMTP EXPN root Recon: Fires when an attempt to expand the e-mail alias of the root user with the SMTP command EXPN is detected.
- 3123 NetBus Pro Traffic: The alarm fires upon detecting a NetBus Pro communications channel setup.
- 3124 Sendmail prescan Memory Corruption: This signature looks for an abnormally long (1000+ characters) MAIL FROM (SubSig 0) or RCPT TO (SubSig 1) SMTP command.
Table 7.12 shows the configurable parameters for
STRING.TCP signatures.
Table 7.12: STRING.TCP Parameters

| Parameter | Data Type | Protected | Required | Description |
| Master parameters | | | | Refer to Table 7.1 for the master parameters. |
| Direction | Boolean (FromService / ToService) | Yes | No | Indicates the direction in which the sensor is watching traffic at the service port. |
| MinMatchLength | Number | No | No | Minimum number of bytes the RegexString must match. |
| MultipleHits | Boolean (True/False) | No | No | Search for multiple RegexString matches in a single packet. |
| RegexString | String | Yes | Yes | Regular expression to search on. |
| ServicePorts | Set | No | No | Comma-separated list of ports or port ranges where the service resides. |
| StripTelnetOptions | Boolean (True/False) | No | No | Strips Telnet option characters from the data before searching. |
STRING.UDP looks for strings in UDP traffic. As with the other STRING
engines, the match is made against the packet payload, and many of the tools used
to exploit systems, trojans and DDoS agents among them, communicate over UDP.
Refer to Appendix A for a complete list. Some examples of UDP string signatures are:
- 4607 Deep Throat Response: This signature triggers when the string My Mouth is Open is detected in a UDP packet sent on well-known Deep Throat UDP ports. Alarm level 5.
- 4608 Trinoo (UDP): This signature triggers when the string trinoo is detected on any UDP port known to carry Trinoo traffic. Alarm level 5.
- 4609 Orinoco SNMP Info Leak: This signature triggers when a specially crafted packet is detected with a destination of UDP port 192. This is a good indicator that attempts are being made to retrieve the SNMP community names from the target. Alarm level 4.
- 4610 Kerberos 4 User Recon: This signature triggers when a null character sent to UDP port 750 is detected. This is a good indicator that a Kerberos user recon attack may be occurring. Alarm level 0.
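To show how the STRING.TCP and STRING.UDP parameters combine at match time, here is an added Python model of the STRING engine; it is an illustration written for this page, not the book's text or Cisco sensor code. Direction and ServicePorts select which side of a session is inspected, StripTelnetOptions removes Telnet IAC negotiation before the RegexString runs, and MinMatchLength and MultipleHits gate the hits. The regexes for 3119, 3121, 3122, 3124 and 4607 are written from the one-line descriptions above in Python re syntax rather than the sensor's dialect; the Deep Throat ports, the Packet record and all packet contents are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

IAC, SE, SB = 0xFF, 0xF0, 0xFA
OPTION_CMDS = {0xFB, 0xFC, 0xFD, 0xFE}      # WILL, WONT, DO, DONT (IAC <cmd> <option>)

def strip_telnet_options(data: bytes) -> bytes:
    """Remove Telnet (RFC 854) IAC sequences so a command split by negotiation bytes
    still lines up against the RegexString; IAC IAC is kept as a literal 0xFF."""
    out, i, n = bytearray(), 0, len(data)
    while i < n:
        if data[i] != IAC:
            out.append(data[i]); i += 1
        elif i + 1 >= n:
            break                                   # dangling IAC at the end: drop it
        elif data[i + 1] == IAC:
            out.append(IAC); i += 2
        elif data[i + 1] in OPTION_CMDS:
            i += 3
        elif data[i + 1] == SB:                     # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:
            i += 2                                  # other two-byte commands (NOP, GA, ...)
    return bytes(out)

@dataclass
class Packet:
    proto: str                      # "tcp" or "udp"
    src_port: int
    dst_port: int
    payload: bytes

@dataclass
class StringSig:
    sig_id: int
    subsig: int
    name: str
    proto: str
    regex: bytes                    # Python re syntax stands in for the sensor's regex dialect
    service_ports: frozenset
    direction: str = "ToService"    # or "FromService"
    min_match_length: int = 0
    multiple_hits: bool = False
    strip_telnet_options: bool = False

    def __post_init__(self):
        self.pattern = re.compile(self.regex, re.MULTILINE)

def evaluate(sig: StringSig, pkt: Packet) -> list:
    """Return one (sig_id, subsig, match_length) tuple per qualifying hit in pkt."""
    if pkt.proto != sig.proto:
        return []
    port = pkt.dst_port if sig.direction == "ToService" else pkt.src_port
    if port not in sig.service_ports:               # Direction + ServicePorts filter
        return []
    data = strip_telnet_options(pkt.payload) if sig.strip_telnet_options else pkt.payload
    hits = []
    for m in sig.pattern.finditer(data):
        if len(m.group(0)) >= sig.min_match_length:     # MinMatchLength
            hits.append((sig.sig_id, sig.subsig, len(m.group(0))))
            if not sig.multiple_hits:                   # without MultipleHits, stop at the first hit
                break
    return hits

FTP, SMTP = frozenset({21}), frozenset({25})
DEEP_THROAT_PORTS = frozenset({2140, 3150})          # assumed "well-known" Deep Throat UDP ports
SIGNATURES = [   # thresholds as described on the page: STAT argument > 450 bytes, MAIL FROM / RCPT TO 1000+
    StringSig(3119, 0, "WS_FTP STAT overflow", "tcp", rb"(?i)^STAT [^\r\n]{451,}", FTP,
              strip_telnet_options=True),
    StringSig(3121, 0, "Vintra MailServer EXPN DoS", "tcp", rb"(?i)^EXPN[ \t]+\*@", SMTP),
    StringSig(3122, 0, "SMTP EXPN root Recon", "tcp", rb"(?i)^EXPN[ \t]+root\b", SMTP, multiple_hits=True),
    StringSig(3124, 0, "Sendmail prescan, MAIL FROM", "tcp", rb"(?i)^MAIL FROM:?[^\r\n]{1000,}", SMTP),
    StringSig(3124, 1, "Sendmail prescan, RCPT TO", "tcp", rb"(?i)^RCPT TO:?[^\r\n]{1000,}", SMTP),
    StringSig(4607, 0, "Deep Throat Response", "udp", rb"My Mouth is Open", DEEP_THROAT_PORTS,
              direction="FromService"),
]

def fired(pkt: Packet) -> list:
    """(sig_id, subsig) for every signature that fires on pkt, in signature order."""
    return [(sid, sub) for sig in SIGNATURES for sid, sub, _ in evaluate(sig, pkt)]

SAMPLES = {   # constructed packets, not captures
    "ftp_stat_450":   Packet("tcp", 40001, 21, b"STAT " + b"A" * 450 + b"\r\n"),
    "ftp_stat_451":   Packet("tcp", 40002, 21, b"STAT " + b"A" * 451 + b"\r\n"),
    # IAC WILL ECHO spliced into the verb: matches only once Telnet options are stripped
    "ftp_stat_iac":   Packet("tcp", 40003, 21, b"ST\xff\xfb\x01AT " + b"A" * 451 + b"\r\n"),
    "smtp_mail_from": Packet("tcp", 40004, 25, b"MAIL FROM:<" + b"B" * 1000 + b"@example.test>\r\n"),
    "smtp_rcpt_to":   Packet("tcp", 40005, 25, b"RCPT TO:<" + b"C" * 1000 + b"@example.test>\r\n"),
    "smtp_expn_star": Packet("tcp", 40006, 25, b"EXPN *@\r\n"),
    "smtp_expn_root": Packet("tcp", 40007, 25, b"EXPN root\r\nEXPN root\r\n"),
    # the same bytes leaving port 25: Direction=ToService keeps 3122 quiet
    "smtp_reply":     Packet("tcp", 25, 40007, b"EXPN root\r\n"),
    "deep_throat":    Packet("udp", 2140, 40008, b"My Mouth is Open"),
}
```

The ftp_stat_iac sample is the case StripTelnetOptions exists for: the IAC WILL ECHO bytes spliced into STAT defeat the regex unless the option is set, which is why it matters on FTP and Telnet ports in particular. The smtp_reply sample shows that with Direction=ToService the same string in the server's replies is ignored, and smtp_expn_root shows MultipleHits producing one hit per command in a single packet.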
Table 7.13 shows the configurable parameters for
STRING.UDP signatures.
Table 7.13: STRING.UDP Parameters

| Parameter | Data Type | Protected | Required | Description |
| Master parameters | | | | Refer to Table 7.1 for the master parameters. |
| Direction | Boolean (FromService / ToService) | No | No | Indicates the direction in which the sensor is watching traffic at the service port. |
| MinMatchLength | Number | No | No | Minimum number of bytes the RegexString must match. |
| ServicePorts | Set | No | No | Comma-separated list of ports or port ranges where the service resides. |